How Healthcare Should Take Advantage of the Cloud

What You Need To Know About Healthcare Cloud Computing

In the past several years, the healthcare industry has undergone a radical transformation in response to technological advances and government regulations. Integrating advanced technologies like artificial intelligence (AI), machine learning, and the Internet of Things (IoT) into healthcare cloud systems enhances data management, predictive analytics, and personalized patient care. For instance, edge computing is emerging as a vital component, improving data collection and analysis for IoT devices in healthcare, which is particularly beneficial for real-time patient monitoring and treatment plans.

Traditionally, healthcare providers and facilities developed their in-house network infrastructure to meet the technological requirements dictated by the Affordable Care Act. However, due to the high costs of building a physical network infrastructure and some constraints imposed by a physical network, an increasing number of healthcare providers are turning to cloud computing. Mordor Intelligence predicts that cloud computing in healthcare will reach a market size of $49.14 billion in 2024, and grow to $83.93 billion by 2029, with a compound annual growth rate (CAGR) of 11.3%. The global healthcare cloud computing market is growing rapidly with no indication of slowing anytime soon. 

Table of Contents

1. Benefits of Healthcare Cloud Computing
2. Are Cloud Providers Considered Business Associates?
3. Why Outsource Infrastructure Management?
4. How Healthcare Organizations can Protect Themselves from Cyber Crime

Benefits of Healthcare Cloud Computing

Some of the ways that cloud computing benefits healthcare providers compared to traditional network infrastructures include:

• Cost: Physical network infrastructures are expensive to build and maintain. Building a network infrastructure can significantly increase a healthcare facility’s capital expenditure. There are costs associated with obtaining a location for the infrastructure, acquiring the necessary hardware and software, and hiring skilled personnel to operate and maintain the infrastructure. These additional costs can result in an erosion of profits for a healthcare facility. With cloud computing, these costs are assumed by a third-party vendor; the vendor provides and supports the virtual infrastructure. Healthcare facilities simply pay the vendor for the resources used, thereby saving a significant amount of money.

The Center for Democracy and Technology, a nonprofit public policy organization, shares that:

“Cloud computing can offer increased computing speed, capacity, flexibility, and security at significantly lower cost. Because Cloud Services Providers (CSPs) focus entirely on ensuring reliable, high-availability access to information technology resources, health care organizations (like others) may find that it is substantially cheaper to obtain these resources from CSPs rather than trying to provide them on their own from within their organization.” 

• Scalability: One area where cloud computing has a major advantage over traditional networks is scalability. With cloud computing, healthcare facilities can easily scale up or down their application use and data storage as needed. There is no concern that they might meet their data storage capacity and run out of space. This is especially important when developing a disaster strategy, as frequent data backups may be necessary.
• Collaboration: Due to the shift to the value-based care financial reimbursement model, greater collaboration is required by healthcare providers involved in the care of their patients. This collaboration requires the providers to exchange data so that they have the relevant medical information to make a diagnosis and develop a treatment plan. With cloud computing, data exchange is simplified as all relevant providers have access to the information in the cloud. This contrasts traditional networks where the medical information may be siloed and only readily available to some providers.
• Analytics: Analytics are usually performed to assess healthcare trends, research the effectiveness of treatment modalities, and develop innovative treatment solutions. Effective analytics and research require access to all relevant medical information. Data stored in the cloud provides a central repository that researchers and data analysts can access to perform their research.
• Improved patient care: Healthcare providers make medical diagnoses and offer treatment options to their patients based on the information available to them. With more medical information, providers can make more appropriate diagnoses and treatment recommendations. Cloud computing provides the ability to gather information from multiple data sources. In addition to the electronic medical record, data can also be retrieved from smartphones, smartwatches, and other medical devices. Having this data stored in the cloud makes it easy for providers to access them when treating their patients, thereby improving their care.

Are Cloud Providers Considered Business Associates?

