Why not store personal health information in the cloud?

At the recent American Association for the Advancement of Science (AAAS) meeting in Chicago, my colleague Bob Grossman organized what was by all accounts a fascinating session on How Big Data Supports Biomedical Discovery. It being a Saturday, I had family duties. But I read with interest a synopsis of remarks made by speaker Lincoln Stein: “Legal and ethical issues with using commercial cloud vendors for cancer data. If Comcast buys Amazon, who owns data?” (As you can tell by the abbreviated style, this remark was communicated by Twitter.)

Lincoln published in 2010 The Case for Moving Genome Informatics to the Cloud, which remains a good read. Is he having second thoughts, or was he misquoted, or is he speaking to some specific technical issue? Not having heard his talk, I can only guess. But the synopsis spurs a few thoughts, which I want to get down.

I think about cloud storage of personal health information (PHI) from three different perspectives:

  1. In my infrequent role as a patient, I am aware of how the vast majority of my medical records are essentially inaccessible to me. Perhaps they exist somewhere, in filing cabinets or computer systems, but I have no idea where. I contrast this situation with the view of my financial records that I obtain from cloud-based Mint, and shake my head.
  2. Living vicariously as a physician, I observe my wife’s use of a cloud-based medical records system for her medical practice, and see how this system has transformed the way she practices. The contrast between the before (paper-based records, an old-fashioned electronic system on an office PC) and after (high-quality interface, instant access to data at any time) is striking.
  3. In my day job as a researcher, I work closely with colleagues who make extensive use of Amazon cloud services for storage and analysis of large quantities of genomic data. I see how access to cloud has transformed the way these researchers work, allowing them to conduct studies that otherwise would have been out of reach, due to a lack of required hardware, software, and expertise.

Based on these perspectives, I focus on three major issues with respect to storage of personal health information (PHI), namely accessibility, confidentiality, and longevity. Let’s examine them in turn.

Accessibility: Patients want to be able to access their medical records whenever needed and regardless of which practitioner provided care. Physicians want to be able to access the medical records of their patients at any time, not just when they are in their office. Researchers want to be able to access large quantities of biomedical data. In each case, cloud has considerable advantages relative to many alternatives.

Confidentiality: Patients, physicians, and researchers are all deeply concerned about unauthorized access to PHI, albeit for somewhat different reasons (see below). Is a cloud more or less secure than alternatives? I myself believe that a professionally operated cloud service can and should be more secure than storage systems operated by patients, physicians, or even medical centers. On the other hand, the consequences of a breach can be larger at a cloud provider. So the issues here are complex.

Longevity: Patients, physicians, and researchers all want to be able to access their data in the future. For each, cloud storage has the potential, like a bank vault, to increase longevity relative to less well-run and protected alternatives; but it also represents a single point of failure. I suggest that we should embrace the cloud but ensure backup to an alternative provider. (I realize that I have work to do when I get home.)

Do any of these perspectives shed light on the legal and ethical concerns attributed to Stein? It would be concerning if cloud providers could claim ownership of stored data. But I am puzzled as to why I have not heard this concern raised in other contexts, given that cloud-based medical record systems are quasi-ubiquitous in medicine. Is there perhaps something special about Amazon’s terms of service? If any reader can shed light on this question, I would love to hear from you.

My friend Jonathan Silverstein points to an inherent asymmetry that arises when dealing with PHI. The regulations (mostly HIPAA and HITECH and all the complexity that follows) treat all data holders other than the patient as data stewards rather than data owners. Patients may, quite reasonably, want to move their data to cloud storage: they can do so, and the “only” risk to them is to their privacy. Healthcare providers and researchers, on the other hand, act as stewards, and thus must consider the severe penalties for breaches, which create a high threshold for trusting another party.

My own perspective is that commercial cloud providers have such advantages in terms of accessibility, economies of scale, and pace of innovation that researchers, in particular, would be foolish to dismiss them. Demand from patients and physicians is leading to large quantities of PHI moving to the cloud. That transition will surely accelerate. If legal and ethical issues exist, they will be addressed in those contexts. Researchers should celebrate the opportunities these new technologies present to accelerate and democratize research. (The subject of the symposium that I ran at AAAS, Outsourcing Science: Will the Cloud Transform Research?)

3 comments on “Why not store personal health information in the cloud?”
  1. Jim Pruyne says:

    Good points. There turns out to be so much that goes into this issue. We pursued one approach as described in Computer: http://www.computer.org/csdl/mags/co/2012/11/mco2012110042-abs.html. Having an MD’s viewpoint as you talk about here and as we did on our team is incredibly valuable.

  2. Ian Foster says:

    Via Jonathan Silverstein: “Cleveland Clinic, Dell pair up to help late adopters, switchers implement Epic EMR” as cloud solution — http://feedly.com/e/GurK-YY6

