HIPAA vs The Cloud
If you are involved in healthcare IT, you know all about HIPAA and the responsibility it puts on the organization to protect patient information. In the early days of HIPAA regulations, there were only general guidelines and required outcomes to help direct IT departments in reaching compliance. The fact that most organizations maintained a “closed” system, meaning they had their own data center with very little data being exposed outside of the organization, made compliance relatively simple. Our biggest worry was the tape media being rotated out to our favorite offsite storage facility. Over time, data center strategies have evolved to include collocation and managed services. While this has added some complexity to HIPAA compliance, you still know exactly where your data resides and have a good idea of who could potentially access it from the third party provider. Now cloud computing has been added to the mix of service options. This adds some interesting HIPAA compliance challenges since absolute end-to-end control of the data is no longer assured.
Challenges in the cloud
For the sake of this discussion, we are only concerned with the concept of a public cloud. A private cloud that is served from your own data center is no more a concern than delivering services from traditional non-cloud-based servers. For HIPAA, data privacy is a key component. In order to maintain security, you need to know where your data resides, take precautions to preserve privacy, and employ mechanisms to audit access. In the cloud, servers, network, and storage are designed to be abstracted, which means you do not know where things physically reside.
Getting data to and from the cloud is not terribly challenging. Most organizations move data securely today over the public network (a.k.a. the Internet) using various encryption methods such as VPN tunnels and secure SSL web communication. Once the data reaches the cloud, it becomes a bit more problematic. Ideally, all data would be encrypted from end-to-end including storage. However, few healthcare application vendors support this. So, in the cloud, a number of people over whom you have no control will have access to the physical servers and storage. Since complete control of the data and cloud computing seem to be in conflict, certain precautions need to be employed. Given the current absence of industry-wide certifications that would ultimately provide legal protection, the organization needs to negotiate a strong contract with the cloud provider that protects its interests. The cloud vendor should also be required to provide detailed reporting which includes all access to the servers and storage by anyone within their organization. The contract should include strong financial penalties to help incentivize the vendor and indemnify the healthcare provider in case there is a breach.
HIPAA, HITECH and meaningful use implications