A common concern among many healthcare providers when they’re either considering moving to the cloud or embarking on their journey to the cloud is how to ensure HIPAA compliance.
While experts agree that it is absolutely possible to be HIPAA compliant in the cloud – and the benefits of the cloud are, quite frankly, too good to pass up – healthcare providers still need to do their due diligence to ensure compliance.
With the cloud, HIPAA compliance isn’t solely up to one party involved (and there are usually at least two parties involved – the healthcare provider and the cloud vendor – if not more). This means HIPAA compliance is shared, Adam Greene, a partner at Davis Wright Tremaine, LLP, said at HIMSS 2018 in Las Vegas.
Greene made the point that this type of shared security and shared HIPAA compliance only works if everyone involved knows their responsibilities.
As a healthcare provider, here’s what you should pay attention to when considering or working with a cloud vendor:
Physical security
While storing your healthcare information in the cloud may seem as though you are storing it in a mystical, untouchable place, the truth of the matter is that your information resides somewhere out there in a physical data center. This means that healthcare providers should look into the physical security a cloud provider has in place, Greene said. He added that physically secure cloud providers keep the location of their data centers a secret and won’t normally let people walk through them.
Internal access controls and encryption
Greene posed the question: If someone at the cloud provider decides, “I want to go look at customer data”, what’s stopping them?
Healthcare providers looking for or using the services of a cloud vendor rely on the vendor to provide effective controls over its administrators, for example. This includes ensuring that appropriate encryption is in place, Greene said.
He also pointed out that certain controls may rest entirely with the cloud vendor, such as patching detected vulnerabilities, while other controls, such as encryption, may be under the healthcare provider’s control.
Enable audit logs
Check whether your cloud provider offers audit logging capabilities; if it does, it may still be up to the customer to turn them on and to set how long the logs will be retained, Greene said.
Greene also made the point that audit logs that are turned on but never reviewed aren’t very valuable and that the Office for Civil Rights is looking for more proactive auditing.
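As an added example that is not part of the article or of Greene’s talk, a short Python review of the kind this passage calls for: it checks that audit logging is on with an adequate retention period, then scans audit events for reads of patient records by accounts outside the roles permitted to read PHI (a vendor administrator reading customer data is the case Greene asks about). The event format, the retention minimum and the permitted roles are constructed assumptions, not any provider’s real format or policy.

```python
"""Proactive audit-log review for a cloud-hosted PHI system (added example).

Assumes a constructed, provider-agnostic format: one JSON object per line
with ts, actor, org, role, action and resource fields. The retention
minimum and the PHI-reading roles are assumptions a covered entity would
set from its own risk analysis, not values taken from any regulation.
"""
import json

MIN_RETENTION_DAYS = 2190          # assumed policy minimum (about 6 years)
PHI_READERS = {"clinician", "billing"}   # assumed roles with a documented need to read PHI

# Constructed sample: audit-logging configuration as reported by the cloud vendor
LOG_CONFIG = {"audit_logging_enabled": True, "retention_days": 90}

# Constructed sample audit events (one JSON object per line)
SAMPLE_LOG = """\
{"ts":"2018-03-06T09:12:00Z","actor":"dr.lee","org":"provider","role":"clinician","action":"read","resource":"patient/1001"}
{"ts":"2018-03-06T09:40:00Z","actor":"svc-backup","org":"vendor","role":"admin","action":"backup","resource":"volume/ehr-01"}
{"ts":"2018-03-06T02:15:00Z","actor":"ops.jane","org":"vendor","role":"admin","action":"read","resource":"patient/1001"}
{"ts":"2018-03-06T10:05:00Z","actor":"acct.bob","org":"provider","role":"billing","action":"read","resource":"patient/2002"}
"""


def check_log_config(cfg):
    """Return findings on whether logging is enabled and retained long enough."""
    findings = []
    if not cfg.get("audit_logging_enabled"):
        findings.append("audit logging is disabled")
    elif cfg.get("retention_days", 0) < MIN_RETENTION_DAYS:
        findings.append(f"retention {cfg['retention_days']}d below policy minimum {MIN_RETENTION_DAYS}d")
    return findings


def review_events(log_text):
    """Flag reads of patient records by actors whose role is not permitted to read PHI.

    Returns (actor, org, resource) tuples so a reviewer can see at a glance
    whether the access came from the provider's own staff or the vendor's."""
    flagged = []
    for line in log_text.splitlines():
        ev = json.loads(line)
        if ev["action"] == "read" and ev["resource"].startswith("patient/"):
            if ev["role"] not in PHI_READERS:
                flagged.append((ev["actor"], ev["org"], ev["resource"]))
    return flagged


if __name__ == "__main__":
    for finding in check_log_config(LOG_CONFIG):
        print("CONFIG:", finding)
    for actor, org, resource in review_events(SAMPLE_LOG):
        print(f"REVIEW: {org} account {actor} read {resource} without a permitted role")
```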
Risk analysis and risk management
HIPAA requires cloud service providers that work with a healthcare provider, and are therefore business associates, to conduct their own risk analysis. Greene said that the same requirement applies to the healthcare provider, the covered entity, as well.
While both the cloud vendor and the healthcare provider should be conducting risk analyses, those analyses should look different. For example, how are the potential risks to confidentiality facing a cloud service provider addressed? That is something the cloud provider, not the healthcare provider, is expected to cover in its risk analysis. The healthcare provider’s analysis may operate at a higher level, but it must at least include a high-level risk analysis of the cloud provider itself.
In addition, both the cloud vendor and the healthcare provider should have their own risk management plans in place.
Administrative safeguards
Greene said that cloud providers must have their own set of internal administrative safeguards in place. If an administrator has access to patient data, is someone watching that administrator and what they have access to? It’s important that the cloud vendor have someone in place to watch for individuals within the cloud provider abusing their access, he said. Greene added that cloud vendors should have a security officer and internal access management in place.
Contingency planning
Finally, Greene advises that healthcare providers understand what happens to the cloud services they’ve chosen when an emergency occurs. It’s important to check whether the cloud provider has redundancy so that you can still gain access, and whether there are any emergency remote operations, for example. Greene also advised deciding which applications are most important to you. If your EHR is in the cloud, he pointed out, that may be a top priority while business analytics may be a lower priority. Therefore, it’s important to ensure your EHR remains up and running should a disaster happen.