In tech circles, “cloud” does have a rather specific meaning. For our purposes, however, we’ll define “the cloud” this way:
“The Cloud” = “Other People’s Computers”
Cloud services center around providing software services — and sometimes information storage services — on computers in well-connected data centers.
If you’re not sure whether or not you currently use any cloud services, here are some examples of such services that meet our definition:
- Email services
- Online health records/practice management
- Online data backup
- File sharing (e.g. Dropbox)
- Online payment service (e.g. PayPal)
- Online FAX
From Ownership to Renting
Before cloud services started to become commonplace, we bought software (often on disks that came in boxes!) and installed it on our computers. We also kept all of our data on those computers.
Every digital thing we used was on our own computers. If you didn’t have your computer with you, you couldn’t use the software or the data on it. If your computer broke or got lost, you lost all that software and data.
Cloud services take the software and data off of our computers and put it all on professionally maintained servers, where we can access it with any device and from any place with an Internet connection. Most of what we do now with our computers and smartphones happens in a Web browser program (e.g. Chrome, Firefox, or Safari), or through an app that we have installed on our device but that accesses a cloud server in order to do its work.
There are a number of advantages to this setup, which we’ll discuss below. For awareness’ sake, however, it’s worth noting the downsides here:
- We now rent our software instead of owning it. In the late 90s, there was some angst about the move towards subscription-based cloud computing since it could easily result in excess expenses. Fortunately, costs of cloud services have turned out to be quite reasonable for the most part, and they can even reduce costs in some cases. We still don’t own the software we buy anymore, however.
- Because the cloud is other people’s computers, that means other people have possession of our data and can observe how we use our software. This means there is a need to establish that each given cloud service provider can be trusted to handle our data, especially our health data. This is best done through agreements with the provider — primarily the HIPAA Business Associate Agreement — and through an appropriate amount of vetting of the provider’s trustworthiness and competence to keep our information private and secure.
When we work with a cloud service that is operated properly and competently, we can expect a number of benefits:
- Our data will be protected by security experts, rather than relying on our own security skills to keep it safe.
- Our data will be backed up on a regular basis without any effort on our parts.
- Our software will be updated regularly without requiring any new purchases, and often without having to install anything new.
- Our data will be available to us anywhere we can access the Internet.
- We can control access to our data. So even if we lose a computer or smartphone, we can still ensure that our cloud services cannot be accessed from that lost device. We can simply change the password or even lock that device out of the account (if the cloud service supports it.)
- We can monitor access to our data. One cannot view information on a cloud service with it being logged by the service. We can use these logs to see if anything suspicious has been happening in our accounts.
Once again, the full benefit of these features is only gained when our cloud services are operated properly and competently. That is why vetting of cloud services is important. The HIPAA Business Associate Agreement is also vital, but anyone can execute such an agreement with you. It doesn’t guarantee their competence or trustworthiness.
Vetting a cloud service can be similar to vetting a therapist. Ask people who you trust, and who have worked with the service, to give you their thoughts and opinions. You can also ask experts.
Hopefully you are getting a picture of how using cloud services in our practices requires some due diligence, but that this diligence can be very worthwhile to engage in. Cloud services can take a lot of the HIPAA compliance load off of our shoulders and improve the care we provide to clients. So they’re worth investing time and energy into using properly.