Best practices for building and maintaining HIPAA-compliant cloud applications
By Lisa O’Neil, July 24, 2012
How to successfully implement a HIPAA-compliant cloud solution that meets business goals.
Many healthcare organizations are interested in improving security, availability and performance of their data and applications. While other industries are increasingly leveraging cloud-based computing to meet these goals and reduce costs, concerns about HIPAA compliance are inhibiting the healthcare sector from following suit. For healthcare to follow suit, the focus needs to shift from asking whether the cloud is HIPAA compliant to architecting the best solution.
Understanding threats to HIPAA systems
It is a mistake to assume that cloud computing, by its very nature, is a threat to HIPAA compliance. To understand where the actual threats are to protected health information (PHI), we need only to look into the data that is collected by the government on HIPAA breaches.
Since late 2009, 435 HIPAA breaches have affected over 20 million individuals. Sixty-seven percent of incidents involved theft or loss. While this suggests that the majority of threats involve physical PHI, the figure increases dramatically when we count affected individuals instead of incidents: 84 percent of affected individuals were exposed through the theft or loss of physical computers or electronic media.
That’s a stark picture, and the vast majority of data breached to date involves physical digital equipment or media. If we add breaches due to IT/intrusion incidents on physical network servers, that number increases to 92 percent. It is clear that a compliant cloud-based solution can have significant security advantages.
Business associates and AWS
In addition to privacy and security requirements, HIPAA requires a business associate agreement (BAA) with third-party vendors who access PHI. A question heard frequently is: “Will Amazon Web Services (AWS) sign a BAA?” The answer is that AWS employees do not have access to the applications or data of properly architected solutions for covered entities. Using AWS is akin to using the U.S. Postal Service or Federal Express.
However, partnering with a HIPAA solutions provider that will sign a BAA for the duration of the project, spanning design of the solution, implementation and any ongoing support or other work, does add an extra layer of protection.
A success story: Pronia
Pronia Medical Systems (www.proniamed.com), whose GlucoCare application manages glucose delivery in hospitals, implemented a successful cloud-based HIPAA-compliant solution. The main objective for using AWS was to execute faster, easier, more cost-effective hospital trials. Continued HIPAA compliance of administrative processes, patient data storage and data transmission were also paramount.
To optimize customer onboarding, Control Group designed an AWS-based architecture that supports Pronia’s technical, regulatory and business requirements via Rapid Initial Deployment. The solution is comprised of a suite of services and AWS technologies that cover the spectrum from analysis and architecture to design and implementation.
Technical review of Pronia's operations and the GlucoCare application revealed which facets would need modification for delivering a compliant cloud-hosted solution, and documentation was created to support future HIPAA and FDA technical reviews.
The AWS Relational Database Service (RDS) rapidly deploys a database for each new customer, creating a consistent environment where backups and replication are handled automatically. GlucoCare servers are provisioned in Amazon’s Elastic Compute Cloud (EC2), and this solution uses on-demand instances to create servers that run the application instantly.
In addition, AWS Auto Scaling and configuration automation deliver a self-healing solution that responds to outages instantly, without manual intervention. Because monitoring and alerting are essential for GlucoCare’s clinical uptime requirements, CloudWatch was selected to highlight usage trends, automate problem resolution and send instantaneous issue notifications.
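The per-customer RDS pattern above is only as safe as the settings each instance is deployed with. The following is an added example, not Pronia's or Control Group's code: a small audit that checks each database against a baseline of automated backups and a Multi-AZ standby (the two properties the article relies on), plus encryption at rest and no public endpoint, which are assumptions added here. The input mirrors the field names of boto3's `describe_db_instances()` response, and the sample records are constructed.

```python
"""Audit per-customer RDS instances against a HIPAA-oriented baseline.

Hypothetical checker, not part of the solution described in the article.
Input dicts use the field names found in boto3 rds.describe_db_instances()
["DBInstances"]; the records below are constructed for illustration.
"""
from typing import Dict, List

# Minimum automated-backup retention assumed for this baseline (not from the article).
MIN_BACKUP_DAYS = 7


def audit_instance(db: Dict) -> List[str]:
    """Return findings for one instance; an empty list means it passes."""
    findings = []
    if db.get("BackupRetentionPeriod", 0) < MIN_BACKUP_DAYS:
        findings.append("automated backups retained < %d days" % MIN_BACKUP_DAYS)
    if not db.get("MultiAZ", False):
        findings.append("no Multi-AZ standby replica")
    if not db.get("StorageEncrypted", False):      # assumption: encryption at rest required
        findings.append("storage not encrypted at rest")
    if db.get("PubliclyAccessible", False):        # assumption: no public endpoint allowed
        findings.append("database endpoint is publicly accessible")
    return findings


def audit_fleet(instances: List[Dict]) -> Dict[str, List[str]]:
    """Map each DBInstanceIdentifier (one per customer) to its findings."""
    return {db["DBInstanceIdentifier"]: audit_instance(db) for db in instances}


def noncompliant(report: Dict[str, List[str]]) -> List[str]:
    """Sorted identifiers of instances that have at least one finding."""
    return sorted(ident for ident, findings in report.items() if findings)


# Constructed sample: one compliant tenant database and one with gaps.
SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "glucocare-hospital-a", "BackupRetentionPeriod": 14,
     "MultiAZ": True, "StorageEncrypted": True, "PubliclyAccessible": False},
    {"DBInstanceIdentifier": "glucocare-hospital-b", "BackupRetentionPeriod": 7,
     "MultiAZ": False, "StorageEncrypted": True, "PubliclyAccessible": True},
]

if __name__ == "__main__":
    for ident, findings in audit_fleet(SAMPLE_INSTANCES).items():
        print(ident, "OK" if not findings else "; ".join(findings))
```

In a real deployment the sample list would be replaced by the `DBInstances` list returned by boto3, and the audit run on a schedule so that drift in a tenant database is caught as a finding rather than discovered in a breach report.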
Pronia now has in place a highly data-driven, automated solution that deploys and manages machine lifecycles, code versioning and testing. It is a highly scalable, stable, HIPAA-compliant, AWS-based footprint from which to launch trial hospital implementations. New customer systems are deployed with a high degree of control over security, role and user management in full compliance with HIPAA. With AWS pricing, scalability and reliability, the platform has proven to be ideal for Pronia's rapidly growing business.
About the author
Lisa O’Neil is vice president of enterprise consulting at Control Group, a technology innovation firm that enables companies to work smarter, create new sources of revenue and enhance their customer experiences by delivering on the full potential of technology and user-centered design. Learn more at www.controlgroup.com.