August 2017
A Matter of Location
By Susan Chapman
For The Record
Vol. 29 No. 8 P. 10
Is it better to have an EMR grounded in-house or one residing skyward?
When it comes to implementing an EMR, perhaps no decision will be as vital as whether to go with a server-based choice or one that resides in the cloud.
Health care organizations of all sizes have the option of accessing their EMRs through in-house computer networks or via cloud-based technology, where records are stored remotely and accessed when needed. Which option an organization chooses often depends on a number of different factors.
The Best Fit
Both local and cloud technologies are held to the rigorous standards of the Centers for Medicare & Medicaid Services (CMS). In the publication "Risk Management Handbook, Volume III," CMS states that facilities have the responsibility to protect sensitive information whether the data are housed at the facility or in the cloud.
By CMS standards, cloud services are a general support system and must be approved for operation by the CMS office of the chief information security officer and the CIO of CMS. As the publication states, "All systems deployed in a cloud environment must be evaluated for an authorization to operate using the same security standards and requirements as those deployed in traditional environments, and must be maintained only within those authorized environments."
Given that both local and cloud-based technology must meet the CMS standards, both will provide equivalent levels of security. However, there are other factors that differentiate the technologies.
Ron Sterling, an HIT consultant with Sterling Solutions, says, "The whole issue with cloud-based vs local systems is a compliance and strategic issue. If you buy your own system, you have to purchase the resources that you expect to need over the next 12 to 36 months. However, the cloud is virtual and can add resources on demand. Therefore, with the cloud, organizations can expand as necessary."
Such flexibility is especially beneficial for small practices, which may lack the resources for full-time IT staffs. It also enables small organizations to ensure HIPAA compliance and keep pace with advancing technology. If such practices were to select a cloud-based vendor, Sterling says they could adjust resources as necessary with the vendor's assistance. "This allows practices to rely on the cloud vendor for a number of HIPAA compliance issues such as system recovery and backup," he says. "In a small practice it is very difficult to meet HIPAA security requirements with a local network. The practice may not have a secure place for the server or backups. With cloud-based technology, many HIPAA security issues can be solved at a reasonable price."
"Cloud-hosted EMRs are a good fit for lean IT departments that are sensitive to staffing concerns, as they generally minimize both the need for on-premise IT skills and the risk of sustaining local staffing for such expertise," says Tim Ruff, vice president of solutions management at M*Modal. "The technical requirements for an EMR typically involve back-end infrastructure such as web servers, databases, monitoring tools, and/or virtualization stacks. From a support perspective, cloud-based EMRs are good insurance against staffing concerns and in many ways represent an outsourcing of both technology and people."
Brina Hollis, PhD, CST, MHHS, CBRS, a health informatics faculty member at Kaplan University, says the cloud can be enjoyed by both large and small health care organizations. "Smaller organizations don't have the upfront costs for technology and personnel, and facilities will ask what the vendor can do for them, given their needs. Larger organizations are also looking toward the cloud and testing the waters in different areas. For example, some larger hospitals have cloud-based e-mail systems, or some other aspects of the organization may be in the cloud. In such instances, the facilities are using multibased systems, a combination of local and cloud access," she says.
Provider Preference
According to Sterling, cloud vendors are reshaping the economics of software acquisition. "We see this in the Microsoft world," he says. "They'd rather have revenue from an organization every month than have a company buy software once every few years. And more and more vendors are making it hard or impossible to buy their systems outside of a cloud offering. Some vendors make it attractive to use the cloud by swapping a big upfront software fee with a lower monthly service fee. However, when we look at the numbers per month against the cost of the license, support, and hardware hosting, we find that if a health care provider bought the license and installed it on the cloud, at the two- to four-year mark, the license fee would have been paid even though many cloud vendors do not decrease their service fee at any point. To address this issue, some vendors reduce the price at the three-year mark. Many vendors do not."
