There is no doubt: American health care is headed to the cloud.
Hosting electronic health records (EHRs) and other patient data ‘in the cloud’ – via remote web servers – is a simple and affordable alternative to hosting the data locally. More doctors are signing up to free themselves from yesterday’s expensive and bulky client-server arrangements.
Patient Data in the Cloud
Cloud computing enables a move away from the fear of using someone else’s data center to store information. Health care organizations can leave the hardware and IT expertise to a dedicated company and simply pay for the software as a service over the Internet. But cloud computing also opens up a can of worms with respect to patient privacy and security.
Once patient data is handed off to an outside vendor, there is much less certainty about who has access to the information and where it is actually stored. Maintaining an on-site server has its own security concerns, such as physically protecting equipment from thieves. But these are within managers’ control. Outsourcing that control to the cloud transforms questions of security into a question of trust.
Health care organizations connected to the cloud are no less bound by their obligations to patient privacy under the Health Insurance Portability and Accountability Act (HIPAA). As trusted caregivers, providers continue to hold primary responsibility for the integrity of their patients’ health information. This situation makes the choice of cloud vendor extremely important.
Vendors must offer robust HIPAA compliant cloud storage solutions for all the privacy and security concerns that come with hosting sensitive medical information. In short, physicians and health organization managers need to know: can their patient data be hacked? What security measures are in place to make sure that doesn’t happen?
Here we look at some of the most important HIPAA compliant cloud storage solutions available for keeping and transmitting sensitive medical information.
HIPAA precludes the possibility of pooling server space with other organizations. Private infrastructure means you’ve got your own cloud and only approved users can get in and use it. Having a private cloud is like having your own house instead of sharing an apartment building with multiple tenants.
The comprehensive data protection required by HIPAA is not possible without top-notch encryption technology. Information stored in the cloud should never be available in plain text.
All patient information should be encrypted using strong algorithms like 256-bit AES. Data must also be encrypted whether it is ‘at rest’ – in storage – or ‘in flight’ – in the process of being transmitted. Ideally, not even the cloud provider should be able to read what has been encrypted.
Cloud providers must restrict access to patient data by employing security features like multifactor authentication, which makes it extremely difficult for unauthorized users to login to a network. At least two-factor authentication should cover all points-of-access to meet HIPAA compliant cloud storage benchmarks. All access points should be further encrypted with Secure Socket Layers (SSL).
Even for authentic users, a granular system of user privileges is essential for minimizing the inherent risk of allowing large numbers of people in an organization access to HIPAA-protected information. To restrict access, the cloud should be configured to always provide only as much access as is necessary and only to users with sufficient privilege.
Regular data backups are vital, and the information in the backups must be encrypted. After a defined point in time, backups need to be permanently deleted.
Physical Security and Integrity
A secure cloud is nothing without secure data centers. Cloud providers must maintain robust physical security for their servers, which means data centers with on-site employees and excellent building security systems.
Additionally, there need to be contingency plans in the event of a disaster. For example, what happens if there is a power failure or the servers are physically damaged in some way? HIPAA compliant cloud storage means having a Plan B for the worst-case scenario.
Regular Risk Assessment
Hackers are always coming up with new ways of breaking into networks. Even the most robust security measures must be continually updated based on knowledge of the latest threats. Find a cloud provider that regularly updates its risk assessment with HIPAA in mind.