How to keep cloud services compliant with HIPAA standards

As more healthcare providers send aspects of their business into the cloud, they must be aware that such a move doesn't free them from their HIPAA compliance duties.

The regular addition of cloud technology services has analysts concerned that health IT departments are being overwhelmed by the speed of these changes and don't possess adequate resources to be sure their cloud-based workloads comply with HIPAA standards. The adoption of cloud in healthcare has been steadily increasing for some time now. Hospitals, health plan providers and physician groups rely on these services to help reduce some of their infrastructure complexities and reduce costs.

Considering the number of available cloud services and the number of healthcare entities using them, it's easy to deduce that a large quantity of protected health information (PHI) resides in the cloud, permanently or temporarily. As providers increase their dependence on cloud and online services, health IT executives face the pressure of constantly certifying that all of their cloud services meet HIPAA standards.

There are two distinct types of services that IT generally deals with when working with cloud providers, and each one deals with HIPAA standards very differently.

Vendors that offer online managed cloud services, such as software as a service, are fully responsible for meeting HIPAA requirements. In these cases, the vendors themselves are 100% responsible for data protection, disaster recovery planning, systems redundancy and all general security practices that are mandated by HIPAA.

Unmanaged cloud services are those in which the cloud provider leaves the client responsible for some of the data protection. In this type of service -- which can include infrastructure as a service or storage as a service -- the vendors are required to cover a baseline of HIPAA security requirements, but their clients must take full responsibility for satisfying the remainder of HIPAA.

Cloud services offered today by Google, Amazon, Microsoft and several others in the marketplace continue to see an increase in their client bases. Many providers offer tools to help their healthcare clients meet HIPAA standards. There are a few crucial questions that healthcare providers should address to be certain their cloud products are compliant with HIPAA.

What systems must meet HIPAA requirements?

As part of the overall review of systems, a healthcare entity must first identify all systems that interact with PHI. Doing this determines which systems should be evaluated to establish conformity with HIPAA privacy and security regulations.

Who is responsible for ensuring HIPAA compliance?

It is common practice for technology vendors that work closely with healthcare organizations' patient data to sign business associate agreements (BAAs). Despite the existence of BAAs, not all cloud providers are responsible for all aspects of HIPAA. So it becomes extremely important for the IT department to understand where its responsibilities begin and end when it comes to the systems managed in the cloud.

Should you rely on cloud security tools?

The systems that reside in the cloud, such as servers and applications, are subject to the same risks as any other system. Cloud providers offer and deploy highly sophisticated security systems to ensure core systems are protected from cyberattacks and data breaches. Systems and servers hosted internally by hospitals aren't protected by cloud providers and remain vulnerable to attack. A health IT department must evaluate security platforms for its server workloads in the cloud in the same way it would for its internal server infrastructure.

Does the cloud still need to be audited?

The cloud services offered today are easy to implement, manage and operate, but working with vendors to gather information about how their products meet HIPAA protocols can be difficult. An IT team must be diligent in documenting as much relevant information as possible so it has something to present to potential HIPAA auditors.

Are the systems automatically backed up?

The common answer vendors give IT departments to this question is "maybe." Though cloud vendors usually ensure system availability if any of their hardware fails within their data center, that doesn't always mean that user data can be restored after it's deleted. Cloud vendors offer backup and recovery as separate services for their cloud, which means users of the service must plan for cloud backups the same way they do for their internal systems.

Security and the protection of systems remain among the top priorities for IT executives. As more cloud services are adopted, IT departments are trying to quickly alter their security policies accordingly. Regardless of how popular a cloud vendor is, the services it offers to healthcare clients must still undergo the same review protocol that's applied to in-house systems. This is especially important because HIPAA requires that all systems, no matter where they are hosted, meet its standards.
