With the continued increase in cloud computing adoption among healthcare organizations, security and HIPAA compliance continue to be top of mind for health IT leaders. Many cloud service providers address HIPAA compliance by adding more protections and processes to meet its requirements and ensure health data is adequately secured.
Healthcare organizations look to cloud computing for a number of reasons. Some organizations use cloud services to archive and store health data due to their low cost of entry. Others migrate their computing workloads and host their systems with cloud service providers (CSPs). No matter what level of cloud adoption a health organization is pursuing, the same HIPAA protections that apply to on-premises systems are required.
There are generally five key areas that CSPs must focus on to address HIPAA requirements.
System availability to ensure timely access to patient health records
Because the majority of healthcare organizations use EHRs, HIPAA mandates that any system hosting protected health information (PHI) must offer high availability and reliability. This means the cloud provider's uptime is critical to ensuring that patient data is available when physicians need it.
Admins should review a CSP's uptime score and identify whether or not their contracts with the vendor include service-level agreements.
PHI protection and security practices
As part of having health data hosted within a cloud provider's data center, HIPAA mandates that all data must be encrypted during transport and at rest. The law also requires a level of auditing and traceability for system and data access at any time. Most cloud providers offer data encryption services to secure their clients' data, which satisfies the majority of HIPAA encryption requirements.
A healthcare organization can always take further steps to protect its data by implementing additional security safeguards, such as adding encryption layers and restricting access to the data to only authorized users.
Data ownership and accessibility post-service termination
A CSP must ensure that a healthcare client can extract its data when a hosting agreement is terminated. Any attempt to block or deny access to that data is considered a breach of the HIPAA Privacy Rule.
Fortunately, several cloud providers, like Amazon, Microsoft and Google, offer ways to export, migrate and download copies of customer data with ease. However, companies should always ask how they can extract their data at the beginning of a CSP relationship.
Security practices within data centers
Healthcare organizations are required to have a business associate agreement (BAA) with any entity that comes in contact with PHI -- and this includes a cloud hosting provider. This also means the CSP must meet all the technical and administrative requirements under HIPAA.
Any CSP that is unwilling to sign a BAA is likely not able to commit to HIPAA requirements, and health IT should not consider it for cloud hosting.
Compliance and security standards and practices
Some CSPs, like Microsoft, provide additional services to help their clients review their HIPAA compliance. Some of Microsoft's services include Compliance Manager, which provides a way for a health organization to track activities on its HIPAA checklist, and Secure Score, which provides detailed scoring for the security of Office 365 and Azure workloads.
It can be challenging for health IT to determine the best CSP partner that can meet its HIPAA requirements. Fortunately, most of the larger cloud vendors recognize that alignment with HIPAA is a must in order to attract healthcare clients. The result is that vendors like IBM, Microsoft, Google and Amazon fully advertise their adherence not only to HIPAA, but to other healthcare-related rules and security frameworks, such as HITRUST, that ensure the protection of health data.