The Risks Of Moving Health Care Delivery To The Internet

Of the numerous disruptions to health care delivery forced upon us by COVID-19, the push toward virtual care and remote work may be the longest lasting. But this new era is not without challenges. Downtime for the virtual meeting company “Zoom” on August 24—which, prior to COVID-19, would be a non-event for health care organizations—led to canceled appointments, delayed visits, and countless frustrations at our institution and others. In this piece, we describe the risks and advantages of moving health care delivery to the internet and a path forward for ensuring safe and effective clinical care delivery.

That the US health care system is dependent on technology is not a secret—almost 90 percent of US physicians use an electronic health record (EHR), fueled in part by the Health Information Technology for Economic and Clinical Health (HITECH) Act as part of the American Recovery and Reinvestment Act of 2009. Historically, however, most technology management has been internal. EHRs ran within a hospital data center, often on site. Operational software—used both for productivity (for example, email) and to support human resources and finance—were also usually internally managed. Health care organizations invested in the hardware and personnel to manage this software but could administer with few external dependencies beyond the walls of the hospital.

A more recent change has been an increasing reliance on external networks—the internet—for core clinical or operational services. Most major EHR vendors, for example, now offer “cloud” services, which is a model for allowing access to a shared set of computational or network resources over the internet, usually managed by an external organization. Cloud computing services allow a hospital to move the management and hosting of their EHRs to a third party. Indeed, large software providers such as Microsoft and Oracle are pushing organizations toward cloud-based options for enterprise software, instead of “on premise” options that require a data center and local expertise. 

Patients are also now more reliant on the internet to access care—patients access EHR portals and telemedicine services using their own computers, mobile devices, and network connectivity. The recently published “final rule” called for in the 21st Century Cures Act enables patients to direct their health care data to applications of their choice using internet technologies. There are numerous examples of this data sharing already in use, including the Centers for Medicare and Medicaid Services’ Blue Button 2.0 initiative, which harnesses cloud computing to help seniors navigate our complex health care system. These changes further push health data and applications outside of a hospital’s walls and create additional dependencies on networks and cloud for both patients and providers.

The operational advantages of cloud technology are important considerations—health care organizations can outsource the technical knowledge and equipment required to maintain complex systems to dedicated experts, often at a lower price point. For example, adoption of a new EHR system is expensive. Cloud-based EHRs may facilitate adoption by having lower costs for hardware, software, networking, and personnel. This may be particularly advantageous for smaller health care organizations that do not have as many information technology  resources. Furthermore, health care organizations can access technology infrastructure on demand, scaling services up or down depending on their needs. For example, early in the pandemic, we created a cloud-based “chatbot” to help patients determine if they should be assessed for COVID-19. A public marketing campaign led to a dramatic increase in web traffic, which was seamlessly handled by our cloud provider. This lets us focus on what we do best—delivering clinical care.

However, while cloud-based tools may be easier and less expensive to maintain, dependency on cloud computing infrastructure introduces significant risk, which manifests in a few areas. First, problems with the vendor’s software will immediately impact users. For example, Microsoft Office 365 downtime in September 2020 affected multiple products, including Outlook email and their virtual meeting product Teams, limiting some users’ ability to read and send email. Health care organizations across the world using these tools might have had delays in communication about patient care issues, and—critically—trouble communicating about the incident itself.

Second, moving to cloud-based services centralizes risk. If a large regional data center has connectivity issues, numerous hospitals could be impacted simultaneously. Mitigations for downtime, such as diverting ambulances to other hospitals, will be less tenable if several other locations in the region are having similar challenges. Centralizing technical infrastructure also centralizes cybersecurity attack targets. In 2018, for example, a cyberattack against two of an EHR vendor’s data centers impacted hundreds of physician practices.

Third, while externalizing operational management of software is an advantage of cloud-based solutions, health care organizations lose control of the software lifecycle. Updates are planned according to vendor schedules and affect all customers at once.   Software may stop working, “go down,” or suddenly change, without warning, and for reasons unbeknownst to the customer. This model has advantages, such as bringing new software features or security fixes online more rapidly. However, customers may not have the opportunity to adequately test updated software in their own environment and may also not have sufficient time to communicate these changes to end users. At our institution, a recent update to Zoom resulted in Zoom-integrated virtual visits in our EHR no longer working.

Finally, access to the internet itself is fragile. Consider a satellite ambulatory health center that provides ambulatory visits, day surgery, and laboratory and imaging services. This facility may be connected to the internet through a dedicated fiber connection to an internet service provider (ISP). If, for example, there is road construction and the fiber line is damaged, this facility is cut off from the internet and may be unable to access their EHR. Furthermore, if the system had moved their phone service to voice over internet protocol, phone service would also be unavailable. CenturyLink, a major US-based ISP that provides backbone services for the internet, had significant downtime in August impacting a large portion of internet traffic, including our organization’s ability to access external applications. Remote work further magnifies our dependence on the internet. If an employee’s home internet service is disrupted, the employee may no longer be able to support essential operational functions.

Addressing these risks requires a multidisciplinary approach. Information technology, of course, is one aspect of providing safe and reliable connectivity. This includes having multiple, redundant connections to the internet in case one connection goes down, combining “cloud” services with on-premises solutions to improve redundancy and continued investment in network infrastructure. As an example, we recently created dedicated network connections to cloud-services providers, so that our access to these providers are not impacted by disruptions to our primary internet service. 

Business continuity planning is another critical mitigation. With increased virtual care delivery and a distributed workforce, planning must now happen on two fronts—the hospital and the community. Today, “downtime procedures” are focused on the hospital environment. We are creating plans for community-based internet downtime, such as reserving in-person capacity in our buildings that rely on more robust corporate networks. We have also implemented procedures for reverting to phone calls if virtual care visits are unavailable.

The Department of Homeland Security designates health care and public health, information technology, and communications as critical infrastructure sectors. This is truer now more than ever. With our increasing reliance on external services to support hospital operations and clinical care delivery, we are seeing new risks, new dependencies, and new failure modes. This shift may have started before COVID-19 but was certainly catalyzed by the pandemic. Investing attention, resources, and capital into stabilizing and improving health care connectivity will go a long way in ensuring continued safe and effective care delivery. 

Authors’ Notes

William J. Gordon reports consulting income from the Office of the National Coordinator for Health Information Technology. Aneesh Chopra reports being an employee of CareJourney. Adam Landman is a member of the Abbott Medical Device Cybersecurity Council.

Leave a Comment

Your email address will not be published. Required fields are marked *