By Paul Luehr, Managing Director, and Dave Dalva, Vice President, Stroz Friedberg
Although the cost and flexibility of the cloud have long been appealing to hospitals, doctors, pharmacies, and other covered entities, many healthcare providers have been hesitant to move their data because of security concerns. However, the winds may have changed on September 23, 2013, when business associates became directly liable and responsible for complying with the HIPAA Security Rule. This regulatory change has put cloud providers on notice that they need to address healthcare industry security concerns, and has the potential to empower healthcare providers to finally take advantage of the benefits that the cloud has to offer. But before signing on to the movement, healthcare providers must weigh the pros and cons, all the while asking hard questions of themselves and their prospective new business associates.
The process begins by evaluating the cloud’s benefits. For many healthcare providers, the cloud has long represented an opportunity for significant cost savings, a particularly valuable advantage at a time when the price of healthcare services is under scrutiny. With the advent of state and federal health exchanges, covered entities compete not only company by company, but also individual by individual. The efficiencies achieved by outsourcing the maintenance of servers and software, and by being able to nimbly adjust network size to business needs—both key benefits of cloud use—have been hard to dismiss. After all, in a business that sells healthcare, IT is a cost center, not a revenue generator.
The interoperability of information systems is another advantage of the cloud. The lifetime and power of a healthcare provider’s legacy systems can grow if these systems can communicate with each other through a common, cloud-based interface. But more importantly, as patients shuttle between primary care physicians and specialists, across hospital networks, and from one insurance provider to another, the cloud can help ensure continuity of care and the efficient transfer of electronic medical records in ways that paper filing systems never could. The demand for interoperability will only increase as third-party suppliers, such as clinical trial centers and actuarial firms, continue to develop their own technology and services.
Then there are the research and health-outcome benefits. The cloud can enable clinicians and medical researchers alike to spot new healthcare trends and potential cures in ever-growing repositories of “big data.” And consumers can more effectively take control of their own care through cloud-supported innovations like same-day scheduling and exercise apps for smartphones.
The advantages are apparent and persuasive. But the shift to the cloud should not be taken lightly. The new regulation doesn’t ease responsibilities for covered entities or shift obligations to the business associate. Moving to the cloud is an exercise in balancing efficiencies and risks. In no way is information security something that can be entirely outsourced.
In a large organization, the potential move to the cloud should be addressed by the risk management committee. This group should include key stakeholders, such as a C-level officer, legal counsel, IT and security managers, HR and communication directors, finance directors, care providers, and staff employees. Together they should ask introspective and strategic questions, including: How will the cloud improve patient or customer care? What data can we move and what needs to remain local? Do we have the technical skills to manage this move? What are our competitors or partners doing in this area? And of course, how will the cloud affect our privacy and security posture? Ultimately, if it appears as though the cloud may be employed, the team should review and update its risk management process in order to create a standard procedure for engaging this new kind of provider.
This standard procedure should involve the exploration of the following important areas:
Cloud Provider’s Reputation and Experience: Many cloud providers are attuned to clients’ security needs and concerns, and they likely have already undergone their own security reviews. Therefore, they should be willing and able to positively answer the following questions:
- Have you been certified or audited under any established security standards? If so, which one(s)?
- Have you undergone a risk assessment under the HIPAA Security Rule?
- Have you signed or will you sign a Business Associate Agreement?
- Do you have any references that are healthcare clients?
Data Storage Location and Accessibility: By definition, when information is stored in the cloud, it no longer lives entirely within the healthcare provider’s environment. Knowing exactly where on earth it resides and how it can be accessed by both representatives of the healthcare provider and others is essential. To explore this issue, the provider should gain a better appreciation for how its data will be managed by asking questions such as:
- Where will my data be located physically? Will it be in the U.S., Europe, India, or all three?
- Will my data be “co-located” on machines containing other companies’ data?
- How will you ensure that access is only provided to authorized users at my company and yours?
- What type of encryption do you offer, and how do you manage encryption keys?
Disaster Recovery and Resiliency: Healthcare providers don’t stop working in the midst of a crisis. In many cases, a crisis is when they have to perform at their best. Therefore, healthcare providers should determine if the cloud provider will meet their continuity needs by asking questions such as:
- Does your service level agreement (SLA) guarantee a high level of access such as 99 percent uptime?
- How is my data backed up and protected from loss or corruption?
- If I decide to change cloud providers, what is the process, timing, and cost associated with obtaining my data and then wiping any backups?
- Can I see a copy of your Disaster Recovery, Business Continuity, and Breach Response plans?
Data Breach Response: Of the plans named in the final question above, the data breach response plan is of particular importance. Both cloud providers and healthcare providers are prime targets for cyber attacks since they manage so much valuable information. The most reliable way to approach all of the angles of a data breach is to go through an incident simulation with the prospective provider, playing out the steps each party would take in the event of an attack. Through this exercise and in the SLA, it is important to define the lines of security responsibility between the healthcare provider and the cloud provider, and to outline respective obligations in the case of an incident. The agreement should include:
- Your right to demand the cloud provider’s participation in an investigation.
- The cloud provider’s obligation to provide full access to your data, even down to the virtual or physical drive on which that information resides.
- The cloud service provider’s obligation to notify you quickly, ideally within 24 hours, in the event of an attack.
If the risk management committee does this due diligence and finds traditional cloud-based services too risky, there are two alternatives to consider: self-directed encryption and a private cloud. Self-directed encryption, in which you encrypt the data yourself and hold the only key, can add an important layer of security on top of that offered by a cloud provider. Similarly, a private cloud offers more security than the common multi-tenant, “co-location” structure, by providing the client greater control of its data. The multi-tenant structure, where a provider hosts data from different companies on the same network or physical location, is how the cloud achieves efficiency and scale beyond that of traditional IT data centers. A private cloud is often more costly, but it can still offer benefits by aggregating the data of a single company and providing flexible, just-in-time processing services.
No matter what a healthcare provider chooses for its cloud service, the very process of making the move can strengthen the provider’s information security. Preparing for a shift to the cloud will likely add rigor and certainty to network configurations, policies, and procedures. It also should trigger the migration of data off individual hard drives and devices, where it is most vulnerable, to a managed network environment, where it can be accessed, monitored, and secured more effectively. Finally, the process will likely force IT to take stock of where the most important or risky data is stored, and it will likely bring to the surface old and obsolete information that should be destroyed because it poses unnecessary risk to patients, customers, and the organization. This “clean-up” process alone can make discussions about using the cloud all the more appealing.