Author: Chris Bowen
Chief Privacy and Security Officer and Founder, CISSP, CIPP/US, CIPT
Healthcare in the United States has quickly undergone a significant transformation. With implementation of the HITECH Act of 2009, by the end of 2010 most office-based doctors-57 percent-were using electronic medical records. The Affordable Care Act, passed in March 2010, added another incentive to the market to adopt new technology by encouraging the creation of Accountable Care Organizations (ACO) to organize knowledge, technology and healthcare teams around the needs of the patient.
Now tasked with choosing the best way to store and backup electronic protected health information, or ePHI, many healthcare providers are looking at cloud computing; new technology that has made the traditional data-hosting model cost-prohibitive and obsolete by offering rapid server deployment, near instant scalability and greater redundancy than ever before. While the benefits are clear, there are security and compliance requirements unique to the healthcare industry that must be considered when adopting cloud technology.
As providers adopt EMR, they are faced with immediate questions and decisions such as where to host the data-at their facility, at a traditional collocation data center or with a public or private cloud hosting provider-and regardless of location, how to comply with the stringent rules for safeguarding protected health information (PHI) as outlined in the HIPAA Privacy and Security Rules and HITECH Act.
Since hosting vendors store, transmit or process ePHI, they must comply with the same mandates for data protection as the healthcare provider. This usually requires them to sign a business associate agreement, which requires that healthcare provider vendors must:
- Comply with their contracts to secure PHI and control its use and disclosure;
- Have appropriate safeguards in place that satisfy the requirements of the HIPAA Privacy and Security Rules;
- Report all privacy and security incidents to the healthcare provider with whom it has a business associate relationship;
- Hold their agents and subcontractors to the same restrictions and conditions with which they must comply;
- Make arrangements to handle patient requests for PHI;
- Provide their clients with the necessary information to respond to patient requests to “account for all disclosures”;
- Be able to make their records related to PHI available to their clients if they are audited;
- Return or destroy all PHI if their contract expires or is terminated.
Regardless of the chosen location for data, for the majority of practices reality sets in when members of the management team are forced to become experts in the privacy and technical security of patient data throughout the “data lifecycle,” which encompasses the creation, distribution, use, maintenance, storage and destruction of data.
As healthcare providers migrate to new technology and seek to safeguard their patient data at each step of the lifecycle, they are faced with daunting topics such as encryption management, vulnerability monitoring and alerting, intrusion detection and prevention, audit logging and log management, patch management, connectivity, remote access and disaster recovery.
They hear buzzwords like NIST, multi-factor authentication, blended connectivity or even volume vs. transparent data encryption. They wonder how all of this technology relates to daily procedures and protocols. They seek to understand how to comply while trying to balance patient care and running a business.
If they consider hosting their data in-house, they are shocked when presented with the extremely high cost of expertise, redundancy and the physical infrastructure necessary to meet basic performance such as cooling, physical security and connectivity to the Internet.
Thankfully, healthcare providers struggling to navigate these new techno-compliance waters have found market-based solutions that can make their lives easier by utilizing cloud technology.
Cloud strategies are gaining significant traction as a solution to hosting data and as a means to easing the burden on healthcare providers as they migrate to EMR.
According to a study by IDG Enterprise Cloud Computing in January 2012, companies are investing heavily in cloud computing. A survey of 1,650 IT and business executives showed 34 percent of their IT budgets were allocated to cloud computing solutions and 63 percent expected to increase spending this year. In the survey, the greatest barrier to implementing cloud strategies was security, 70 percent, then data access, 40 percent, followed by information governance concerns, 37 percent.
Key considerations for healthcare cloud consumers
Moving to EMR requires the healthcare provider to safeguard electronic PHI. The rules do not specify where data can be stored and safeguarded, only that these safeguards are sufficient to be effective and operational.
In the healthcare environment it is critical to define safeguards around the right data, which can only be accomplished by taking inventory of the data and assessing the safeguards currently in place. This data inventory is the precursor for data classification.
HIPAA only regulates PHI, and so it is important to know which safeguards should apply to which dataset. When choosing what data to place in the cloud, knowledge of which data is located where is critical to maintain the custody of patient data from its creation to its destruction. (See Figure 1.)
Figure 1: The data lifecycle
If a healthcare provider chooses to adopt a cloud strategy, how does that provider ensure that their sensitive PHI is protected in a cloud environment? Furthermore, how can they ensure that they maintain an auditable chain of custody for that data using cloud technology throughout the lifecycle?
Cloud computing reference architecture
To begin, it is imperative that the healthcare provider understands at a high level where he/she fits in the cloud computing model. According to the National Institute of Standards and Technology (NIST) in Special Publication 500-292, the cloud computing reference architecture defines five major players: Cloud Consumer, Cloud Provider, Cloud Carrier, Cloud Auditor and Cloud Broker. (See Figure 2.)
