Cloud

Is HIPAA Compliance Possible in Public Cloud Environments?

Strategic planning and thorough audits are key to keeping data safe in the public cloud, healthcare and security leaders say.

Nathan Eddy

Nathan Eddy works as an independent filmmaker and journalist based in Berlin, specializing in architecture, business technology and healthcare IT. He is a graduate of Northwestern University’s Medill School of Journalism.

Public clouds, which deliver scalable computing services via third-party providers, offer many promising benefits to healthcare organizations.

Despite the growing acceptance and deployment of cloud technology, concerns about HIPAA compliance and security remain top of mind. Just 7 percent of healthcare organizations say they consider public cloud to be the most secure choice, compared with hybrid cloud and nonhosted private cloud options, according to a March survey by Nutanix.

Cloud vendors are responsible for the physical security of the offsite infrastructure and facility that handles users’ data. But healthcare organizations also have key responsibilities, such as configuring firewalls, patching operating systems, and assigning access and privileges to the right people.

“The cloud is more secure than your data center, because these cloud providers offer security for millions of consumers, so they’re better at it than a hospital CIO can be,” says cloud industry veteran Gerry Miller.

The real danger, he says, is how organizations use the cloud, which underscores the importance for healthcare IT teams to properly configure their cloud environment.

“There’s no magic HIPAA dust that’s sprinkled over the cloud to ensure you’re safe,” Miller says.

Preparing for Public Cloud Migration in Healthcare

Practicing good digital hygiene to protect patient information and HIPAA compliance — ongoing efforts that include self-audits and self-assessments — is critical, no matter where a system is in the migration process.

“Healthcare organizations need to audit an external framework and implement a program that is measurable and standardized,” Miller says. “Many now require their third-party vendors to be HITRUST-certified to prove that a community of outsiders is practicing the same level of data hygiene.”

HITRUST (formerly, the Health Information Trust Alliance) created a security framework to help organizations meet a range of standards, including those required by HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Over time, misconfiguration of public cloud services presents another big vulnerability for healthcare organizations, says Chris Bowen, chief privacy and security officer for ClearDATA, a healthcare public cloud security firm.

“‘Compliance drift’ happens easily, as continuous deployment models are pushed through, and it can be a really big issue,” he says. “Sometimes, the configuration you put in place might drift out of compliance — someone unchecks an encryption check box with a line of code or inadvertently expands a permission group.”

That’s why healthcare organizations must clearly identify where sensitive, protected health information is flowing and bolster defenses around that data before moving to a public cloud.

“Don’t just take a compliance-based approach, but a risk-based approach,” Bowen says.

Thoughtful and Strategic Planning for Cloud Deployment

Geisinger, a Danville, Pa.-based health system, is currently conducting a public cloud assessment as part of a multiyear migration plan encompassing more than 1,500 applications — including its EHR platform. Leaders there know that the move is a significant undertaking.

“Ultimately, we are responsible for protecting our customers’ information as much as possible and not being negligent in any way,” says John Kravitz, the organization’s CIO.

Meeting that obligation, he adds, means working closely with Geisinger’s CISO and security team to ensure data control and access guidelines are followed throughout the migration process, tapping the expertise of outside partners with cloud security experience when needed.

It also means preparing for — and preventing — any potential hurdles.

“People need to take the time to understand the cloud is different than on-premises, because you don’t want to make a mistake when configuring. That’s the part we’re painstakingly going through now, including penetration testing from the outside,” Kravitz says. “It’s a new frontier for a lot of us, and we have to make sure we get this right.”

Taking Internal Responsibility for Cloud Security Measures

A healthcare organization’s CISO must be the resident expert on HITECH and HIPAA to figure out what capabilities are needed to meet compliance standards.

Forming a cohesive strategy with all members of the IT department is an important step, says Wes Wright, CTO at Imprivata, an IT security company.

“The question is, what do I need to implement in order to meet these capabilities that are over and above the security posture? That’s the most important due diligence you have to do,” he says.

Wright, whose experience with public cloud started 10 years ago as CTO and CIO at Seattle Children’s Hospital, agrees that the security of public clouds is generally accepted. Still, he says, it’s incumbent on health IT teams to find out what additional security tools are available to ensure compliance is attained, and maintained over time.

After all, “someone’s got my health information too,” he says.

Orbon Alija/Getty Images