Hollis believes the combination of convenience and lower upfront costs has led more small providers to opt for the cloud. However, large systems have not been as eager to take the leap for fear of losing control of their data. "It comes down to the needs of the organization," she says. "Larger hospital systems have IT departments regardless of where their EMRs are housed. And there are a lot of other variables. We have to have the proper bandwidth to access EMRs in the cloud, for example. Larger organizations are afraid of the unknown, which is why so many of them are only testing the technology with pieces of their businesses in the cloud and others held locally."
Tim McMullen, senior vice president of health care and life sciences with NTT DATA Services, says EMR preferences are in a state of flux. "The industry trend is absolutely moving from server-based EMRs to a greater comfort level among providers with cloud-based EMRs," he says. "Health care is still behind other industries in this movement, but there is momentum now."
Pros and Cons
Providers that adopt a cloud-based system need not be concerned with upgrades, backups, and the physical protection of the EMR network at a specific location, Sterling says. "As an example, many cloud servers have backup so that they can move to a different place in the event of catastrophic failure," he explains.
Hollis says cloud-based technology offers fewer upfront costs, with the price tag spread among a vendor's clients. "A typical local system can cost about $40,000 to set up; cloud-based could be half that," she says. "In the latter case, there is no hardware or software that needs to be purchased and maintained. All the health care organization needs is an internet connection and a vendor."
Hollis notes that many organizations believe cloud vendors deliver better support, including continuous information backup and data protection, and the ability to meet the requirements of incentive programs. "A lot of the host companies have more sophisticated security measures. They are very strict in meeting all of the mandates. It's the responsibility of the vendor to meet the requirements for meaningful use. Those organizations that use cloud-based vendors can rely on them for that purpose. And a health care provider who travels needs only an internet connection to access records. Even if that individual is on an unsecured internet system, he or she still has the security provided by the vendor," she says.
Cloud-based EMRs have their drawbacks. "A big con is that communications costs increase," Sterling says. "An organization has to be sure it has the communication capacity to go to a server that is potentially hundreds of miles away. Bandwidth and other calculations can be done to be sure information can be sent back and forth. This is a particular challenge in health care because we do have a lot of images. Scanned lab reports or HIPAA consent forms are both image heavy.
"When we move into a diagnostic arena, that is a whole different animal—scans, field tests, and high-quality radiology studies are all examples of documents that require high-definition accurate images. That can take a lot of time to send to the vendor and then get it back. Although not as big an issue in primary care practices that typically do not transfer large quantities of high-definition images, exchange of information is one of the biggest challenges to using cloud-based technology."
Hollis says the quality of the internet service is a major factor in determining whether a cloud-based system makes the grade. "If you don't have a lot of bandwidth, you can have some lag, particularly with larger images and, if the internet goes out, there is no way to access the cloud. That can leave practices in the dark if they don't have local backup," she says.
Hollis believes the possibility of slow or intermittent internet service in remote areas should sway rural practices from adopting the technology.
Vendor reliability is another issue that must be addressed, she says. "Vendors may go out of business without communicating with hospitals and/or organizations to help set up a new system with another vendor," Hollis says. "With our cell phones, we can back up to the cloud, for instance, but we can't do that if the vendor is having difficulty."
According to Ruff, by choosing to place its EMR in the cloud, an organization risks a loss of flexibility and control within its IT department. This occurs when vendors, in order to serve many different customers on a large scale, must standardize EMRs to some extent with regard to deployment and workflow.
In-house systems have their own set of challenges. For example, organizations must have hardware, personnel, and a strategy in place in the event of growth. Also, data security becomes more complicated. "You are responsible for more HIPAA issues because you have to protect the in-house equipment. With the cloud, you are capitalizing on the fact a lot of people are sharing equipment and resources in the cloud. In the cloud, someone else is monitoring that system," Sterling says.
Adds McMullen, "It is rare to find a hospital without multiple vendors, particularly around the periphery of the EMR space. A common challenge is that some vendors want to host only their own applications. The added cost of managing applications outside their own core competencies is generally not something they want to take on. Being able to bundle applications from their own proprietary suite of offerings is an advantage for the vendor."
