Hospital Chief Information Officers Take Cautious Approach to Implementing Cloud Technology, AIS Newsletter Finds

Share Article

Wary of risks associated with cloud-based applications, information security executives at Seattle Children’s Hosptial and MedStar Health say they are taking cautious steps toward implementing cloud technology, outlining their experiences and best practices in the February issue of Atlantic Information Services’s Report on Patient Privacy.

As hospitals and other health care providers look for ways to simultaneously cut costs, improve care and patient engagement, and compete in the health care market, some are looking at “cool” high-tech solutions and applications that, increasingly, are cloud-based. But choosing a cloud vendor is easier said than done, information technology officers tell Atlantic Information Services, Inc.’s (AIS) Report on Patient Privacy (RPP). Cris Ewell, chief information security officer at Seattle Children’s Hospital, and Pete Celano, director of consumer health initiatives at the MedStar Institute for Innovation, an arm of Washington, D.C.-area health care system MedStar Health, discuss what providers should consider in implementing cloud technology, in the February issue of RPP.

Seattle Children’s has not yet selected a cloud vendor, but implementation won’t come as the result of a quick, or simple, decision, Ewell tells RPP, and offered some issues to consider.

Before moving data to a cloud, Health Insurance Portability and Accountability Act (HIPAA) covered entities (CEs) need to weigh the risks associated with internal versus cloud hosting of data, Ewell says. This requires understanding how the vendor is configured: for example, if the cloud will be public or private, and whether it will be co-mingled with data from others. If the data is co-mingled, the cloud vendor could be a bigger target for hackers because of the amount of information that could be accessible, he explains.

Ewell also urges providers’ HIPAA officers to be actively involved in crafting the business associate agreement and contract that is signed by the vendor. Ewell says he may require that the vendor submit a copy of policy and procedure audits, as well as reports of any breaches it has had and how they were handled.

MedStar Health has already implemented cloud-based tools and products at their hospitals. ZocDocs, an online patient scheduling system, is one such product MedStar now offers patients. Some of its medical offices also use an electronic clipboard of sorts offered by Tonic Solutions, a private firm, which, Celano says, has proven to be popular with both patients and staff, and has not posed problems.

Visit to read the article in its entirety.

About Report on Patient Privacy
Report on Patient Privacy is the health industry’s #1 source of timely news and business strategies for safeguarding patient privacy and data security. Published for hospitals and other providers, health plans and other HIPAA-covered entities and business associates, the 12-page newsletter focuses on privacy issues that can result in huge fines, penalties and public relations nightmares, including: security breach notification; business associate relations and agreements; and new federal privacy rules for marketing, fundraising, privacy notices, minimum necessary, patient rights and safeguarding privacy in EHRs. Visit for more information.

About Atlantic Information Services
Atlantic Information Services, Inc. (AIS) is a publishing and information company that has been serving the health care industry for more than 25 years. It develops highly targeted news, data and strategic information for managers in hospitals, health plans, medical group practices, pharmaceutical companies and other health care organizations. AIS products include print and electronic newsletters, websites, looseleafs, books, strategic reports, databases, webinars and conferences. Learn more at

Share article on social media or email:

View article via:

Pdf Print

Contact Author

Jill Brown, Executive Editor
Atlantic Information Services
+1 (202) 775-9008 Ext: 3058
Email >
since: 01/2011
Follow >
since: 01/2011
Like >
Atlantic Information Services, Inc.

Visit website