When it comes to the storage of health care data, security is arguably the biggest concern. Although many businesses question cloud storage security, the truth is that most reputable cloud service providers actually have better security than the average health care data center.
Even so, it's important for any health care organization that is considering storing data off-site to examine how the cloud service provider's security measures up to HIPAA requirements. Cloud storage security falls into a gray area when it comes to HIPAA compliance. The federal government sets up very specific guidelines for which organizations are and are not required to be HIPAA compliant.
Our series on cloud storage security
Health care, cloud storage providers and data ownership
Cloud storage security considerations for health care providers
Negotiating maximum cloud uptime from service providers
Under the original legislation in 1996, the only types of organizations required to adhere to HIPAA regulations are the following:
- A health care provider that conducts certain transactions in electronic form (a "covered health care provider").
- A health care clearing house.
- A health plan.
Under changes made to the HIPAA Privacy Rule and HIPAA Security Rule by the HITECH Act, HIPAA regulations now apply to HIPAA business associates as well. That includes the following:
- A health information exchange (HIE) or regional health information organization (RHIO).
- An e-prescribing gateway.
- A subcontractor.
The Covered Entity Charts published by the Centers for Medicare and Medicaid Services demonstrate that cloud providers are not required to be HIPAA compliant. However, the security rule states that covered entities that outsource some of their business processes to a third party must ensure that their vendors also have a framework in place to comply with HIPAA requirements.
The problem is that even if a provider uses top-notch cloud storage security, it may not necessarily be HIPAA compliant. Your best option is to look for a cloud service provider that advertises HIPAA compliance. Otherwise, you will have to pick apart the individual HIPAA mandates to ensure that your cloud provider addresses all of the requirements.
Risk analysis, management can make cloud storage security, HIPAA compliance tricky
One area in which you might have trouble addressing the HIPAA security requirements if you choose to use a cloud storage provider is in the risk analysis and management area. The reason for this has to do with the following HIPAA requirements:
- Evaluate the likelihood and impact of potential risks to electronic personal health information (ePHI).
- Implement appropriate security measures to address the risks identified in the risk analysis.
- Document the chosen security measures and, where required, the rationale for adopting those measures.
- Maintain continuous, reasonable and appropriate security protections.
It is a safe bet that as long as you don’t use a fly-by-night company, the cloud storage provider that you've chosen has done its own risk management, implemented security safeguards and takes measures to maintain cloud security. The problem is that HIPAA places a heavy emphasis on documentation.
When viewed from a HIPAA compliance standpoint, the lack of information about cloud storage security could make it very difficult to document your compliance.
My experience has been that most cloud services will only provide a very limited amount of information about their security measures. Doing so makes total sense for the cloud provider, since providing too much information could potentially undermine its security efforts. When viewed from a HIPAA compliance standpoint, however, the lack of information about cloud storage security could make it very difficult to document your compliance with the measures listed above.
Cloud storage security brings additional documentation headaches
With HIPAA’s heavy emphasis on documentation, some documentation requirements can be difficult to meet when data storage is outsourced. For example, HIPAA includes a requirement to encrypt and decrypt ePHI.
Chances are, your cloud service provider probably uses volume-level encryption that has been implemented either through BitLocker Drive Encryption or through a hardware solution. However, such encryption can be difficult to prove. You will likely have to implement encryption of your own at the file system level or at the database level, depending on the type of data that you are storing.
Another HIPAA provision that can be problematic in a cloud storage environment is the requirement for audit controls. Specifically, the law requires organizations to implement hardware, software and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI. In other words, HIPAA requires you to audit access (and attempted access) to data.
Auditing capabilities are often built into front-end applications that link to back-end databases. Even so, you should implement file system level auditing as a way of making sure that nobody attempts to access your database from outside of the front-end application. If you are subscribing to an Infrastructure as a Service (IaaS) cloud, then this is easy to do because you have full control of the virtual server. However, if you are only leasing hosted storage, then you may not have access to file system auditing capabilities.
Ultimately, there are many challenges associated with moving health care data to the cloud. A lot of health care organizations get around them by requiring their cloud service providers to sign contracts stating that they will adhere to the guidelines set forth by HIPAA.
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. Write to him at firstname.lastname@example.org.