The world is moving to the cloud at an unprecedented rate. Both enterprise level businesses and newly founded startups are preferring to host their data on the cloud as opposed to the traditional IT infrastructure. The healthcare industry has been one of the laggards in the cloud transformation due to the additional security concerns surrounding cloud adoption but is quickly catching pace.
Author: Rahul Varshneya, co-founder of Arkenea
It is of critical importance for healthcare organizations and health IT firms to comply with HIPAA norms to ensure the safeguarding of sensitive patient data. Here is what you need to do to ensure that your cloud-hosted healthcare data remains HIPAA compliant.
A privacy and security policy needs to be in place before data is shifted into the cloud. All the relevant policies and procedures need to be documented beforehand. This includes provisions for infrastructure failure and the steps that need to be taken in case any breach occurs.
One of the fundamental principles of designing cloud architecture and building cloud applications is designing for failure. Go forth with the belief that something will break down, and be prepared for that eventuality.
Choose a HIPAA compliant cloud hosting provider
While there are several cloud hosting providers to choose from, not all vendors are equal. Before choosing a vendor, you need to ensure that the one you are picking complies with HIPAA norms, ensuring the logistical and physical security of the infrastructure and adequate implementation of security protocols.
Before making your choice, discuss HIPAA compliance with the vendors you have shortlisted. Ask them how they comply with HIPAA regulations. Enquire about their existing security practices, including the administrative, technical and physical safeguards they have in place to prevent any unauthorized access.
The cloud service provider (CSP) you choose should be well equipped to prevent and mitigate attacks on your data, such as malware or DDoS attacks, that would compromise the security of healthcare data hosted in the cloud.
Ask whether the CSP has a HIPAA policy template available. Do they have around-the-clock personnel available in case the need arises? Is there a system in place for deletion of data? What measures are taken to prevent data leakage when servers are decommissioned? The answers cloud service providers give to questions like these can help you select the right provider.
Sign the BAA and SLAs
Covered entities under HIPAA (healthcare providers and payors) are required to treat the cloud service provider as a business associate. The business associate agreement (BAA) and service level agreements (SLAs) are the legal contracts that clarify and limit the permissible uses and disclosures of protected health information (PHI) and define individuals' rights to their own health information.
Cloud security is one of the biggest concerns when shifting healthcare data to the cloud. While de-identified patient data is free from compliance norms, encrypted patient data stored in the cloud is still subject to HIPAA compliance norms.
When healthcare data is shifted to the cloud, ePHI is subject to the same standards and norms that apply to PHI in general. Once the BAA is signed, the covered entity and the service provider are both contractually liable to meet the terms stated in the agreement and are responsible for meeting the applicable requirements of the HIPAA rules.
If a vendor doesn't know what a BAA is or is unwilling to sign one, that is the biggest red flag, and you need to steer clear of such a cloud service provider. Ensuring that the ePHI is protected is only the first step of successful cloud data hosting; a comprehensive risk assessment is a must to ensure that the policies, processes and technology are in place to reduce the security risk to the data.
A service level agreement goes into the specifics of operational aspects such as the level of service and the features that the cloud provider offers its customers. Aspects such as disaster recovery, response time and system uptime indicate whether the CSP is capable of hosting sensitive information such as ePHI.
The cloud solution you choose may offer you tools in collaboration with other vendors if it lacks a comparable solution or is missing certain features. In such cases, the secondary vendor's tools may not necessarily be compliant with HIPAA norms. All the tools that the CSP provides you with need to be thoroughly vetted so that there are no unintentional or accidental HIPAA violations.
Cloud computing is set to become the standard practice for healthcare IT infrastructure and data storage in the coming years. While signing BAAs supports compliance with regulations such as HIPAA and the HITECH Act, the ultimate responsibility for ensuring data security lies with the organization itself. A compliance program and the necessary internal processes need to exist in the first place for a successful migration of medical data to the cloud.
About the Author and Arkenea
Rahul Varshneya is the co-founder of Arkenea. He has been featured as a technology thought leader in numerous media channels such as Bloomberg TV, Forbes, HuffPost, Inc, among others.
Founders of fast-growing and venture-funded startups hire Arkenea to accelerate their product time to market by leveraging its on-demand engineering teams. Arkenea delivers custom software development (web/mobile) and/or augments existing teams with skilled software engineers backed by solutions architects. The company delivers solutions across industries including Healthcare, FinTech and EdTech, and business models including SaaS and On-Demand. It has expertise across various tech stacks in web and mobile.