While cloud providers have generally been considered and treated as business associates in the industry, recent modifications make it even clearer that data center operators are officially considered business associates and are also directly liable for being compliant with the HIPAA standards that apply to business associates. The federal documentation on the subject states:

A data storage company that has access to protected health information (whether digital or hard copy) qualifies as a business associate, even if the entity does not view the information or only does so on a random or infrequent basis. Thus, document storage companies maintaining 26 protected health information on behalf of covered entities are considered business associates, regardless of whether they actually view the information they hold.  To help clarify this point, we have modified the definition of “business associate” to generally provide that a business associate includes a person who “creates, receives, maintains, or transmits” (emphasis added) protected health information on behalf of a covered entity.

As mentioned in Healthcare Organizations: Seeking a Cloud Provider? BAAs Required, healthcare organizations must be cautious about signing with ‘HIPAA-ready’ or ‘HIPAA certified’ cloud hosting providers. Being ‘HIPAA compliant’ or ‘HIPAA audited’ means they have undergone an independent audit, preferably measured against the latest OCR HIPAA Audit Protocol that outlines each requirement and auditor testing criteria.

If you use a cloud service, it should be your business associate. If they refuse to sign a business associate agreement, don’t use the cloud service. – David S. Holtzman of the Health Information Privacy Division of OCR during a speech at the Health Care Compliance Association’s 16th Annual Compliance Institute.

Another point they make is that business associates must also adhere to the Breach Notification Rule – including the subcontractors of business associates. For an example of a breach notification clause in a business associate agreement (BAA), read our BAA Breach Notification Clause.

Covered entities and business associates should take note – “these proposed changes would make covered entities and business associates liable under § 160.402(c) for the acts of their business associate agents, in accordance 61 with the Federal common law of agency, regardless of whether the covered entity has a compliant business associate agreement in place.”

While business associates and agents are directly liable under HIPAA, covered entities are also directly held responsible for any actions of their business associates and other contractors down the chain of command, making a great case for why it’s important to choose your HIPAA cloud hosting provider carefully. Healthcare Software as a Service (SaaS) companies, EHR providers, and other supporting healthcare vendors need to ensure their cloud Infrastructure as a Service (IaaS) providers undergo annual HIPAA audits, train their staff in security, and have the policies and procedures in place that adhere to security guidelines.

For more information, read our Mobile Security white paper on how to secure electronic protected health information (ePHI) while using mobile devices in the workplace. It is ideal for any healthcare organization interested in implementing a secure BYOD (Bring Your Own Device) environment.

Why Outsource Infrastructure Management?

Healthcare organizations can greatly increase their revenue-generating capabilities by pushing infrastructure management to a HIPAA compliant vendor. IT resources can be reallocated to support more end users and development, providing better in-house service of their core applications and increasing development time deployments.

If you’re entrusting protected health information (PHI) to a cloud vendor, choosing an experienced provider gives you assurance that they know what’s specifically required to protect data and applications under health IT law. Check their independent audit reports, history of security and compliance, as well as their ability to provide healthcare client references.

Through our experience, and showcased in our Case Studies, companies chose to colocate their servers with OTAVA® and our HIPAA compliant data centers for a number of reasons:

• A HIPAA compliant data center using the latest technology without the hardware investment
• Increased revenue generating capability and ROI for IT resources
• A data center that offers high availability and an offsite IT disaster recovery solution.
• Personalized service and support from OTAVA’s technical team.

Our other healthcare case studies provide successful examples of HIPAA compliant cloud, private cloud and colocation solutions for companies faced with IT challenges:

How Healthcare Organizations can Protect Themselves from Cyber Crime

Cyber criminals are being drawn to the healthcare industry like moths to a flame and providers are more vulnerable as the sharing of electronic health records proliferates.

To help diminish both those trends, the Institute for Health Technology Transformation (iHT2) recently compiled its “10 Steps to Maintaining Data Privacy in a Changing Mobile World.”

With a goal of explaining “how healthcare organizations can best protect themselves from the rapidly growing threat of security breaches and medical identity theft,” the paper is compiled by CIOs and security consultants who describe best practices for preventing these incidents and suggesting “how to deal with the proliferation of electronic data on the web and on mobile devices, which has created many new avenues for cyber attacks and the theft of personal health information.”

