Maintaining Healthcare Security Compliance in the Cloud

While implementing new cloud storage options, covered entities must ensure they maintain strong healthcare security and HIPAA compliance.

By Bill Kleyman

The evolution of the cloud has seen many healthcare organizations move from private, to public, and now to hybrid cloud platforms.

Healthcare security compliance critical in cloud adoption

In reality, almost every cloud environment within a public cloud has some sort of connection back to the central data center. So, at some level almost all public clouds are some percentage hybrid.

A recent Gartner report indicates that 2016 will be a defining year for cloud, as private cloud begins to give way to hybrid cloud, and that nearly half of large enterprises will have hybrid cloud deployments by the end of 2017.

"The market for public cloud services is continuing to demonstrate high rates of growth across all markets and Gartner expects this to continue through 2017," said Sid Nag, research director at Gartner. "This strong growth continues to reflect a shift away from legacy IT services to cloud-based services, due to the increased trend of organizations pursuing a digital business strategy."

There are good reasons that we’re seeing this kind of growth.


It’s easier to move into the cloud, there are more use cases for cloud computing, and data center providers are offering more services around cloud strategies. Also, the ability to see real cost savings by offloading CapEx costs can help healthcare organizations control their budgets while still expanding their data center and business.

With all of this growth and expansion, working with a powerful data center provider that will become your cloud partner makes perfect business sense.

But there are still some concerns out there, primarily revolving around staying compliant and keeping your healthcare data secure, which brings us to the next point.

Why are there still barriers to healthcare cloud adoption?

When cloud was first adopted as a business strategy there were still some pretty big barriers restricting many healthcare organizations from jumping on the bandwagon.


Data centers didn’t know how to scale properly, there were challenges with cloud services adoption, and IT simply didn’t understand how cloud could actually benefit the business. Furthermore, for healthcare shops, there was a serious challenge around compliance and around better protection of PHI.

Today, the conversation is very different.

Cloud is much more mature and, believe it or not, your healthcare data center partner is ready to help. However, not every data center is built the same. With that in mind, compliance and security remain two of the biggest barriers to adoption.

There is, however, some really good news. Changes in policies and governance are now redefining how organizations can leverage cloud while still being absolutely secure and compliant. Data center providers have taken a number of extra steps to allow you to host compliance-driven workloads while still enhancing your business and the overall user experience.

How your data center can create compliance and security in the cloud


When the concept of cloud was first brought to market, it was limited to organizations that weren’t bound by compliance. Furthermore, true cloud security still had a way to go.

Now, the conversation around cloud compliance and security is much different. In fact, laws and regulations are changing to directly support new kinds of cloud initiatives.

For example, the Omnibus rule (enacted as a change to HIPAA) now allows organizations to become business associates (BAs). A BA is any organization with more than merely transient access to data; transient access is the kind a courier such as FedEx, UPS, or USPS has.

An organization can sign the business associate agreement (BAA), allowing it to take on additional liability to manage PHI. Regulations are also changing how data center providers approach ecommerce and PCI DSS.

At a high level, data center providers control the flow of data through the cloud, the organization's servers and the payment gateway. This type of design allows your organization to continuously control the flow of sensitive information.

Eliminating the compliance and regulation barrier

For many healthcare organizations, managing complex compliance requirements has become a nightmare. As new regulations and requirements are introduced, achieving compliance becomes more complicated and time consuming.

Companies have turned to outsourcing to help with their compliance initiatives. The problem is, most service providers take a silo approach to managing requirements for multiple regulations. This results in inefficiencies and redundancies.

Fortunately, cloud and compliance have come a very long way.

For example, Akamai, Lockheed Martin, and the U.S. Department of Agriculture are all running “government clouds.” Essentially, they are FedRAMP-compliant cloud service providers (CSPs).

Furthermore, if you examine the compliance matrix of your cloud provider, you’ll quickly see that you can now run cloud-based workloads with PCI DSS, FISMA, FedRAMP, SOC, DoD, and HIPAA compliance standards.

This kind of data center evolution dynamically changes the game for organizations, including those in healthcare that were once concerned about moving to the cloud.

Let’s look at two real compliance, cloud and data center use cases:

  • Use Case 1 – A healthcare organization needs extra resources within a data center cloud provider to process large amounts of data. It does not want to spend additional budget dollars on internal resources and realizes that a pay-as-you-go model is optimal for its environment, so it turns to a healthcare-ready data center or cloud provider for help. Knowing that this provider has signed the BAA and can process healthcare information, the organization is able to directly link its public cloud with its private data center. Now it can use this cloud platform to migrate applications, workloads and data between its healthcare cloud and its private data center, which helps with security, data analytics and even efficiency. Furthermore, the organization can leverage other data center services, because its data center provider has signed the BAA, which allows the provider to take on additional liability to manage PHI.
  • Use Case 2 – You are a VA hospital that is bound by compliance, regulations and other factors that have previously prevented you from moving to the cloud. In addition, you may have data points which are extremely sensitive and must be absolutely controlled. You need to distribute data alongside applications to a widely distributed user base. Data center and cloud providers can deliver scalable, secure, high-performing, virtual data centers for government as well as healthcare mission-critical applications. This Infrastructure as a Service (IaaS) solution is designed to meet the mandates that federal agencies, government contractors, and system integrators are facing, including the Federal Data Center Consolidation Initiative (FDCCI), Cloud First and Shared Services. Now, as a government agency, you know that your data center is not only capable of dynamic expansion, but that those cloud-based workloads are also running securely and under compliance.

Here's the big point: if you’re a healthcare organization looking to move into the cloud, know that there are great options to support your initiatives.

The critical part of this will revolve around initial planning and workload design. From there, work with your cloud or data center provider to ensure that your systems are compliant and secured.

Even if you’re a government agency providing healthcare services, you can still utilize cloud, remain compliant, and create powerful security strategies. 
