Guest Column | February 10, 2020

Understanding Compliance In The Cloud, Part 1

By EmberSec

Healthcare, Clinical Research, And The Cloud: Where Are We Headed?

The massive market shift from on-premise services to the cloud rolls on. And for the healthcare industry, a decision to jump on board with this kind of migration is more complex than simply choosing a cloud provider. Yet in order to stay competitive in a world of resilient, agile, and rapidly accessible infrastructure and interoperable data, healthcare providers, device manufacturers, prescription drug companies and many others are driven to pursue new and different storage and hosting solutions.

Cloud adoption and migration are uniquely complex for healthcare organizations. Earning HITRUST certification and maintaining HIPAA compliance require stringent processes and protocols to ensure protected health information (PHI) is safe throughout its life cycle.

The Cloud: Private, Public, Hybrid, And Multi-Tenancy

In a private cloud, the infrastructure supports a single organization, and it is dedicated to the use of that one identified entity; the organization’s data is physically segmented from all other organizations using the provider.

Private clouds are often the most expensive cloud alternative due to the costs associated with running a physical environment, including the actual data center and maintenance of hardware (e.g., CapEx). In the past, private clouds were the premier choice for security and compliance for organizations in highly regulated industries like defense and aerospace, federal government, pharmaceuticals, and industrial systems.

In the public cloud, such as Google Cloud Platform (GCP), Amazon Web Services (AWS) or Microsoft Azure, data centers are owned and managed by the cloud provider in different availability zones and geographic regions throughout the world. These cloud service providers (CSPs) publish a shared security framework that dictates which security and compliance obligations belong to the provider (for what it owns) and which belong to the customer that builds workloads on it. These models ensure accountability from a compliance perspective. Pay-as-you-go models give organizations the benefit of the provider's economies of scale and help them achieve necessary capabilities in a shorter amount of time, without the roadblocks traditionally seen with on-premises private clouds.

The hybrid cloud option offers a combination of interconnected public cloud and private infrastructures. Companies that value owning sensitive storage, prefer the pay-as-you-go model, or want to implement a mature defense-in-depth strategy often prefer a hybrid approach. It is often suggested that these models be connected and monitored by a compliant managed security service provider (MSSP), which enables healthcare solutions providers to transfer more risk while still meeting demanding industry regulations and frameworks. However, it’s important to keep in mind that splitting deployment models between public and private options increases internal costs (e.g., CapEx vs. OpEx). Oftentimes, hybrid environments are used as a strategy of compromise in larger organizations that already have infrastructure yet are migrating workloads and applications to the cloud.

Another consideration is multi-tenancy in the cloud. Whether private, hybrid or public, in a multi-tenant cloud environment multiple customers, organizations or applications share the same resources (i.e., infrastructure, data stores, virtual components). Because of the nature of a shared environment, cloud customers that deploy this option generally have no knowledge of, or insight into, the other organizations with whom they are sharing resources, nor of those organizations’ individual security practices.

Healthcare compliance in the cloud is possible in any cloud deployment model, as long as it addresses controls in the five main HIPAA Omnibus categories, plus the additional HITECH provisions:

  • Administrative Safeguards (§ 164.308)
  • Physical Safeguards (§ 164.310)
  • Technical Safeguards (§ 164.312)
  • Organizational Safeguards (§ 164.314)
  • Policies and Procedures and Documentation Safeguards (§ 164.316)
  • Additional security provisions within Section 13402 of the HITECH Act

Operating in the cloud is more critical than ever today, and recent trends suggest that the future of healthcare data interoperability is centered on organizations making this shift. Because of pay-as-you-go pricing, better usability, increased security and scalability, public cloud options are quickly emerging as the preferred choice for many healthcare providers and digital health solutions. In my next installment, I’ll talk about the pros and cons of going cloud versus on-prem solutions.

About EmberSec

EmberSec, a subsidiary of By Light, delivers cybersecurity services and solutions designed to defend your enterprise now and protect it for the future. Our cybersecurity team is made up of engineers and operators with decades of elite expertise in the fields of threat emulation and neutralization, security infrastructure development, and cyber risk analysis, providing a full spectrum portfolio of technical and managed partnership opportunities.