The paper ends with 10 suggested strategies to follow, each of them worth investigating further. For brevity’s sake, let’s take a look at two of the suggested strategies that are particularly relevant to our secure and compliant data hosting world.

The first deals with something we’ve already covered:

Get business associate agreements. All outside partners and service providers, including cloud storage providers, should sign BAAs acknowledging their responsibility to protect PHI. You should also require business associates to upgrade their security procedures.

A recent Ponemon study revealed that 73 percent of organizations are either “somewhat confident” (33 percent) or “not confident” (40 percent) that their business associates would be able to detect, perform an incident risk assessment and notify their organization in the event of a data breach incident as required under the business associate agreement. … Only 30 percent are “very confident” or “confident” that their business associates are appropriately safeguarding patient data as required under the Final Rule.

To fully manage cloud security risks, we recommend you go beyond business associate agreements and review the provider’s complete policies, procedures and processes. The business associate agreement should outline policies and procedures. Review a copy of your cloud provider’s independent HIPAA audit report, if they invested in one, and check that they’ve been audited against the OCR HIPAA Audit Protocol.

The second suggested strategy deals directly with cloud security:

Choose your cloud provider and cloud type carefully. A cloud service provider should sign a BAA and be HIPAA compliant. Healthcare providers might find the public cloud enticing because of cost efficiencies, but a hybrid cloud might be preferable because it allows them to control their data.

The iHT2 report cites a HIMSS focus group of senior health IT executives that said they are “more comfortable using a private cloud” than a public cloud and were “more likely to store administrative data than clinical data in the cloud.”

The report also cites legal expert John DeGaspari recommending healthcare organizations wanting to use a cloud vendor should make sure the company has a comprehensive set of security procedures. At a minimum, DeGaspari says, the vendor should have third-party certification from an entity such as Services Organization Control (SOC) 2.

OTAVA — which is backed by independent HIPAA, PCI, SOC 2 and Safe Harbor audits — produced its own list of what to look for in a HIPAA cloud provider:

1. Encryption. Do they offer encryption of data at rest and in transit with their cloud solution? Or do you have to spend more time and resources to add another encryption service on top of their cloud to make it work? Encrypting data exempts you from the HIPAA Breach Notification Rule and keeps data confidential even if accessed.
2. HIPAA Report on Compliance (HROC). The final HIPAA rule says cloud providers are considered business associates. Wouldn’t you rather your cloud provider has already undergone a third-party audit of their services to ensure your data safety and compliance (and to save you the trouble of paying for another audit of your business associate)? Don’t just take their word for it – review a copy of their HIPAA audit report and check they’re audited against the OCR HIPAA Audit Protocol.
3. Business Associate Agreement (BAA). Check on their policies around data breach notification, data termination, data access and what services they provide that help you meet compliance.
4. Private clouds. A HIPAA compliant private cloud environment can give you dedicated compute, memory and disk performance, meaning your resources are always reserved for you when you need them. Some public cloud setups allocate resources to other tenants on a first-come, first-served basis, meaning you may be out of luck.
5. Disaster recovery and offsite backup. The HIPAA Contingency Plan standard requires covered entities to establish and implement a backup and full disaster recovery plan to recover systems that contain electronic protected health information (ePHI) – having one for the cloud ensures your data is always available regardless of a natural disaster.

The Center for Democracy and Technology lists specific types of certifications that a healthcare provider should consider when selecting a third party vendor, including:

• PCI DSS – Credit card transactions
• SSAE 16 – Financial reporting standards
• ISO 27001 – Information security standards
• FIPS 140 – Cryptographic module standards

At OTAVA, we understand the cloud needs of healthcare facilities. We have experts available to work with you in developing a unique cloud solution for your healthcare facility. Contact us today for more information about our services.

References:
HHS: Modifications to the HIPAA Privacy, Security, Enforcement and Breach Notification Rules (PDF)

Related Articles:

HIPAA Hosting Provider BAAs Need to Reflect HHS Final HIPAA Privacy & Security Rules
Does your HIPAA hosting provider have a legal BAA (business associate agreement)? I just got off the phone with our attorneys who are updating our business associate agreement to reflect the changes required in the HHS final HIPAA Privacy and … Continue reading →