Patient Privacy Concerns Lead VA to Test Cloud Application

From 7/27/2011 article from FierceHealthIT News

The Department of Veterans Affairs (VA) is testing an unnamed commercial “cloud” application that will allow VA employees to share data in the cloud without compromising the personal health information of patients, according to a report in FierceGovernmentIT. VA Chief Information Office Roger Baker said a few months ago that this option would be available by the end of the summer.

The department’s monthly reports to Congress have mentioned infractions of security rules involving unauthorized use of web-based solutions outside of the VA information system. Employees reportedly stored personally identifiable health data in commercial cloud collaboration applications such as GoogleDocs and Yahoo Calendar.

In one case at the Indianapolis VA hospital, a spreadsheet uploaded to EditGrid included the names and diagnoses of 184 patients. While the spreadsheet was password-protected, the site didn’t use secure hypertext transfer protocol.

According to Baker, the new cloud application will require employees to be authenticated and to enter the website directly from the VA system. The commercial site will include a separate VA section that is completely secure.

“We’re able to offer the service to our folks, not as a VA-customized version, or one that we brought in house, but one that is the authentic version of the cloud software,” Baker said during a July 25 press call. “I would hope that once we’ve proven that with that vendor we can expand it to others and just be able to offer access to those services.”

Baker has said all along that the VA doesn’t want to develop its own cloud software. “I can guarantee you it would not be as good and it would not be as popular” as the commercial version, he said at a press briefing in April.