Cloud computing provides a means of storing and accessing personal data and other information technology resources over a network. Nic Paton investigates whether or not it is something that could be of use to healthcare practitioners.
For any health professional, losing confidential data or, even worse, finding that such data has somehow leaked out into the public domain, can be their worst nightmare. The confidentiality of the patient experience is paramount to effective practice and the damage that can occur to reputation if this trust, however inadvertently, is breached will deservedly be severe.
Against this backdrop, the notion that occupational health practitioners might one day be happy to store their confidential medical, patient and client data remotely in the online “cloud” takes some getting your head around. However, it certainly should not be discounted.
Increasingly, the storage of personal data is done online – anyone, after all, who has access to a Hotmail or Gmail account in effect uses the cloud to communicate, send files and store data, however anodyne.
The more we use smart phones and tablet computers on a daily basis, the more we carry data around with us. In fact, as OH practitioner Georgina Mills points out, the on-the-road lifestyle of your average OH adviser does make the convenience and flexibility that cloud computing offers potentially attractive.
“The reason I started looking into it is that, as an independent nurse, when I go out to a new site or company that I have not been to before I am not always going to have notes to refer to, especially around health surveillance. So I tend to look at them in retrospect after the event, and cloud, I imagine, might be able to solve that,” says Mills, who is director of ReSano Occupational Health in Hamilton, Glasgow.
She adds: “The biggest thing for me has to be confidentiality; making sure the information cannot fall into the wrong hands, and that is what is, at the moment, stopping me from going ahead. The worry is either that the information will somehow disappear and you can’t get it back, or that it gets leaked.”
Lindsey Hall, independent occupational health adviser with Split Dimension in Thornbury, Gloucestershire, agrees that moving to the cloud looks attractive in principle but, for the moment and in a tough economic environment where no one can afford to take risks, it is a leap of faith that, for many, may be too far, too soon.
“For the time being we have shied away from doing it. There seem to be two levels, public versions such as Dropbox [an internet-based document-sharing platform], in which it makes sense to keep bits and pieces, but probably nothing that is especially sensitive – so my wife, who is part of the business, can, for example, access information when she is physically not in the office,” he explains.
“But then, if we decide to go the whole way and have our sensitive information on there, we are looking at expanding our server capacity. I spoke to one provider who advised me that, because of the sensitivity of the information, you might be looking at a fee of around £300 to £400 a month. There does not seem to be any sort of middle ground, at least not at the moment,” he adds.
The sky’s the limit
For the uninitiated, cloud computing is essentially the next level up from the modern PC or laptop that sits on your desk sucking up data and files as you create them – in fact, laptops such as Google’s Chromebook have their operating systems located on the web, meaning there needs to be much less “inside” the actual machine.
The biggest thing for me has to be confidentiality; making sure the information cannot fall into the wrong hands.”
So, rather than data, documents and programs being stored within the hard drive of your computer, they are simply stored online, meaning that you can, in principle, access them anywhere, anytime, assuming you have internet access.
For OH practitioners, the potential benefits are obvious – no more carrying around data or documents (in whatever form). “A lot of the time I will be on the road and so have to deal with internet dongles and so forth to send emails,” points out Mills.
The tricky question for occupational healthcare practitioners is: is this a secure and robust way to manage cases? As Mills adds: “Security has to be the biggest issue; as a small practitioner you just cannot afford to get that wrong.”
Cloud computing may offer a lot in principle, but in practice it is still something in its infancy, agrees Jonathan Wyatt, UK managing director of management, risk and IT consultancy Protiviti.
“Most companies are, at best, experimenting with cloud at the moment; I’d say, most are just playing with it. But even if you are a bit nervous about it, it does make sense to be testing it out,” he points out.
In fact, it is nervousness, suspicion and a lack of understanding that is hampering wider adoption of cloud computing, research published by Protiviti last November suggested. Almost three-quarters of IT managers in the UK – the ones who, if anything, should already be embracing this – felt that it was not relevant to their business.
Nevertheless, the NHS, for one, is beginning to test the water. Last summer, for example, Chelsea and Westminster Hospital NHS Foundation Trust began piloting online sharing of confidential patient information with consultants and GPs, which is called the “E-Health Cloud”, following an 18-month development programme in conjunction with Edinburgh Napier University and cloud services provider Flexiant.
Similarly, the Government has been working to develop a UK-wide cloud-computing strategy, the “G-Cloud”, publishing a strategy document in October 2011 that outlined plans to adopt a “public cloud first approach” to procurement, intended to save as much as £340 million by 2015.
Whatever lessons the NHS learns will, almost inevitably, act as a template and probably a catalyst for adoption by other healthcare professionals.
“If we were able, say, to replicate something that the NHS had done, that would probably be one way forward. There is always a danger with being the first person to do something,” suggests Mills.
“It is like having a big room containing lots and lots of chests of drawers. If you are willing to pay the money, then no one else is going to be able to have space in that drawer. Using a free cloud provider pretty much means you have a corner of one drawer, which is fine as that corner is your own corner, but in terms of healthcare data is just not good enough, or at least not yet,” adds Hall.
As well as the security of the data storage, if you venture into the cloud you need to be very clear where your data is being stored, concedes Andy Burton, chairman of the Cloud Industry Forum (CIF).
“You need clarity over what you have and where your data is being stored. There is an increasing requirement for UK data to be stored in the UK. There can sometimes be a challenge to know where your data is. But it is important to have clarity about where your data physically resides,” he points out.
The tricky question for occupational healthcare practitioners is: is this a secure and robust way to manage cases?”
It is wise to take note of this point in order to ensure that you do not inadvertently breach the Data Protection Act 1998. It is vital to make sure that whichever provider you are using for your cloud computing service is compliant with the Act.
