Tip

Four security tips for HIPAA compliance in healthcare cloud storage

Chief information officers around the globe are adopting cloud data storage for their enterprises, utilizing it primarily for remote storage, archiving, information sharing and cost reduction purposes. With that comes the concern around its security.

Healthcare cloud storage

    Requires Free Membership to View

requires more layers of data security and compliance strategies, making some CIOs reluctant to engage the services of third parties for storing patient data. HIPAA, Payment Card Industry and other regulations govern security and privacy, and their rules must be addressed by any provider who uses a cloud service.

The demand for more cloud storage continues to provide scalability, flexibility and data sharing capabilities for health organizations. More and more vendors are entering the market, and competition is driving down cloud storage costs. However, it is critical to receive adequate information around how a vendor manages health information, and what safeguards are in place to ensure its protection.

In general, evaluate cloud storage vendors on the following criteria:

Encryption questions and concerns: When it comes to shared storage or the use of public cloud providers, data encryption can provide an added level of protection and compliance. While not all providers offer end-to-end encryption capabilities, this line item would be an important aspect when evaluating the cloud storage providers serving a healthcare customer.

Back up your cloud: It may seem redundant to ask a vendor to back up your data in its cloud, but the reality is that it's dangerous to overlook. Discuss retention policies and backup methods upfront with prospective cloud providers. There have been some incidents where data has been lost by top vendors, including Amazon and T-Mobile. In some cases, healthcare clients should evaluate the use of secondary cloud providers or leverage their on-premises storage for added protection in case their cloud provider does not offer adequate, secured data backups.

More about cloud storage in healthcare

How cloud works with tablets

Cloud security a concern for healthcare pros

Quiz: Find out how much you know about healthcare cloud

Data access monitoring: In order to ensure data is protected adequately, cloud providers implement advanced firewalls and intrusion detection systems that can help detect and prevent hackers from accessing their clients' sensitive data. Reviewing and receiving documentation supporting the safeguards implemented by the providers and researching any reported intrusions can help define which cloud providers are more secure than others.

Contract evaluations: HIPAA business associate agreements and other service-level agreements can be a first step toward ensuring healthcare cloud providers are taking data security seriously. But read the fine print and look for nuances in the language. Such close reading can uncover security concerns about a vendor's data handling. Furthermore, sticky matters surrounding a vendor's policy or attitudes toward data ownership and data access can be revealed, which becomes crucial for protecting the organization, especially when the cloud provider might be going out of business. Or you can find out if the organization fails to pay fees and potentially locks users out of their data, which becomes a HIPAA nightmare.

The above tips are a good starting point; some healthcare cloud implementations may require tighter security, and steps must be taken to ensure data protection and regulatory compliance when it comes to clinical data storage in the public cloud. However, as a general practice, any cloud storage deployment for healthcare entities must be followed by strict security checkpoints that begin with these principles.

Reda Chouffani is vice president of development at Biz Technology Solutions Inc., which provides software design, development and deployment services for the healthcare industry. Let us know what you think about the story; email editor@searchhealthit.com or contact @SearchHealthIT on Twitter.

This was first published in January 2014

Join the conversation Comment

Share
Comments

    Results

    Contribute to the conversation

    All fields are required. Comments will appear at the bottom of the article.

    Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.