Comment: HIPAA vs The Cloud

Cloud storage creates HIPAA compliance challenges because absolute end-to-end control of the data is no longer assured
Cloud storage creates HIPAA compliance challenges because absolute end-to-end control of the data is no longer assured

If you are involved in healthcare IT, you know all about HIPAA and the responsibility it puts on the organization to protect patient information. In the early days of HIPAA regulations, there were only general guidelines and required outcomes to help direct IT departments in reaching compliance.

The fact that most organizations maintained a “closed” system – meaning they had their own data center, with very little data being exposed outside of the organization – made compliance relatively simple. Our biggest worry was the tape media being rotated out to our favorite offsite storage facility.

Over time, data center strategies have evolved to include collocation and managed services. While this has added some complexity to HIPAA compliance, you still know exactly where your data resides and have a good idea of who could potentially access it from the third-party provider. Now cloud computing has been added to the mix of service options. This creates some interesting HIPAA compliance challenges because absolute end-to-end control of the data is no longer assured.

Challenges in the Cloud

For the sake of this discussion, we are only concerned with the concept of a public cloud. A private cloud that is served from your own data center is no more a concern than delivering services from traditional non-cloud-based servers.

For HIPAA, data privacy is a key component. In order to maintain security, you need to know where your data resides, take precautions to preserve privacy, and employ mechanisms to audit access. In the cloud, servers, network, and storage are designed to be abstracted, which means you do not know where things physically reside.

Getting data to and from the cloud is not terribly challenging. Most organizations move data securely today over the public network (a.k.a., internet) using various encryption methods, such as VPN tunnels and SSL web communication. Once the data reaches the cloud, it becomes a bit more problematic.

Ideally, all data would be encrypted from end-to-end, including storage. However, few healthcare application vendors support this. So, in the cloud, you will have a number of people with access to the physical servers and storage that you have no control over.

Because complete control over data and cloud computing seem to be in conflict, certain precautions need to be employed. Given the current absence of industry-wide certifications that would ultimately provide legal protection, the organization needs to negotiate a strong contract with the cloud provider that protects its interests. The cloud vendor should also be required to provide detailed reporting that includes all access to the servers and storage by anyone within their organization. The contract should include strong financial penalties to help incentivize the vendor and indemnify the healthcare provider in case there is a breech.

HIPPA, HITECH and Meaningful Use Implications

Let’s look at the HIPAA and cloud question from a different perspective. In 2009, the American Recovery and Reinvestment Act (ARRA) expanded HIPAA to include the Health Information Technology for Economic and Clinical Health Act (HITECH) and Meaningful Use provisions.

Organizations are now positioning to attain Meaningful Use in order to capture the incentives allocated by the Federal Government. In a few years, that carrot becomes a stick, and reimbursements will be in jeopardy for those who are not in line with the Meaningful Use provisions.

The increased use of technology solutions in delivering clinical care, as put forth in Meaningful Use, is putting additional stress on IT departments. Most healthcare organizations cannot provide basic data center services in line with fundamental best practices, let alone operate a data center that approaches 99.999% availability. This means that most organizations are at risk for unscheduled outages.

In an environment that is increasingly dependent on technology availability, this is becoming a life-and-death situation. Fixing the problem is expensive and, in general, health care providers should not be in the data center business – but that’s another story. Cloud computing can provide a very cost effective solution for organizations needing to attain a certain level of availability but not wanting to invest the capital to build it on their own. With a cloud vendor you, in effect, “rent” server, virtualization, network, storage, and security experts rather than having to keep them on your own payroll. Some of these folks are in high demand and can be very expensive to hire.

When discussing high availability of clinical applications en route to achieving Meaningful Use, one must include infrastructure. If you are going to meet uptime requirements, you will need more than one data center.

Undertaking the infrastructure work yourself will double your overall capital investment in data center infrastructure. This is another area where the cloud shines. An attribute of the cloud is rapid provisioning and deployment. You are able to change compute capacity as demand changes. In the cloud, server instances can also be quickly moved to alternate hosts or clustered to provide redundancy in case of failure. This is the easiest and least expensive way for even the smallest organizations to achieve what has historically been only within the reach of larger Integrated Delivery Networks.

The Bottom Line

Cloud adoption and achieving HIPAA compliance do not have to be in conflict. As with any evolving or new technological solution, it is critical for organizations to perform their due diligence so they fully understand not only the technology, but how it impacts their environment.

IT must develop the necessary skills or engage the assistance from a trusted advisor. They cannot shy away from new technology because they do not understand it. The cloud is here to stay and can provide a financial advantage to those who embrace it.

As president and co-founder of WAKE TSI, Chris Witt oversees data center and infrastructure-architecture relationships with some of the nation’s best hospitals, health networks, payers, and university teaching and research institutions, as well as many large organizations in the commercial, federal and state business sectors in the Mid-Atlantic. His technical background, which includes nearly thirty years of evolving with developing IT trends and leading-edge architecture, is complemented with over fourteen years of managing projects, budgets, personnel, and operations. Witt is a published author and veteran speaker. He holds an MBA in technology management from the University of Phoenix, and a BS in computer science from Villanova University.

What’s hot on Infosecurity Magazine?