It’s no lie. Complying with the updated Health Insurance Portability and Accountability Act, or HIPAA, and other related federal and state regulations is arduous and expensive. But the costs of not complying are even more injurious, especially if a breach occurs and regulators pile on significant financial penalties (as they now can).
This matters when considering a move of healthcare data to the cloud. While more healthcare organizations engage in cloud computing, a 2013 survey found just 30 percent of surveyed healthcare organizations, including hospitals and practices, plan to employ or maintain a cloud environment this year. Yet employees' use of cloud applications and mobile devices continues to grow.
The principal concern: the cloud’s ability to meet privacy and security requirements. For some, the cloud seems so nebulous that cyber thieves must be able to breach patient and medical information more easily. More than half of respondents in one survey even thought stormy weather could interfere with cloud computing.
Actually, the cloud can be much more secure than on-site facilities. While 100 percent protection can’t be assured, data in the cloud may be backed up, encrypted and insulated by layers of security.
How does a healthcare organization stay compliant in the cloud?
Here are seven factors to consider when mulling a move to the cloud and, once there, staying compliant.
- Conduct a cloud risk assessment. HIPAA veterans should be familiar with the need to conduct a risk assessment, and special care should be taken to understand the risks when considering a move to the cloud. Consider what data will be moved; how and by whom it will be accessed; and whether the specific cloud solution will provide sufficient protections to meet your security and compliance requirements.
- Consider using a “private” or “hybrid” cloud solution. Many organizations decide to take a phased approach when moving to the cloud. Rather than move all their data to a public cloud provider, they opt for private clouds, which aren’t shared with other customers, or hybrid clouds that allow them to keep some data under their control while leveraging a cloud provider for less sensitive functions.
- Understand exactly what you are – and aren’t – getting. Considerable variation exists among cloud providers in terms of the security functions they perform and those that remain the customer’s responsibility. Unless your provider states otherwise, assume that any particular requirement, such as encryption or data backup, remains your responsibility.
- Ensure your cloud vendor complies with HIPAA and other regulations. The Department of Health and Human Services on Jan. 25, 2013, published new rules that significantly expand the definition and responsibilities of business associates and subject them to civil and criminal penalties. Be particularly wary of cloud providers who insist they are not business associates under the new rules.
- Know where your data is today – and where it will be tomorrow. Consider not only where your cloud provider is hosting your data, but also what happens to it when you exit the service, including how you will meet HIPAA/HITECH data-retention and data-destruction requirements.
- Consider the so-called cloud security “donut hole.” Your cloud provider may only attest to the security of its physical infrastructure, excluding the shared virtualization systems that support the cloud service. This leaves a “donut hole” between the host’s coverage and the point where the healthcare organization handles its own security. You should seek a host who closes this gap.
- Determine what the cloud provider will and won’t sign. Considering HIPAA compliance, will the vendor attest to what protections the healthcare provider has in place and to its responsibilities? If not, can it provide a third-party audit report attesting that the healthcare provider possesses such security protections?
HIPAA’s days as the “Toothless Tiger” are over. Healthcare entities must follow its tougher compliance regulations and the data-breach notification requirements in the 46 states that have them.
Migrating data to the cloud will require much thought and planning by healthcare organizations. But you shouldn’t get too uptight about the move if you’ve done the necessary due diligence.
About the Author
Oren Hamami is director of security strategy, SunGard Availability Services. For more on SunGard: www.rsleads.com/306ht-210