Yes, It’s Safe to Manage PHI in the Public Cloud and Here’s Why Life Sciences Should
PHI needs its Hippocrates, and it may have found it in the cloud.
Hippocrates is honored for systematizing Western medicine. He freed it from an incompatible patchwork of superstitions, legends, and magic by implementing methodologies for the treatment of diseases, including preventive measures and diagnostics.
Surprisingly, this mirrors the challenges surrounding Protected Health Information (PHI) today — disparate data sources, preventative measures required to ensure data safety, and diagnostic systems to identify security or compliance weaknesses.
PHI needs its Hippocrates, and it may have found it in the cloud.
The Evolution of Life Sciences Companies
Leveraging PHI in the cloud is an overarching endeavor among large life sciences organizations, and they’re using it like a steamroller to smooth the road to improved R&D momentum, security and compliance, speed to market, and manufacturing and clinical trial efficiencies. Meanwhile:
Small to midsize companies that have not fully leaped on the PHI-in-the-cloud bandwagon are seeing the benefits and beginning to feel the pressure to follow suit.
The growing need for compliant, protected, scalable solutions in an unpredictable environment — suffused with regulatory sprawl and surprisingly elevated levels of malicious activity — will naturally lead life sciences companies to reevaluate their current PHI management practices. An example of this vast regulatory expansion: according to a 2018 report by Fortune Magazine, the GDPR compliance costs to U.S. companies with over 500 employees could reach $150 billion annually.
With this regulatory explosion already underway (California Consumer Privacy Act, a mirror of GDPR, was passed just one month after the EU’s act came into law), many life sciences organizations may find that their on-premise data centers are not suitable — compliance-wise, security-wise, or scalability-wise — for the expanded capabilities needed to succeed in the evolving healthcare environment. To address the overly-regulated, ultra-competitive, maliciously-targeted state of the industry, life sciences and pharmaceutical companies are applying the cloud’s advantages to various divisions of their enterprise.
Benefits By Drug Life Cycle Phase
From a clinical trial perspective, there are public cloud APIs that allow life sciences organizations to de-identify patient data sets so they can then run clinical trials against them, accelerating the trials and reducing the overall cost. With this de-identified data, they can run trials using machine learning. The cloud’s ability to dial-up or dial down processing power as needed is a great enabler for machine learning, which requires massive computational capacity when running algorithms but requires very little when not in use. In addition, the cloud enables collaborators to work together in a secure and centralized environment, promoting communication between stakeholders, expediting research findings, and enabling organizations to bring new therapies quickly to market.
Regarding drug manufacturing, the ability to store PHI securely and compliantly in the public cloud can encourage better data collection through connected IoT devices, data analytics, and machine learning. This gives life sciences near real-time insights into their data and research. The reduced response time to changing market demands can foster an increasingly dynamic production capacity that makes them that much more competitive.
Cloud computing has been widely employed in drug marketing to increase access by sales and marketing teams to up-to-date information. This has improved the relationships between sales reps and physicians by enabling drug companies to play a more educational role, as well as having better access to data. And that data—once processed through advanced cloud analytics—can be used as input for future drug development.
Your PHI Protection Action Plan
The innovations and benefits are worth the precautions that must be taken to protect PHI. Protecting your PHI is achievable, particularly if organizations leverage third–party expertise to acquire the needed support. Let’s look at four strategies to help protect your PHI.
- PHI inventory considerations.
Having a thorough PHI inventory is the first thing you can do to protect PHI.
From a risk and liability perspective, how can you protect your data if you don’t know where your PHI is? It’s important enough that any cloud services provider must make it an essential part of its clients’ security risk analysis. It is also critical to be aware of which of your business associates have access to your PHI — you must know who has contact with the PHI you are entrusted with, and you’ll need BAA coverage for any of those associates accessing your PHI.
Encryption strategies to protect your PHI.
A knowledgeable cloud services provider will help ensure your PHI is encrypted while in motion and at rest. If you must ship PHI on a hard drive, it must be encrypted in a GPS container that creates a chain of custody that is tracked from its point of origin to its destination. What makes the lack of data encryption a tragedy of Shakespearean proportions is that the encryption process is so simple and so inexpensive — but you’d be surprised how often it’s overlooked.
Read any good audit logs lately?
System audit logging is not only an effective way to protect your data and your organization, it’s also a HIPAA requirement. You must have active audit logging. To ensure that you do, simply make sure audit logs are always turned on. Frankly, it takes time to review audit logs, but in the event of a security incident, those audit logs will prove valuable during your investigation. They will help you determine if, when, where, and how it occurred. If your cloud provider doesn’t offer audit logging, switch to one that does.
Updating legacy systems—the most-often missed strategy
If outdated software is no longer supported, it’s a vulnerability. If any older servers are no longer supported, and therefore vulnerable, sunset those servers into the cloud with a healthcare-dedicated, provider. If the lack of CapEx dollars or other resources keeps you from updating your software, talk to a healthcare cloud expert about a potential migration plan, including determining which workloads to move first.
The Promise of PHI in the Public Cloud
Drug marketing that improves relationships with physicians and patients while providing critical feedback for better drug development; data-responsive manufacturing that can help improve speed, scale and simplicity; new research capacities that promise to advance the delivery of quality patient care … these are the possibilities PHI in the cloud can offer r— if they go hand in hand with prudent strategies to protect data and ensure compliance. While managing PHI requires diligence, these extraordinary opportunities can come closer to realization with the right partner to support the journey. After all, behind each piece of PHI is a patient — and those patients are worth it.