With the advent of cloud-based services and the ability of mHealth to move data outside the healthcare setting through these portals, the cost of market entry for many health IT vendors has significantly reduced. Gartner forecasts that general cloud spending will grow to around $150 billion worldwide in 2014, and some say as many as 30 percent of healthcare organizations are looking to use cloud services as a way to reduce cost and provide more dynamic services.
But as more healthcare data is transitioned to cloud infrastructure, one question often asked is “Do federal regulations allow it?”
Many hosting companies offer “HIPAA-compliant” cloud services. While most are responsible enough to steer away from making outright claims, citing only that they provide HIPAA support and expertise, some actually guarantee compliance. At best, this is misleading, but at worst it's dishonest. To understand why, we need to go back to the basics of what HIPAA compliance actually means.
Privacy and security regulations are focused on enforcing rules related to the protection of data. For HIPAA this relates specifically to identifiable electronic health data known as electronic protected health information (ePHI). These regulations are not limited to production data or data stored on a server - they include any ePHI, whether within your production application or stored on a laptop, mobile device or even a printer. In summary, what you may store with a cloud provider is likely to only be a fraction of the ePHI you are handling and hence need to protect.
In addition, while a cloud provider can offer assurances about the technical security of your data (levels of encryption, physical security, redundancy, etc.) they have no control over who you provide access to. If you don't have polices in place that control access to this data or that ensures those who do have access understand their responsibilities, then even the most technically secure environment can be compromised by someone divulging the access credentials or making data public that should be private. The point is, for an organization to be HIPAA-compliant, it must have in place a holistic set of policies that covers the entire organization. And that's not something that can be provided by a cloud provider, regardless of what they claim.
That's not to say cloud providers can't play a role in supporting a company’s compliance program. Responsible providers will help the customer procure their service in a way that is compliant by signing a business associate agreement - a key requirement of HIPAA. Often they will help conduct a vendor risk assessment and provide HIPAA policy templates and consultancy. Some may even partner with third parties that provide broader compliance management support. But regardless of what they do, it still remains the customer’s responsibility to implement a compliance framework that must cover more than just the cloud storage.
This doesn't even cover the debate about whether cloud services are covered under HIPAA. What limited guidance the Department of Health and Human Services has published generally focuses on healthcare providers and health plans and does not address how cloud computing providers and related technology companies are expected to comply with HIPAA. For example, the audit protocol published by HHS in 2012 and the National Institute of Standards and Technology guidance is focused on HIPAA covered entities, so it's not clear how and to what extent they apply to cloud providers that are business associates.
This is a recognized problem. One group looking to tackle that issue is the Health Care Cloud Coalition (HC3). HC3 is focused on supporting healthcare cloud computing companies, including small- and medium-sized mobile technology companies that offer software-as-a-service, to:
1) Help establish a common understanding of how HIPAA and other laws apply in a cloud environment
2) Explore whether existing programs can be leveraged or new programs need to be created to reasonably demonstrate to customers and the government that cloud providers have robust safeguards that address health care laws and cloud-specific threats
3) Seek guidance from and maintain transparency with government stakeholders, such as OCR.
The coalition will be holding its first meeting on June 19.
There is no doubt that the cloud is revolutionizing the healthcare industry. And while health IT vendors are offering ever more creative and affordable solutions, larger providers are recognizing that the cloud offers the ability to innovate and cut costs. But with all rapid change, there is a need for education and regulatory evolution to ensure this transition happens in a way that continues to protect patients’ sensitive data.
Grant Elliott is the founder and CEO of Ostendio, a Virginia-based information security compliance company. Prior to founding Otsendio, he was the chief operations officer and chief information security officer at Voxiva, responsible for building the Text4baby and Text2quit mobile solutions. He also worked for AT&T, Concert Communications and British Telecom.
This article first appeared in mHealthNews on May 23, 2014.
Not sure where to start?
The NIST Guide can help. We can also provide you with a free copy of Ostendio’s password policy, as an example. Just contact us at firstname.lastname@example.org.
Avoiding the Hidden Pitfalls of Security Audits
In this webinar, see the 5 most common pitfalls of security audits and learn how you can avoid them with the power of MyVCM CrossWalk Assessments.