The U.S. Department of Veterans Affairs plans to offer its physicians commercial cloud-based software-as-a-service collaborative tools to improve communications while also reducing data breaches.
Some physicians already use Web-based tools without approval, a situation that heightens the risk for sensitive data disclosure, VA officials have said.
VA seeks information from vendors about their experience and interest working with the department to integrate their communications tools with existing VA systems, such as Exchange Calendaring and SharePoint.
VA plans to pilot the cloud software-as-a-service (SaaS) collaborative tools with up to 5,000 VA staff physicians and residents to share patient information with each other, including documents and calendars. If successful, VA may expand the software availability to all 134,000 VA medical personnel, according to a recent announcement in Federal Business Opportunities. Vendors must respond to VA by Sept. 8.
The tools will reduce the time physicians spend on collaboration and prevent data breaches, which have been caused, in part, due to the lack of a VA-approved collaborative tool, according to VA officials, who cite findings from a report from the Veterans Health Administration’s Health Alliance.
“By implementing a pilot of cloud SaaS-based collaborative tools, the VA would be able to demonstrate how collaborative tools will improve veterans’ care, reduce the amount of time the VA’s doctors spend on collaboration, and prevent further data breaches, which have been caused, in part, due to the lack of a VA-approved collaborative tool,” VA officials said in the notice.
Seeking security
VA has sought a method by which its physicians can securely use popular tools that enable them to share patient data in the course of their work.
In November 2010, VA reported a security incident at the Chicago VA hospital that involved a shared scheduling calendar on Yahoo! The breach included almost 900 patients with their surgery dates, type of surgery and partial Social Security numbers. Although the account was password-protected, it contained personally identifiable information and was beyond VA's control, so it represented an information breach, said Roger Baker, VA CIO.
VA shut down the account and sent notification letters to the affected patients. It reported a similar incident in September 2010 related to physicians using Google Docs, another widely used tool that enables multiple users to collaborate on activities.
"We're spending a lot of time trying to figure out how to go from saying no to saying yes for these kinds of applications," said Baker in a briefing at that time. "We have to figure out how to embrace those and at the same time be sure that we are providing the privacy and health information protections that we're committed to doing."
As a result, VA is now evaluating the cloud-based, software-as-a-service tools as an alternative to developing and hosting its own applications for collaboration across VA and possibly outside VA. The software would enable the sharing of documents and calendars once they are authenticated to the VA network with the vendor’s cloud environment.
Potential vendors would have to meet federal security requirements, such as holding a Federal Information Security Management Act (FISMA) moderate certificate, VA said.
VA said it will also develop and test the sharing of health information that is not sensitive and related to education, published and non-published research and policy collaboration. Another scenario will evaluate the use of the cloud-based software-as-a-service tools as a substitute for VA’s standard Outlook Exchange email, and for interconnection the VA’s existing email systems for collaboration.
Federal agencies are increasingly considering a cloud-based environment to consolidate systems, reduce costs and strengthen information security – per an Office of Management and Budget “Cloud First” policy for new projects – and health-related agencies are moving in that direction.
For example, the Centers for Medicare and Medicaid Services recently announced it wouldl use cloud computing services to support its Healthcare.Gov plan finder and the system demands of the health insurance exchange program being created in the 50 states. The vendor will enable CMS to increase its capabilities for infrastructure as a service instead of owning and managing the assets.
