Paubox blog: HIPAA compliant email - easy setup, no portals or passcodes

Preventing cloud computing threats in healthcare

Written by Kapua Iao | February 15, 2026

In November, the global healthcare cloud market was valued at $63.55 billion and was projected to grow to $197.45 billion by 2032. Healthcare workers rely on the cloud for various day-to-day operations, including data storage and collaboration. The cloud is a primary target for cyberattackers trying to access patients’ protected health information (PHI). Cloud computing vulnerabilities can create serious consequences for healthcare providers, patients, and their PHI.

 

Cybersecurity threats to healthcare

The Health Insurance Portability and Accountability Act (HIPAA) sets the rules and regulations surrounding access to and disclosure of PHI. The HIPAA Privacy Rule establishes the national standards to protect PHI, while the Security Rule creates a framework for the defense of electronic PHI (ePHI). To enhance data confidentiality, healthcare organizations must prioritize HIPAA compliance by using strong security measures.

HIPAA compliance promotes strong security, especially as data breaches in the healthcare industry increase. According to reports, the total number of individuals affected by healthcare data breaches from 2005 to 2019 was 249.09 million. Of these, 157.4 million individuals were impacted in the last five years alone.

See also: How to be HIPAA compliant without worrying about HIPAA compliance

 

Cloud computing and healthcare

Cloud computing refers to the delivery of on-demand computing resources over the internet. Cloud providers deliver access to a wide range of infrastructure, platform, software, and storage services. Such services are typically offered by cloud service providers (CSPs) that handle data management for other businesses and organizations. For healthcare organizations, this could mean storage and communication (e.g., email), among other services.

Well-known providers include Amazon Web Services (AWS), Microsoft Azure, and the Google Cloud Platform. In general, such third-party organizations offer healthcare organizations flexibility, scalability, and cost-efficiency. Examples of cloud computing services include:

  • Infrastructure as a service (IaaS)
  • Platform as a service (PaaS)
  • Software as a service (SaaS)
  • Storage as a service
  • Database as a service (DBaaS)
  • Containers as a service (CaaS)
  • Function as a service (FaaS)

More Info: What is a cloud-based data center?

 

HIPAA and cloud service providers

Under HIPAA, healthcare organizations and their business associates are required to protect PHI. A business associate is an entity or individual that performs certain functions or activities on behalf of, or for, a covered entity that could involve access to protected, confidential patient information. CSPs are companies that offer computing resources and services, such as data storage and computing power.

Any CSP dealing with PHI on behalf of a covered entity is considered a business associate and is therefore held responsible for protecting the data in its care. As business associates that create, receive, maintain, or transmit PHI, CSPs must comply with the Privacy, Security, and Breach Notification Rules for the data they handle. Healthcare organizations should only work with business associates that will sign a business associate agreement (BAA).

Furthermore, any covered entity and its vendors must implement reasonable and appropriate controls to limit access to information systems that maintain patient PHI, whether in paper or electronic form. Such safeguards are intended to preserve the confidentiality, integrity, and availability of PHI. In the cloud, these safeguards involve securing the data and applications stored and run within the cloud.

 

The switch to digital records and digital ties

Since the early 1990s, electronic health records (EHRs) have largely replaced paper records, giving providers and patients real-time access to information over the internet. According to the Centers for Medicare & Medicaid Services (CMS), EHRs hold the “key administrative clinical data relevant to that person’s care under a particular provider, including demographics, progress notes, problems, medications, vital signs, past medical history, immunizations, laboratory data and radiology reports.”

We have also seen the growth of telemedicine. A national study of 36 million working-age individuals with private insurance claims shows that telemedicine encounters increased 766% in the first 3 months of the pandemic, from 0.3% of all interactions in March to June 2019, to 23.6% of all interactions in the same period.

 

Why are there cloud computing risks?

While cloud services provide numerous advantages, they also introduce risks related to data security, privacy, technical challenges, and service reliability. If a health cloud system is not properly secured, attackers can gain access to sensitive health data. Risks associated with the cloud include:

  • Greater attack surfaces with unauthorized access points
  • Increased data breaches
  • Shared responsibility issues over security
  • Accidental data deletion problems
  • Uncontrollable service downtime
  • Data ownership and control issues
  • Collaboration challenges

Consequences of cloud computing threats

Organizations can face hefty fines and penalties for HIPAA violations and reputational damage that can affect patient trust and long-term viability. HIPAA violations can result in civil monetary penalties, ranging from $141 to $571,162 per violation, with an annual maximum of $2,067,813 for violations. The severity of the penalty depends on the level of negligence involved, the extent of harm caused, the organization’s compliance history, and the steps taken to correct the issue.

Related: What are the penalties for HIPAA violations?

 

The aftermath of cloud computing vulnerabilities

Healthcare providers need to continuously monitor their systems for anomalies and unusual behavior after a breach. If an organization suspects that its systems have been breached, it should identify and confirm the incident, then take steps to stop the leak of PHI. It should then implement more rigorous security measures to secure cloud access, such as training employees, using stronger access controls, regularly updating systems, and developing incident response plans. It should also conduct thorough security audits and compliance reviews to uncover further vulnerabilities. After detection and investigation, organizations must follow the Breach Notification Rule and notify affected individuals, the government, and the media.

 

Avoiding cloud computing threats in healthcare with HIPAA compliance

HIPAA compliance involves continuously updating security measures to protect sensitive health information and avoid breaches. One of the first steps toward HIPAA compliance is conducting a risk assessment. This assessment helps identify vulnerabilities and develop strategies to address them. Other steps to avoid cloud threats include:

  1. Establishing up-to-date email policies and procedures
  2. Using BAAs when working with third parties
  3. Evaluating the HIPAA compliance and data security measures of these third parties
  4. Ensuring that cloud providers use defensive and offensive strategies
  5. Evaluating scalability and performance capabilities
  6. Obtaining patient consent when storing information on the cloud
  7. Using continuous employee awareness training, especially on cloud use
  8. Ensuring proper technological safeguards, such as data encryption
  9. Utilizing strong access controls like mandatory passwords and MFA
  10. Categorizing data based on sensitivity and confidentiality and applying correct controls
  11. Creating data backup and disaster recovery plans in case of an incident
  12. Regularly auditing and monitoring systems
  13. Having an incident response plan ready in case it is needed

HIPAA compliance regulations aim to protect patient and employee health information. Adhering to HIPAA standards helps providers protect patient privacy, leading to strengthened relationships and better patient outcomes.


FAQs

What is a business associate?

A person or entity that performs certain functions or activities on behalf of covered entities.

 

How does cloud computing impact patient data privacy regulations like HIPAA?

Cloud providers must comply with healthcare-specific regulations such as HIPAA to ensure lawful handling of patient data.

 

What are the risks of relying on third-party CSPs?

Dependence on external providers can introduce concerns around data ownership, control, and service reliability.

 

Are there specific requirements for storing PHI in cloud storage?

Yes, PHI stored in cloud storage must be encrypted both at rest and in transit, and access controls must be in place to restrict unauthorized access.
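The answer above, and step 8 of the checklist earlier on this page, say that PHI in cloud storage must be encrypted in transit and at rest. The following is an added example, not Paubox's code, showing what that requirement looks like as an AWS S3 bucket policy and how to audit a policy for it: a weak policy that only grants access sits beside a hardened one that adds explicit Deny statements for non-TLS requests and for uploads that do not request SSE-KMS. The bucket name, account id and role name are constructed placeholders; the condition keys `aws:SecureTransport` and `s3:x-amz-server-side-encryption` are real AWS policy condition keys.

```python
"""Added example (not Paubox's code): audit an AWS S3 bucket policy for the
two controls the page names, encryption in transit and encryption at rest.
Bucket name, account id and role name are constructed placeholders; the
condition keys aws:SecureTransport and s3:x-amz-server-side-encryption
are real AWS policy condition keys."""
import json

BUCKET = "arn:aws:s3:::example-phi-bucket"          # constructed placeholder
APP_ROLE = "arn:aws:iam::111122223333:role/phi-app"  # constructed placeholder

# Weak policy: grants the application role access but says nothing about
# TLS or server-side encryption, so plaintext HTTP and unencrypted PUTs succeed.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowAppRole", "Effect": "Allow",
         "Principal": {"AWS": APP_ROLE},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": f"{BUCKET}/*"},
    ],
}

# Hardened policy: the same grant plus explicit Deny statements. IAM evaluates
# an explicit Deny ahead of any Allow, so these override the grant above.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": WEAK_POLICY["Statement"] + [
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [BUCKET, f"{BUCKET}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "DenyUploadWithoutKmsEncryption", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": f"{BUCKET}/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
        {"Sid": "DenyUploadWithoutEncryptionHeader", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": f"{BUCKET}/*",
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    ],
}


def _as_list(value):
    """Policy fields such as Action and Statement may be a string or a list."""
    return value if isinstance(value, list) else [value]


def denies_insecure_transport(policy):
    """True if a Deny statement matches requests with aws:SecureTransport == false."""
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Deny":
            continue
        flag = st.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if flag is not None and str(flag).lower() == "false":
            return True
    return False


def denies_unencrypted_uploads(policy, algorithm="aws:kms"):
    """True only if PutObject is denied both when the SSE header is absent
    (Null condition) and when it names another algorithm (StringNotEquals).
    Either statement alone leaves a gap, which is why both are required."""
    header_missing_denied = header_wrong_denied = False
    for st in _as_list(policy.get("Statement", [])):
        actions = _as_list(st.get("Action", []))
        if st.get("Effect") != "Deny" or not any(a in ("s3:PutObject", "s3:*") for a in actions):
            continue
        cond = st.get("Condition", {})
        if str(cond.get("Null", {}).get("s3:x-amz-server-side-encryption", "")).lower() == "true":
            header_missing_denied = True
        if cond.get("StringNotEquals", {}).get("s3:x-amz-server-side-encryption") == algorithm:
            header_wrong_denied = True
    return header_missing_denied and header_wrong_denied


def audit_bucket_policy(policy):
    """Return findings for the two controls; an empty list means both are present."""
    findings = []
    if not denies_insecure_transport(policy):
        findings.append("in transit: no Deny for aws:SecureTransport=false")
    if not denies_unencrypted_uploads(policy):
        findings.append("at rest: s3:PutObject not restricted to SSE-KMS")
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_bucket_policy(policy) or "OK")
    print(json.dumps(HARDENED_POLICY, indent=2))
```

The audit deliberately demands two separate Deny statements for uploads: `StringNotEquals` does not fire when the header is absent, and `Null` does not fire when the header names the wrong algorithm, so a policy with only one of them still lets unencrypted or SSE-S3 objects in. S3 now applies SSE-S3 to new objects by default; requiring `aws:kms` on top of that means key use is governed and logged by KMS, which is what gives you an access record for PHI at rest.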

 

Can healthcare organizations use any cloud storage provider for storing PHI?

Healthcare organizations can use cloud storage providers for PHI, but they must ensure the provider signs a BAA and complies with HIPAA's security and privacy rules.

 

Can I integrate third-party applications with my cloud email service?

Yes, many cloud email services offer integration capabilities with third-party applications and services through APIs or built-in integration features. Users can integrate email with productivity tools, CRM systems, project management software, and other business applications to streamline workflows and improve efficiency.