Archiving Medical Images in the Cloud

Business Continuity, Easy Access Are Goals
Archiving Medical Images in the Cloud

To back up massive diagnostic imaging files, more healthcare organizations are turning to archiving in the cloud as part of their business continuity and disaster recovery efforts. In addition, some are using cloud archiving to provide clinicians with easier, secure day-to-day access to medical images.

See Also: Global Adoption of Encryption; Is it Inevitable?

For example, Intermountain Healthcare and Ponoma Valley Hospital Medical Center are backing up their digitized medical images - and related patient information - onto huge cloud-based archives.

The benefits that cloud computing can offer for disaster recovery offset some of the security concerns, such as the potential for unauthorized access. Plus, healthcare providers are including security protections, such as the right to conduct audits, into their cloud vendor contracts.

"If a meteor were to hit my building, we'd be able to restore images in five minutes," says Geoff Duke, director of imaging information systems for Intermountain, which operates 22 hospitals, a medical group with 185 clinics and a health plan in Utah.

Intermountain is backing up many petabytes worth of digitized medical images onto a private cloud architecture hosted by Dell Computer and Siemens. That will provide Intermountain with three copies of medical images, including locally stored images, plus two additional copies stored by Dell and Siemens. "We do millions of images. ... We needed a better way for ensuring access to these images for disaster planning and business continuity," Duke says.

Dell and Siemens will archive more than 14.7 million Intermountain medical studies over the next few years. These studies are first stored on departmental picture archiving and communication systems, or PACS, used in areas such as radiology and cardiology, Duke says. And until now, the images also were backed up to tapes and disks.

The cloud archive will ease access to images directly from electronic medical records. "Clinicians will access these images via either the PACS system or a web-based, enterprise viewer embedded within the EMR," Duke says.

Eventually, more than 17,000 physicians will be able to access clinically relevant images stored in the cloud via electronic records. All imaging data will be encrypted at rest and in transmission, Duke says.

In addition, the cloud-based archiving will enable patient information tied to a specific image to be better synchronized and up to date, Duke says. For example, if a patient marries and changes their surname, that information will be more easily updated in all back-up copies of the image records, he says.

Updating patient demographic information in multiple copies of an image is made easier by the consolidated cloud archive, he adds.

Terms of Contract

As for other security matters, those are covered in the contract between Intermountain and Dell/Siemens, Duke says. For instance, the contract spells out specifics regarding financial, legal and operational details related to security, such as insurance, penalties for breaches, security audits and security policies, he says.

Under the contract, Intermountain has the right to visit the vendors' data centers to review security procedures and conduct audits. While Duke says he's confident that all important security matters, including technology and policy issues, are well-covered by the contract, he acknowledges that responsibility for security is shared between Intermountain and Dell/Siemens.

In addition to the enterprise PACS archiving that's being moved to the cloud environment, Intermountain also plans to eventually store in the cloud archive patient data and images related to its telemedicine services, Duke says.

Compared to other options, the cloud back-up for archiving has several advantages, Duke says. "The primary advantage of this hybrid-cloud architecture is that the remote, off-site storage is still live and on-line in that it is on spinning disk and is synchronized so that, in the event of any disaster or other outage, I could make this several petabytes of data available in a matter of minutes," he says. "It would take weeks or months to do this with a tape solution."

Boosting Back-Up

Like Intermountain, Pomona Valley Hospital Medical Center, a 453-bed community hospital near Los Angeles, is also moving its medical images archive onto a private cloud based architecture provided by Dell/Siemens. The move is part of a broader effort to boost disaster recovery.

The cloud vendors are providing direct point-to-point connections for Pomona to their data centers for access to the backed-up images. And if those connections are disrupted, physicians will be able to retrieve the images securely via an Internet-based virtual private network as a backup, says Kent Hoyos, CIO at Pomona. Primary storage for the images will remain at the hospital's PACS system.

Turning over image archiving to a remote cloud-based services provider is similar to other kinds of technology outsourcing, Hoyos says. "Cloud is a sexy term, but we've been doing stuff in the cloud for 20 years," he says.

Before moving the medical images archive onto a cloud architecture hosted by Dell and Siemens, remote image archiving was provided to Ponoma by another vendor, which Hoyos declined to name. "The technology was getting stale and was too expensive to maintain," he says. "The cloud allows you to move to the latest hardware for a known cost," he says.

Sizing Up the Cloud

One legal expert says that cloud-based architectures can provide a secure means for healthcare providers to archive medical images and back up data.

"In general, I believe that sophisticated cloud providers can offer most healthcare providers better data security than the health care providers could themselves achieve," says Adam Greene, a partner at the law firm Davis, Wright, Tremaine.

"I have heard people express caution that cloud service providers may have a higher risk because they are a greater target of hackers and other unauthorized persons," Greene says. "I'm not convinced if this is true - is the bank robber more likely to try to break into Fort Knox because that is where the money is, or the bank that leaves its rear window open at night?"

Nonetheless, Greene says one of the biggest challenges involved in using the cloud is HIPAAcompliance.

"No matter how good a cloud provider's security may be, a healthcare provider should still consider how cloud computing services fit with the healthcare provider's own risk assessment," he advises. "For example, the cloud may be secure, but what is the risk to the healthcare provider if it experiences a network outage or if a member of its workforce downloads information to an unsecure mobile device?"

Greene says it's essential for healthcare organizations to enter a formal business associate agreement with a cloud vendor.

"The Office for Civil Rights has indicated, via a settlement agreement, that a business associate agreement is required when protected health information is stored through a cloud provider's online calendar or online e-mail services," Greene warns.


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.