Editor’s note: Gathering Clouds is pleased to welcome noted thought leader, SVP of Cloud Technology Partners, and Cloud Player David Linthicum as a regular contributor. David is a renowned expert in all things cloud computing, SOA, Health IT, SaaS, Big Data, and many other IT-related topics. Check back every week for more from David!
Those charged with HIPAA security and compliance within healthcare organizations are quick to say “No” to cloud computing. Why? Clouds are not under their direct control, clouds are not typically up-to-date on existing and emerging healthcare regulations, and, most importantly, clouds are new and unproven. However, healthcare could be missing a huge opportunity.
There is a clear need to rethink the role of cloud computing by those charged with HIPAA security and policy. The trick is to understand the existing requirements, and then understand how the emerging use of cloud computing could provide compliant and secure HIPAA solutions. In many cases, leveraging cloud computing will improve upon the best practices and technology that exist today.
One of the most frustrating things for those evaluating cloud computing against HIPAA is separating myth from reality when it comes to HIPAA Security and cloud adoption. The “addressable” requirements of the security rules tend to be the most difficult to meet. Thus, these addressable requirements have a tendency to fall off the radar, which can create compliance issues.
HIPAA Security has three overall sections: administrative, physical, and technical. Each section outlines, through its “implementation specifications,” the things that should be done to remain compliant. An example is the “technical safeguards” section, which defines the standard for “transmission security” and outlines how data should be protected through encryption.
So, what about cloud computing and HIPAA? First you need to realize that the cloud provider is an active participant, and thus must also adhere to security requirements, such as employee screening and physical access requirements. Our host, LogicWorks, is a good example of a cloud-based active participant, but you could have many.
Thus, you need a cloud computing provider that understands HIPAA, but most importantly, understands how to be compliant. This means they should become a trusted agent and owner of your data, and meet all of the security requirements, including encryption, integrity controls, transmission protections, monitoring, management, and physical security. They will need to pass the same audits, and should meet or exceed your expectations and requirements.
Keep in mind that cloud computing is not for everyone who has to deal with HIPAA security. In some instances, it’s not cost-effective once you consider the internal processing risks, the cost of migration, or the ongoing operational costs. You have to do your homework before making the jump.
However, in the vast majority of cases, cloud computing and HIPAA security are a good mix, assuming you partner with a cloud computing provider that knows what they are doing around HIPAA Security. To get comfortable with a provider, you need to ask the right questions and review their existing documentation.
In reality, this is the right move for most who have to deal with HIPAA compliance. You outsource the process of dealing with HIPAA security to those who are best equipped and funded to deal with it. Through economies of scale, a cloud computing provider that specializes in HIPAA compliance should both save you money and make your life easier.
By David Linthicum