How healthcare cloud tools can help with HIPAA/HITECH compliance
Robert LaMagna-Reiter, vice president and chief information security officer at First National Technology Solutions, better known as FNTS, says healthcare organizations increasingly are using industry-specific clouds to work on compliance issues, such as those surrounding HIPAA and HITECH.
To meet these organizations' needs, FNTS recently launched FNTS Healthcare Cloud and also held some focus groups on the topic. As such, LaMagna-Reiter is filled with new and expert learnings on the subject.
Healthcare IT News interviewed LaMagna-Reiter to get him to share detailed expertise on industry-specific clouds, cybersecurity and, on a related note, recent changes to the HIPAA Safe Harbor Law.
Q: You have said there is a growing trend of businesses using industry-specific cloud solutions to address compliance-related issues like HIPAA and HITECH. How has this become a trend, and why is it significant?
A: The cloud is a strategic enabler. By aligning enterprise strategy to simplify and modernize IT environments, healthcare organizations can enhance and extend capabilities while reducing complexity. Industry-specific cloud solutions are trending to further shrink the time-to-value organizations seek from digital transformation and the need for agility.
Due to the evolving threat landscape and the sensitive nature of data collected by highly regulated healthcare organizations, these organizations also face mounting risks to security and compliance. It doesn't stop there. There also is the threat of downtime, regulatory fines and reputational risk, which can cause significant damage.
Cloud solutions have proven to be secure and capable of supporting regulated industries; however, it's entirely up to these organizations to implement the appropriate controls – platform dependent, of course, as the service provider is responsible for more controls as you move further up the stack into PaaS and SaaS.
When organizations weigh the decisions they must make – transferring existing security, compliance and privacy capabilities versus converting – it demands time, analysis and resources to accompany the technology decision to adopt a cloud operating model.
When cloud service providers offer to shrink the gap or simplify the ability to operate in not only a secure manner but a compliant manner with industry-specific regulations, the time-to-value shrinks considerably. The opportunity costs of not leveraging native capabilities increase and the business has greater incentives – simplification, consolidation and agility – to consume a ready-to-use solution.
There will always be analysis and requirements specific to an organization, but if the capabilities and outputs are normalized among specific frameworks and regulatory requirements, in addition to the world-class security capabilities delivered by cloud service providers, it's a win-win.
This is significant because it represents another paradigm shift within cloud services. Who enjoys continuously issuing RFPs each time a specific capability is up for renewal? Fragmenting skill sets and integrating separate disciplines has been tough, but when given the choice to consume a uniform, consistent and automated industry-specific cloud – in this case, healthcare – gone are the days when the organization's highly skilled resources must spend large chunks of their time on the care, feeding and upkeep.
Immediately, healthcare organizations can focus on consuming outputs, tuning, simplification and leveraging the economies of scale. Enhanced capabilities, optimized costs and time across business units, and a reduction in the demand for specialized talent also are benefits.
As the future of the healthcare industry is reimagined through more business capabilities and customer self-service tools, organizations require redundancy and resiliency to improve operational efficiencies, clinical outcomes and patient satisfaction. Security isn't the only advantage that industry-specific cloud solutions provide.
Healthcare organizations also need to ensure end users have a positive experience that aligns with business growth. This includes selecting and developing right-fit health IT software applications and integrating them with an organization's desired infrastructure.
Q: What are some high-level insights from the health IT experts you've dealt with in the industry on the problems they face and how they define value in IT?
A: Health IT experts have several challenges, many of which an industry-specific cloud solution can address.
Instead of making capital investments for hardware, the cloud provides a continued refresh, ongoing maintenance and upkeep of the technology, in addition to security solutions. In the cloud, this also extends to managing subscriptions, cost efficiency and data sprawl.
Splitting time between updating skill sets, knowledge and refreshing strategies can be challenging, which is why organizations seek solutions that are accompanied by ongoing IT support, scalable storage and computing resources.
Staying current or ahead of regulatory changes, and ensuring security and compliance requirements are uniformly applied across the technology footprint, is important. Compliance-driven industries not only require tailored technology solutions, but also expertise and support that keep them in adherence to the most stringent regulatory standards pertaining to HIPAA, HITECH and more.
This includes the protection of electronic protected health information (ePHI) through administrative, technical and physical safeguards, such as self-auditing capabilities in the cloud and advanced analytics.
Performing day-to-day monitoring and management of systems, storage and backups is a common challenge, in addition to vendor management and time-to-value with existing technology deployments.
Value has different meanings depending on the stakeholder. In healthcare, IT value is usually derived from innovation – the ability to innovate in a cost-effective and efficient manner – and agility – the ability of the organization to rapidly respond to opportunities, threats, etc.
IT experts analyze the services, cost and outcomes. With an industry-specific cloud solution, healthcare organizations are on the receiving end of more services, less overall cost and refined outcomes that:
- Stabilize or enhance SLAs
- Align costs to usage
- Enable the organization to focus on its core competencies and easily produce compliance attestations (in the case of HIPAA/HITECH and BAAs)
- Deliver integrated information security controls and capabilities (the combination is compelling for organizations without sizable skill sets, capabilities and abilities to balance the ongoing complexity with the increasing demands from revenue-producing activities)
In addition, when selecting a cloud services provider, organizations want to foster partnerships that can provide real-time visibility, and a consultative and collaborative approach that develops IT teams in areas where there may be skill gaps.
Q: On another note, there recently have been changes to the HIPAA Safe Harbor Law. Healthcare organizations are now being incentivized to adopt preventative cybersecurity measures that could reduce fines or shorten audits. What are some best practices on what organizations can do to get started, and what bases they need to cover?
A: The HIPAA Safe Harbor Law will have long-lasting positive impacts for the entire healthcare sector by incentivizing organizations to take a more proactive approach to HIPAA and HITECH compliance. Below are a few best practices to get organizations started:
- Ensure the basics are covered. Requirements under the Cybersecurity Act of 2015 need a solid foundation. Think asset management, data classification, data flows and role-aligned/least privilege.
- Take a hard look at how business is being conducted in your organization. In order to implement, mature or maintain a cybersecurity program, you must first understand the who, what, when, why and how of your environment.
- Review current cybersecurity practices and protocols to ensure a program has been implemented that meets or exceeds requirements under the Cybersecurity Act of 2015. Take this opportunity to determine if gaps are present and implement a strategy to remediate them. Review COBIT, ISO, NIST, CSA or other best-practices frameworks.
- Ensure cybersecurity practices and protocols are correctly applied across the enterprise. Determine if a risk register exists and if a risk analysis and management report documenting all required and actionable controls has been conducted. Having a program in place is the first step, and mapping it to HIPAA/HITECH required and actionable provisions allows organizations to focus on critical data, asset applications and services.