In this second post on preparing your healthcare organization for cloud computing, I will address how healthcare businesses subject to HIPAA should carefully select a service provider with the capabilities to address HIPAA Privacy, Security, and Audit requirements, as well as to provide secure, scalable, low-cost IT infrastructure.
HIPAA’s Privacy Rule requires that individuals’ health information is properly protected by covered entities, meaning that patients’ “protected health information” (PHI) cannot be transmitted over open networks or downloaded to public or remote computers without encryption. Encryption of data in the cloud should cover all PHI both in transmission (“in flight”) and in storage (“at rest”). The same data encryption mechanisms used in a traditional computing environment, such as a local server or a managed hosting server, can also be used in a virtual cloud computing environment, alongside a complete firewall solution.
The Security Rule requires covered entities to put in place detailed administrative, physical, and technical safeguards (such as access controls, data encryption, back-up, and audit controls) to protect electronic PHI. While data flowing to and from the cloud should be safeguarded with encryption, data that comes into contact with administrators or third-party partners may require different control mechanisms. To comply with HIPAA’s Security Rule, you must have policies and processes in place that govern the data and define how authentication, access, and audit controls are implemented, so as to reduce the risk of a compromise from outside. HIPAA’s security safeguards also require:
- In-depth auditing capabilities,
- Data back-up procedures, and
- Disaster recovery mechanisms.
Service providers must be able to address these requirements. In designing a HIPAA-compliant system, you should put auditing capabilities in place that allow security analysts to drill down into detailed activity logs or reports to see who had access, what data was accessed, and when. This data should be tracked, logged, and stored in a central location for an extended period of time in case of an audit.
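As an added illustration of the drill-down described above (example code, not part of the original post), the following Python reads constructed PHI access records from a central, newline-delimited JSON log and answers the two audit questions the text names: who accessed a given patient’s records, and what a given actor accessed. The record schema, the sample actors, and the assumption that internal access originates from a `10.` address range are all constructed for this example.

```python
import json
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    actor: str       # user or service account that acted
    action: str      # read / update / export
    patient_id: str  # opaque record identifier; the log itself carries no PHI
    resource: str    # record type touched
    source_ip: str

# Constructed sample records, one JSON object per line, as a central log store might hold them.
SAMPLE_LOG = """\
{"ts":"2024-03-01T08:02:11Z","actor":"dr.lee","action":"read","patient_id":"P-1001","resource":"lab_results","source_ip":"10.0.4.12"}
{"ts":"2024-03-01T08:05:40Z","actor":"nurse.kim","action":"read","patient_id":"P-1001","resource":"medication_list","source_ip":"10.0.4.20"}
{"ts":"2024-03-01T09:15:02Z","actor":"dr.lee","action":"update","patient_id":"P-1002","resource":"encounter_note","source_ip":"10.0.4.12"}
{"ts":"2024-03-01T11:30:55Z","actor":"svc.billing","action":"export","patient_id":"P-1001","resource":"claims","source_ip":"10.0.9.3"}
{"ts":"2024-03-01T23:48:19Z","actor":"contractor.ops","action":"export","patient_id":"P-1003","resource":"lab_results","source_ip":"203.0.113.7"}
"""

def parse_log(text: str) -> list[AccessEvent]:
    """Parse newline-delimited JSON audit records into typed events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        r = json.loads(line)
        ts = datetime.fromisoformat(r["ts"].replace("Z", "+00:00"))  # tolerate older Pythons
        events.append(AccessEvent(ts, r["actor"], r["action"], r["patient_id"], r["resource"], r["source_ip"]))
    return events

def who_accessed(events: list[AccessEvent], patient_id: str) -> list[str]:
    """Drill-down 1: every actor who touched a given patient's records."""
    return sorted({e.actor for e in events if e.patient_id == patient_id})

def what_was_accessed(events: list[AccessEvent], actor: str) -> list[tuple[str, str]]:
    """Drill-down 2: which records a given actor touched."""
    return sorted({(e.patient_id, e.resource) for e in events if e.actor == actor})

def exports_from_outside(events: list[AccessEvent], internal_prefix: str = "10.") -> list[AccessEvent]:
    """Flag PHI exports not originating from the assumed internal address range."""
    return [e for e in events if e.action == "export" and not e.source_ip.startswith(internal_prefix)]

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("Who accessed P-1001:", who_accessed(evs, "P-1001"))
    print("What dr.lee accessed:", what_was_accessed(evs, "dr.lee"))
    print("Exports from outside:", [(e.actor, e.patient_id) for e in exports_from_outside(evs)])
```

Because the log records only identifiers and actions rather than the PHI itself, it can be retained centrally for the long audit window without becoming a second copy of the protected data.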
A major goal of HIPAA is to assure patients that their health information is properly protected while allowing the flow of information needed to provide and promote high-quality healthcare for the public’s health and well-being. The development of a business-focused cloud computing strategy, internal corporate data policies, and an accompanying transformation roadmap can lead to the successful implementation of HIPAA applications and infrastructure in the cloud computing environment.