Healthcare cloud security is no longer a topic that can be ignored by covered entities and business associates. With the proliferation of mobile devices, the push toward interoperability, and an increasingly connected digital industry, cloud options could potentially benefit organizations.
However, the privacy and security aspects need to be considered to ensure that sensitive data is not compromised as an organization moves to the cloud. But what exactly needs to be done before a healthcare provider implements cloud storage options? Is cloud storage even the right answer for all covered entities?
HealthITSecurity.com will review some of the larger points of healthcare cloud security, why organizations would consider it, and what some of the necessary security measures should be when implementing the approach.
What is the cloud?
As previously mentioned, cloud services can help healthcare organizations become more connected in the increasingly digital industry. Covered entities could also use cloud storage to keep certain information off site. However, it would still be accessible from various locations.
This approach could be helpful if employees are working remotely or if they need to have the ability to be mobile and access information from more than one location. For example, if a physician travels between healthcare provider locations, he or she may need to access certain data from both facilities.
Organizations can also consider the following three types of public cloud storage options:
- Software as a service (SaaS)
- Platform as a service (PaaS)
- Infrastructure as a service (IaaS)
In SaaS, the cloud service provider provides access to certain software functions, such as word processing or email. Any software upgrades and other maintenance will also be handled by the cloud service provider. With PaaS, customers might have remotely accessible computing power, and will be able to run some of their own applications. As with SaaS though, customers are not required to handle ongoing maintenance.
Finally, IaaS is when the cloud service provider focuses strictly on hardware, networking and associated maintenance. Any maintenance issues, such as software installation, will instead be handled by the customer.
Why should the cloud be considered?
Cloud storage is not part of a federal requirement, such as in HIPAA regulations. However, it could help healthcare organizations cut down on operating or storage costs, streamline services, and even allow covered entities to spend more time on maintaining software, platforms, or infrastructure.
A secured cloud environment can also improve data center economics and user productivity, according to HealthITSecurity.com contributor Bill Kleyman. In a recent article, Kleyman explains that as more devices are used within a cloud environment, organizations could “offload the collection of data, quantification of information from IoT devices, and even entire application environments into a secured cloud environment.”
“Remember, a healthcare organization is a business entity as well,” Kleyman writes. “With a secure hybrid cloud, you’re allowing users and the business to quickly adapt to the many aspects of the current market. You create a device-agnostic architecture capable of secure content delivery.”
Using the cloud can also assist healthcare organizations in clinical research projects, as Intel recently proved with its new Collaborative Cancer Cloud (CCC). The new platform hopes to enable secure clinical and research data sharing among participating institutions.
Eric Dishman, Intel Fellow and General Manager of Intel Health & Life Sciences Group, explained in an interview with HealthITSecurity.com that CCC will allow large amounts of patient genomic data to be analyzed in a distributed way that does not compromise health data privacy or security.
For example, the CCC software analytics platform creates a secure container, which helps to ensure that data remains de-identified and that the organization never actually loses control of its information.
“It's still under their control and hopefully they've got the right security in place for the data center,” Dishman said. “And it's also protecting whoever is doing the query. If a researcher is using that, and they have a really interesting algorithm or new drug they're doing research on, they don't want to share with all of these other places. So that secure container is really connecting both parties. But the moment it's left your data center, that secure container then dissipates any data that was used, and just the results go back to the host institution.”
How can you ensure healthcare cloud security?
As with any technology, it is important to take the necessary steps toward creating comprehensive privacy and security. A healthcare provider should not just suddenly decide to use cloud storage options without doing research and ensuring that they can put the proper tools in place to manage cloud computing.
Compliance, regulation, and security are the main barriers for healthcare organizations when it comes to implementing cloud technology. Even though HIPAA regulations still allow for cloud storage, that does not remove the need for healthcare providers to remain HIPAA compliant. By creating a detailed business associate agreement when working with a cloud service provider, healthcare organizations are taking an important step to ensure that all applicable parties understand their obligations and roles in keeping sensitive data secure.
Moreover, selecting a cloud service provider that is able to meet a healthcare organization’s goals and needs is key. Covered entities need to decide what they want to accomplish, and why cloud services were deemed necessary. For example, does a provider want to virtualize an application that holds PHI? Or maybe a provider is looking to deploy virtual desktops to certain employees.
As with any new technology, it is important for covered entities to conduct research and make sure they are implementing the right option for their technical and daily needs. Healthcare cloud security cannot be an afterthought, and must be one of the main drivers as organizations make the switch.