The use of cloud technology has grown rapidly since the early 2000s, especially within the healthcare industry; global spending on the cloud is expected to exceed $89 billion by 2027. Unfortunately, many healthcare organizations that use the cloud do not fully understand its benefits, costs, and vulnerabilities. Moreover, some do not recognize that using such technology while demonstrating HIPAA compliance requires having and following a strategic healthcare cloud management plan.
HIPAA compliance is a legal requirement in the healthcare industry that protects patients’ privacy and ultimately lets organizations focus on patient care. Healthcare providers who embrace new technologies, such as the cloud, and manage their use effectively can leverage data and digital tools to deliver better health outcomes.
More info: The HIPAA compliant cloud services checklist
Cloud computing delivers on-demand computing, networking, and storage over a network from infrastructure that a provider operates and maintains. Given the scale of the healthcare industry, it is easy to see why healthcare organizations use cloud services for storage, infrastructure, hosting, software, and file sharing. Surveys show that between 70% and 80% of health organizations have adopted the cloud in some manner. Advantages to healthcare organizations that employ the cloud include:
While the advantages are clear, the cloud also introduces security risks: misconfiguration and faulty implementation, weak access controls, isolation flaws between tenants sharing the same infrastructure, and supply chain compromise of the provider or its dependencies. The growth of cloud services means organizations need to use the technology securely and create a management plan to stay on top of such issues.
See also: HIPAA cloud computing: Top ten frequently asked questions
The Health Insurance Portability and Accountability Act (HIPAA) sets national standards that safeguard the privacy and security of individuals’ protected health information (PHI). The HIPAA Privacy Rule governs how PHI may be used and disclosed. The Security Rule requires administrative, physical, and technical safeguards to protect electronic PHI (ePHI). The rules apply to covered entities (healthcare providers, health plans, and healthcare clearinghouses) and to their business associates, the vendors that create, receive, maintain, or transmit PHI on their behalf.
A cloud provider that stores or transmits PHI for a healthcare organization is a business associate, even if it only holds encrypted data and never has the decryption key, and it is responsible for the patient data stored on or sent through its services. Its security program must meet HIPAA’s requirements, and while encryption is essential, encryption alone does not ensure the confidentiality, integrity, and availability of ePHI as the Security Rule requires. Good cloud security must be layered and encompass numerous strategies such as:
The cloud offers users more flexibility and convenience but also enlarges a healthcare organization’s attack surface. That is why it is vital to protect the confidentiality of PHI that is stored and processed in the cloud.
Many cloud providers are available, but not all meet HIPAA’s expectations for encryption, data backup, and access controls. Furthermore, not all will sign a business associate agreement (BAA), which outlines permissible uses and disclosures of PHI and holds the business associate accountable for safeguarding patient data. A provider that will not sign a BAA cannot be used for PHI.
Before choosing a cloud vendor, ask the following questions to determine whether the vendor is a business associate that can work with PHI.
Do they provide services or perform functions for healthcare providers, health plans, or healthcare clearinghouses?
Are their services or functions integral to a covered entity’s operations?
Do they have a contractual agreement or arrangement with a covered entity to provide these services?
If the answers to these questions are yes, the company qualifies as a business associate and must adhere to HIPAA’s regulations: it is directly responsible for complying with the applicable provisions of the Privacy, Security, and Breach Notification Rules. HIPAA compliant business associates must implement a layered approach to security. Vendors that do not handle PHI are not business associates and HIPAA does not bind them, but healthcare organizations should still vet and manage every vendor they work with, since a compromise at any of them can become an entry point.
According to Google, “Cloud management is the organized management of cloud computing products and services that operate in the cloud. It refers to the processes, strategies, policies, and technology used to help control and maintain public and private cloud, hybrid cloud, or multicloud environments.” It is a wide-ranging strategy that allows organizations to properly manage cloud providers, resources, and services.
Such a comprehensive management plan should set out cloud policies, procedures, and approved uses to ensure the technology’s security and cost-effectiveness. The plan exists to manage cloud resources efficiently; its benefits include increased efficiency and access to data, reduced costs, enhanced security, improved scalability and flexibility, and better control and visibility.
Without a proper management plan, an organization exposes itself to cyberattacks and to vendor compromise, in which attackers reach PHI through a third-party organization.
Like all aspects of healthcare, cloud technology needs to be properly vetted and secured. Organizations should ask themselves the following questions, among others, to create a comprehensive cloud management plan.
What do you need to use the cloud for? What activities?
What resources are needed for you to use the cloud?
What costs are involved with the cloud technology needed?
How do you plan to screen, monitor, evaluate, and audit the cloud?
How do you plan to communicate clearly with cloud business associates?
What security controls do you require cloud providers to implement?
What PHI needs to be shared or stored over the cloud?
How can you minimize patient health data on the cloud?
What security controls will your organization need in-house to secure its use of the cloud?
What is the plan for a business associate’s noncompliance and vendor compromise?
How will your healthcare cloud management plan be updated, as needed?
The cloud provider is directly responsible for safeguarding any PHI it handles and must be HIPAA compliant, as must the healthcare organization it works for.
By properly overseeing cloud business associates with a solid management plan, organizations can effectively work with cloud companies that:
In the event of noncompliance, covered entities need to address the issue directly with the business associate using the processes defined in their healthcare cloud management plan. If the business associate cannot or will not cure the violation, it may be necessary to terminate the relationship, which is what HIPAA expects when a material breach of the BAA cannot be resolved and termination is feasible. Through ongoing monitoring under a strong cloud management plan, healthcare organizations can ensure that cloud providers (and they themselves) meet HIPAA’s standards and protect patient information.
Related: HIPAA compliant email: The definitive guide
May a HIPAA covered entity or business associate use a cloud service to store or process PHI?
Yes, as long as the covered entity or business associate enters into a BAA with the cloud vendor. As a recap, the BAA establishes the permitted and required uses and disclosures of PHI by the business associate performing services for the covered entity or business associate, and contractually requires the business associate to appropriately safeguard ePHI, including by implementing the requirements of the Security Rule. Note that both covered entities and business associates must conduct recurring risk analyses to identify and assess potential threats and vulnerabilities to ePHI.
Business associates must implement a multifaceted approach with physical, administrative, and technical safeguards to secure PHI:
Business associates must act swiftly in the event of a PHI breach. Under the Breach Notification Rule, a business associate must notify the covered entity of a breach of unsecured PHI without unreasonable delay and no later than 60 days after discovery. The covered entity then notifies the affected individuals and the U.S. Department of Health and Human Services’ Office for Civil Rights, and, for breaches affecting more than 500 residents of a state or jurisdiction, prominent media outlets as well.
Patients retain significant rights concerning their PHI, including the right to access their information, to request amendments, and to file complaints if they believe their privacy rights have been violated. Business associates must respect and support these rights.