HIPAA Regulatory Alert: Is the cloud safe for healthcare?
Ask these questions to determine data security
The benefits of using cloud service providers include improved operating efficiency and reduced infrastructure costs compared with traditional, on-premises environments.
Ensuring data security, however, is more complex than with traditional data storage systems, says David S. Linthicum, founder and chief technology officer of Blue Mountain Labs, information technology advisors in St. Louis, MO. As time goes on and more healthcare organizations rely on cloud computing, regulations such as the omnibus rule will provide guidance on how health entities can ensure they are choosing a cloud service provider that complies with privacy and security regulations, Linthicum explains. “Until then, it is up to the healthcare organization to be skeptical and ask cloud providers to prove their ability to meet security requirements,” he says.
One of the first steps is to understand what service you are purchasing, suggests Linthicum. The cost savings of cloud computing come from its multi-tenant structure: multiple customers share the cost of the infrastructure that transmits and stores their data. Healthcare organizations need to understand what that sharing means for their data. Some of the key questions to ask potential cloud service providers include:
• How are clients segmented?
Andrew Hicks, MBA, CISA, CCM, CRISC, director and healthcare practice lead at Coalfire, a Louisville, CO-based independent IT governance, risk, and compliance firm, says, “If it is one system with multiple tenants, there are firewalls between data, but healthcare organizations should ask how the cloud service provider ensures data is never mixed.”
Another key issue to address is how the cloud service provider would identify what data was involved if a breach occurred. Although the provider is not working directly with the data, it should be able to identify which client’s data was breached and the extent of the breach. This matters because HIPAA’s breach notification requirements oblige the covered entity to determine whose protected health information was affected, which it cannot do unless the provider’s records support that determination.
• Where is data stored?
Cynthia J. Larose, Esq., an attorney and member of Mintz, Levin, Cohn, Ferris, Glovsky and Popeo in Boston, says, “Another significant concern that must be addressed in any agreement with a cloud service provider is the location of the data.”
Data with a cloud service provider is always moving from server farm to server farm, depending on demand for access and space on servers, Larose explains. “Many providers use server farms outside the U.S., where data security is not as regulated,” she says. “For this reason, healthcare organizations should specify that their data is never to be stored anywhere outside the U.S.”
• Do you work with healthcare or financial institutions?
It is helpful to work with a cloud service provider that understands healthcare privacy and security requirements, and a provider that also handles financial transactions, such as credit cards, is accustomed to high levels of security, Hicks points out. “They also have systems in place to track location of data and correctly identify what information was affected by a breach,” he says.
Ask specifically about other healthcare clients, suggests Linthicum. “Request permission to contact their largest and most active healthcare clients for a reference,” he advises.
• What are your physical security protections?
Don’t focus only on data security in storage or transmission, suggests Hicks. “Ask about controls that limit physical access to servers as well as employee access to data,” he says. Just as a hospital tries to ensure employees don’t carry unencrypted protected health information home on a laptop that can easily be lost, a cloud service provider should have physical safeguards as well as policies to protect your data.
• What are your disaster recovery procedures?
When asking about security protections, ask about disaster recovery plans as well, says Hicks.
“Understand what their disaster recovery plans include, such as location of data and how easily accessible it is to you,” he says. In addition to making sure your data is secure in the event of a disaster, you also want to make sure continuity of your service is not affected, he adds.
While use of cloud computing can be a safe, cost-effective business solution for many healthcare organizations, it might not be right for everyone, admits Linthicum. “Each organization should evaluate their needs, costs of cloud versus other computing solutions, and their organization’s readiness to change,” he says.
When an organization enters into an agreement with a cloud services provider, it should define specific penalties and responsibilities for the provider in the contract, suggests Linthicum. Under HIPAA, a cloud provider that stores or processes protected health information on a covered entity’s behalf is a business associate, so those terms belong in the business associate agreement as well as the service contract. “Healthcare is very wary of cloud computing, but there are benefits,” he says. “Each organization needs to weigh the risks and benefits to make the right choice based on individual need.”