Disaster Recovery
In the event of a disaster, cloud-based systems are protected from a number of environmental issues. For example, most cloud-based vendors are protected from power spikes and boast redundant communications systems, which are features only a few stand-alone practices can afford.
"From a disaster recovery perspective, in general, cloud-based systems are better protected and have better fail-safes," Sterling says. "Say you're working out of a data center in Atlanta; a cloud-based system may have a backup in Dallas. A regular health care practice would more than likely not have such capability. In fact, a lot of stand-alone practices do not update back-up and HIPAA compliance procedures in a timely fashion. They may not be actually backing up, or they may be keeping the back-up devices in the same place as they keep the server itself. Cloud-based vendors have backups in other locations. And, in a number of cloud-based solutions, they can switch quickly and lose only a short amount of time."
Hollis notes the importance of having a safety net. "When we think about any EMR system, we have to have backups. Otherwise, there is no way to ensure access to information in case of catastrophe or even a smaller issue," she says.
Hollis cites the case of a Los Angeles health care facility whose system was hacked and its data held for ransom. In that instance, the facility was forced to move to paper records to keep the hospital up and running. It ultimately paid the perpetrators to regain control over its own computer system.
"If the hospital had been on a cloud-based system, not only would such a breach have been less likely to occur but also back-up records would have been available to keep the hospital running smoothly," Hollis says. "Just as cell phone providers remind consumers to back up to the cloud, cloud-based systems will come with those reminders for health care facilities. Cloud-based systems can be automatic, but local systems often are not, so if proper backups are not done on the latter systems, that could lead to larger problems."
In general, cloud-based vendors are stricter with their security protocols than facilities with in-house systems. Also, cloud vendors are available to assist with recovery efforts. With an in-house server-based system, the IT department must be vigilant in completing backups and well schooled in retrieving information in the event of a failure.
"In the case of the Los Angeles hospital, someone could have simply gotten lax in their security, backup, and disaster recovery protocols," Hollis says. "If an organization is small, such an incident could put them out of business. There could also be fines and possible jail time, although jail is not a common consequence in an EMR breach.
"In terms of security and disaster recovery, we can look at the banking industry, where we can bank online with ease of mind," Hollis continues. "We need to have oversight that is looking 24 hours a day to be sure that there are no weak spots that would allow hackers access to protected health information."
Overall Costs
It can be difficult to ascertain the financial impact of each system, particularly when organizations must factor in communication expenses. "If you look at cloud-based answers, you are looking at $300 to $700 per month for cloud-based offerings, not including the communication costs," Sterling says. "Depending on the area of practice, how big the communication pipe has to be can have an impact, so it's difficult to nail down the exact costs."
Because cloud-based systems eliminate the need for the work to be completed in-house, Hollis believes their overall cost is minimal compared with a server-based system. However, Ruff notes that the wide range of available EMR choices makes it difficult to make financial comparisons. "An EMR can be delivered to a provider in many ways, and, as an example, a virtualized application typically has a higher infrastructure cost than an application that is web browser based," he says.
The Right Solution
In the end, Ruff maintains that providers don't need to have a preference between hosted cloud-based solutions and on-premise applications. As long as the product works, there's not much to separate the two. "A cloud-based solution, by virtue of its being hosted somewhere else, typically has anywhere, anytime accessibility as a core part of its offering. But if set up correctly, an on-premise solution can be equally accessible. The onus is on the local IT department to make the latter happen," he says.
"Generally, planning for the different solutions—on-premise vs the cloud—typically would generate different concerns to mitigate," Ruff continues. "When doing a thorough evaluation, it might be helpful to keep in mind that while hosted solutions are sensitive to external factors such as internet connectivity, on-premise solutions might drive costs up with duplication of resources. Decision makers then need to weigh those factors against what is best for their organization's needs."
— Susan Chapman is a Los Angeles-based freelance writer.