Similarly, it is worth getting clarity on where the cloud service provider’s servers are located so that you can be sure about any local laws that may apply to the data held on those servers. For example, data held in the US may become liable to being forcibly disclosed under the Patriot Act.
A code of practice for cloud service providers was agreed in 2010 by the CIF, which is also something to look out for or ask any provider about, points out Burton.
Playing it safe
“A lot of businesses are now starting to adopt cloud but, yes, there is still quite a lot of confusion about it,” he says. “What you tend to have is free online storage services, which have been proven to be able to be breached. I would not, especially in the context of healthcare, encourage people to look at free storage.
“If you want physical data storage combined with accessibility and security you are, realistically, going to have to pay for it. It is very important that you understand what you are getting.
“Having said that, as a rule of thumb, someone operating cloud services will be far more focused on security than the average software provider. Security is always the issue that is raised and the thing people fear about it, but professional cloud [service] providers are, or should be, inherently more secure,” Burton adds.
Simon Wheeler, managing director of Warwick International Computing, understands the concerns surrounding cloud computing, especially those relating to data security.
“Warwick has successfully implemented a ‘software as a service’ [SaaS] model for a number of our clients, using market-leading data centres. Our SaaS model allows us to deliver a dedicated, secure hosting service which is compliant with information governance guidance and standards.”
Warwick’s e-OPAS software supports mobile working for OH professionals. Users can connect via a secure web-based connection to a system that is fully supported and maintained.
So, as an OH provider, who should you go to for help? The CIF offers a lot of advice, as do generic business resources such as BusinessLink. But a good first port of call is probably your existing IT provider, says Burton.
A lot of cloud service providers are relatively new, so it does make sense to do your due diligence into those organisations.”
“Cloud [computing] can be a confusing phrase, especially for a small or medium-sized business that will typically have had little contact with third-party IT providers. But your current IT provider is probably a good place to start, especially if they are a trusted partner; go and speak to them and talk through your needs. Cloud, after all, is simply a different method for deploying IT.”
Having said that, one of the challenges of cloud computing is that it is effectively changing the role of the IT function, cautions Wyatt.
So, rather than simply running and installing hardware and software, IT firms or (in bigger organisations) departments are becoming much more focused on managing suppliers.
Then there is the issue that, as with any new technology, there are providers arriving on the scene all the time.
“A lot of cloud service providers are relatively new, so it does make sense to do your due diligence into those organisations. One thing you do need to consider as a business continuity issue is the failure of a third-party organisation and how you would cope,” advises Wyatt.
“It does come back to treating a third-party as, in essence, an extension of your business. There has to be an appropriate agreement, you have to be clear how the data is going to be managed and stored on your behalf, you have to know where the data is being stored and you need to know whether it is being encrypted or not.
“So what is important is, very simply, talking to them and defining your requirements very closely and clearly,” he adds.
“It is as much about business process re-engineering – changing how people think about how they consume IT,” agrees the CIF’s Burton.
“Cloud should also be something that runs alongside, not as a replacement, to your on-premises technology. The key is to do your homework and not go for some form of lesser technology just because it is free,” he adds.
Cloud computing and OH
Ultimately, suggests Hall, cloud computing does offer potential for occupational health providers, but at the moment it is probably just that, at least when it comes to the really important stuff.
“There needs to be a much clearer understanding about what it means in terms of security. We need to have much more confidence and, most probably, the price will need to come down before it starts to become viable. Once those two things happen, then I think we might start to see things changing,” he says.
Apple’s iCloud allows users to store and access information through their iPhones, iPods, iPads, iMacs and MacBooks. It is free for up to 5GB of storage space, with additional storage available from £14 per year for 10GB, £28 for 20GB and £70 for 50GB.
Apple does use encryption technology to keep data secure but specialist publications such as Macworld have raised questions about its security, describing it as “an IT security professional’s nightmare” because when working on a document on your Apple computer, it will automatically become available on your phone, tablet and so on, without even needing to create new user accounts.
Microsoft’s cloud application, SkyDrive, has been described by The Guardian as “more of a virtual hard drive in the cloud” and is closely linked to its Hotmail service. The application can allow users to make certain folders public but it is also possible to set files and folders to share with specific contacts or be kept private.
At the moment the service is free, up to 25GB, with no facility to buy additional storage.
While Google’s email service, Gmail, is essentially a cloud service, the company also offers Google Calendar and Google Docs. All of its cloud services are currently free, although you can pay for additional storage.
The main independent cloud provider, Dropbox, works on both PCs and Macs, and has apps for iPhones, iPads, Android phones and the BlackBerry smart phone. The first 2GB are free. The company stresses that “other Dropbox users can’t see your private files in Dropbox unless you deliberately invite them or put them in your public folder. Everything in your public folder is, by definition, accessible to anyone”.
However, The Guardian also recently pointed out that Dropbox caused something of a stir early in 2011 when it changed its terms and conditions in a way that some read to mean that it claimed ownership over the files stored on it.
The company quickly backtracked, insisting that users retained ownership, but it is an issue that has left some users wary.
UK Fast offers a private rather than public cloud facility, which, it argues, means that “the infrastructure is stored in a closed internal environment with all resources completely dedicated to you”. It is, it adds, “ideal for projects where data security or ‘always on availability’ is paramount”, with the ability to build cloud “stacks”.
When it comes to security overall, IT security expert Bruce Schneier gives the following advice on his blog: “If you expect a cloud provider to do anything more interesting than simply store your files for you and give them back to you at a later date, they are going to have to have access to the plain text. For most people – Gmail users, Google Docs users, Flickr users and so on – that’s fine. For some people, it isn’t. Those people should probably encrypt their files themselves before sending them into the cloud.”