HIPAA compliance in the public cloud: You don’t have to pilot it alone
To escape the confines of outdated IT infrastructure, more healthcare organizations are migrating data to public clouds like Azure and Amazon Web Services (AWS). Here they find a scalable, flexible environment for unlimited innovation, under a manageable “pay-as-you-go” price plan.
Organizations considering a similar move may be wondering if these benefits also include strong safeguarding of protected health information (PHI). It’s a crucial consideration – by law, healthcare organizations and their business associates who handle PHI must protect it in compliance with the Healthcare Insurance Portability & Portability Act (HIPAA). And this legislation only addresses the minimum standards for PHI security and privacy. Industry best practices advise additional and even more rigorous measures, and for good reason. Health data is under attack, with over 120 million health records breached in 2015 alone.
So here’s the big question: how do healthcare providers and healthcare IT organizations take advantage of public clouds like AWS and Azure without having to take on the entire responsibility of keeping PHI private and secure? An increasing number are instead offloading this daunting responsibility to cloud vendors who offer a broad set of services for managing PHI in a purpose-built HIPAA-compliant cloud. These include: data migration, data encryption, access control, backup and disaster recovery, firewall management and more.
In just one example, Next IT Healthcare uses such a strategy to overcome a prevalent conflict in digital healthcare—how to meet patients’ demands for online engagement without exposing their personal health data to a breach. The company’s digital health coaching applications are hosted in a HIPAA-compliant AWS cloud, built and maintained by a third party provider. This enables any influx in patient data volume, while assuring this data stays private.
Securing PHI in the cloud
Working with PHI in a public cloud requires a very specific, ever-evolving knowledge set; it’s not something you can “pick up” from a webinar during the lunch hour. At a minimum, it calls for deep experience in complying with HIPAA’s standards for security at the physical, technical and administrative levels. Beyond that, organizations should strive to adhere to the Health Information Trust Alliance Common Security Framework (HITRUST-CSF) program, the gold standard for PHI security with 19 separate directives that, like HIPAA, address multiple layers of defense.
With the advent of public clouds, expertise is required in using tools developed specifically for managing security in these environments. AWS, for example, offers DIY tools like CloudTrail for log monitoring – just one of the security tasks mandated by HIPAA. Obviously, these tools take time to learn, use and automate, and then HIPAA itself is a constant endeavor. Many organizations would rather use their IT resources for innovation, not continuous security. Here is where a certified AWS or Azure cloud vendor can step in with services that include:
- Application security
- Identity and access management
- Configuration management for operating systems, networks and firewalls
- Client-side and server-side data encryption
- Network traffic protection
- Log management
- Monitoring and alerting
- and much more
One of the most important benefits a cloud vendor should bring to the table is a negotiable, purpose-written Business Associate Agreement – that is, a contract in which the cloud vendor puts in writing a promise to assume the appropriate share of risk in the event of a data breach.
The HIPAA-compliant cloud in action at Cleveland Clinic
So what does it look like when healthcare organizations achieve innovation and HIPAA compliance in a public cloud? One good example is Cleveland Clinic’s Lou Ruvo Center for Brain Health. The clinic opened on May 21, 2010 in Las Vegas, Nevada as a national resource for the most current research and scientific treatment of Alzheimer’s Disease, Parkinson’s Disease, Huntington’s Disease and Multiple Sclerosis. As part of its Healthy Brain Initiative, the center establishes its own research by gathering information directly from patients themselves via a mobile app built with AWS services and that tracks physical exercise, nutrition, sleep, social interaction, and other contributing factors to brain health.
Because the app is hosted in the AWS cloud, data can be collected from unlimited locations with ease and efficiency. At the same time, HIPAA compliance and other stringent security measures applied by a third party cloud security partner make sure this data can only be accessed by the right people at the right time. With privacy and security off its own shoulders, Cleveland Clinic and other healthcare organizations can reap all the potential of public clouds without having to fly solo on PHI security.
Amazon Web Services, AWS, Azure, ClearDATA, Cleveland Clinic, CloudTrail, Health Information Trust Alliance Common Security Framework, HIPAA, HITRUST-CSF, pay-as-you-go, PHI, Protected Health Information