08-08-13 | Blog Post

Center for Democracy & Technology Clarifies the Healthcare Cloud


The Center for Democracy and Technology, a nonprofit public policy organization, has recognized cloud computing as a viable solution for data use – from email and document storage to specialized enterprise services such as CRM software and full servers.

They acknowledge the healthcare industry’s general uncertainty about cloud security, but in response, state that “there is nothing inherently dangerous about cloud computing…healthcare organizations should be able to benefit as much as other sectors have from cloud computing.”

Relevance: the ONC (Office of the National Coordinator for Health Information Technology, the federal entity behind health IT legislation and innovation) retweeted the CDT’s article, Demystifying HIPAA and the Cloud, lending it some additional credibility.

The CDT also released a cloud computing FAQ, in which they define cloud infrastructure as a service (IaaS) as:

In this model, the CSP focuses on providing hardware, networking and associated maintenance only. All aspects of the hardware configuration, operating systems, software installation, and maintenance are the responsibility of the customer.

Distinctions are sometimes drawn between “public” and “private” cloud services. This FAQ focuses on “public” cloud computing services — those in which health care entities use a third-party CSP for some or all of their cloud computing needs.

It’s important to note that some cloud service providers do offer private clouds – meaning your SAN (Storage Area Network) disks, hosts and servers are completely dedicated to your organization. This means all of your compute, memory and disk performance is reserved for only your use, whenever you need it.

HIPAA compliant clouds can also provide additional reassurance that your ePHI is secure, particularly if your cloud service provider has undergone a HIPAA audit to verify that they follow the physical, administrative and technical safeguards required to protect healthcare data.

In response to the question, “Is a cloud service provider (CSP) a business associate under the HIPAA Privacy Rule?”, the CDT’s answer is yes.

The CDT’s cloud FAQ also answers the question, “Can healthcare providers choose to store protected health information (PHI) in the ‘cloud,’ and why might they want to?” with:

Cloud computing can offer increased computing speed, capacity, flexibility, and security at significantly lower cost. Because CSPs focus entirely on ensuring reliable, high-availability access to information technology resources, health care organizations (like others) may find that it is substantially cheaper to obtain these resources from CSPs rather than trying to provide them on their own from within their organization.

Other benefits they list include:

  • CSPs have routine processes in place for software and hardware upgrades
  • Cloud computing is very flexible and can scale to a healthcare provider’s needs – large and unexpected demands are easy to accommodate
  • No large upfront capital investments typical of traditional IT infrastructure
  • CSPs can offer a greater level of data security that healthcare providers might not be able to achieve on their own – however, it can’t be assumed data will be protected up to the HIPAA Security Rule standards

Another point they make is that “HIPAA compliance” is not a certification or compliance regime recognized by the Dept. of Health and Human Services, which is a valid point. Claiming compliance isn’t the same as delivering on the promise of data security and “a track record of working securely with PHI,” so check your HIPAA hosting provider for healthcare cloud case studies to verify that they are familiar with the healthcare field and can successfully deliver secure solutions that work.

The CDT goes on to list specific types of certifications that a healthcare provider should consider when selecting a CSP, including:

  • PCI DSS – Credit card transactions
  • SSAE 16 – Financial reporting standards
  • ISO 27001 – Information security standards
  • FIPS 140 – Cryptographic module standards

If you’re interested in reading more about HIPAA and healthcare clouds, you might want to check out:

What to Look for in a HIPAA Cloud Provider
The deadline draws near – September 23, 2013 marks the date when both business associates (now including cloud service providers) and covered entities must meet the HIPAA Omnibus rule, released in January to update the 15-year-old law. A refresh …

No Encryption or BAAs: Keep PHI off Unsecure Clouds
Google Drive, formerly Docs, is a free collaboration tool that can be used to store and manage large amounts of data – unless that data falls under the scope of protected health information (PHI); that is, personal patient health record …

How the HIPAA Cloud Protects PHI for Physician Software as a Service (SaaS)
How does the HIPAA compliant cloud support and enable progression of health IT and patient care? By creating a high availability, reliable data and application hosting infrastructure that’s secure enough to meet healthcare industry data security compliance regulations, like the Health …

References:
FAQ: HIPAA and “Cloud Computing” (PDF)