Figure 2: NIST Cloud Reference Architecture
The definitions of each are as follows:
- Cloud Consumer: A person or organization that maintains a business relationship with, and uses services from, Cloud Providers. For purposes of this article, a Cloud Consumer is the healthcare provider.
- Cloud Provider: A person, organization or entity responsible for making a service available to interested parties.
- Cloud Auditor: A party that can conduct independent assessments of cloud services, information system operations, performance and security of the cloud implementation.
- Cloud Broker: An entity that manages the use, performance and delivery of cloud services, and negotiates relationships between Cloud Providers and Cloud Consumers.
- Cloud Carrier: An intermediary that provides connectivity and transport of cloud services from Cloud Providers to Cloud Consumers.
Overcoming data security concerns in the cloud
While many cite security as a concern when moving data to the cloud, Lothar Determann aptly points out in Data privacy in the cloud-A dozen myths and facts in The Privacy Advisor, that cloud computing in itself is not bad for security but only as secure as the entity handling the data, regardless whether the entity is a cloud provider or if the entity is hosting the data themselves. He clarifies, “Moving data to the cloud can be a bad thing for data security if the vendor is weak on security and careless. It can be a good thing if the vendor brings better technologies to the table and helps the data controller manage access, data retention and data integrity.”
Typically, cloud providers focused on protecting ePHI have the resources and focus necessary to bring better technologies to the table to help the healthcare provider more effectively manage access, data retention and integrity than most individual practices and hosting providers that lack healthcare focus. Others fail when the cloud provider spins up a virtual machine and expects the cloud consumer to take the security and management controls.
For healthcare providers wondering where to begin, one of the best ways to overcome concerns about data security in the cloud is to carefully evaluate cloud providers and their approach to management, security and accountability. Compliance with healthcare regulations requires that the healthcare provider maintain visibility into where its data is stored throughout the lifecycle and who has access to that data at each stage. Abstracted cloud environments can make this a difficult task.
Healthcare cloud consumers should conduct the due diligence necessary to ensure that their ePHI is protected. At a high level, the healthcare provider should conduct the following due diligence on a potential cloud provider:
Determine the cloud provider’s focus. No one provider can do all or know all. Is the provider a general provider, or does it focus on a specific segment of the market, such as financial services, healthcare, e-mail, CRM? Understanding the focus of the cloud provider will help the cloud consumer understand the core competencies of the cloud provider.
- Will the cloud provider seek to understand the cloud consumer’s data lifecycle? Will the lifecycle be documented and periodically reviewed as new technologies or systems are added?
- Is the cloud provider’s workforce required to undergo background checks?
- Like the healthcare provider, does the cloud provider’s workforce undergo HIPAA and Security Awareness training and adhere to “Minimum Necessary Use” principles?
- Will the cloud provider employ on behalf of the cloud consumer-not just provide options for-adequate security mechanisms that meet or exceed what healthcare providers must implement in their own facilities if they were to host locally, and will those security mechanisms satisfy legal requirements for reasonably safeguarding patient data? This review should consider security controls such as system activity monitoring and alerting, unique user enforcement, end-to-end vulnerability management and intrusion detection and prevention. The cloud provider should also be able to address encryption requirements, backups and restore testing and all other safeguards recognized by either widely accepted security framework, such as NIST or HITRUST’s Common Security Framework.
- Has the cloud provider been independently audited for its security controls? Is the cloud provider SSAE 16 or SAS70 Type II certified?
- What other service offerings of the cloud provider are there, and do they complement cloud and security offerings?
- Where are the physical systems located, and does that cloud provider own them or borrow computer resources to meet spikes in demand? The location of the data is an important consideration. Latency in accessing data could be an issue if the data is located off the main backbone of the Internet. If the data is located in a different country, there could also be regulatory jurisdictional issues and legal uncertainty.
- How available and reliable is the cloud provider? Availability and reliability are typically best effort with general cloud providers. But best effort may not be good enough for critical application loads. Also, the healthcare provider needs to have continuity plans in place if the service were to cease permanently.
- What administrative, technical, physical and organizational policies and procedures are in place and designed to ensure that the cloud provider safeguards patient data? Are those policies and procedures sufficient to be effective, and are they operational? Do they mirror the same standards as the healthcare cloud consumer?
With mobile phone and tablet use growing among doctors, nurses and other hospital employees, the newest threat to ePHI security is accidental employee error. A recent Health Data Management article warns, “Internal security threats have always been legion, and now that there’s a mobile device in every pocket, the situation is down-right scary…it’s important for companies to be vigilant and monitor data traffic through log analysis and access management, and to keep track of mobile device or external storage media use…Malicious or not, breaches of protected health information cost money and damage institutional reputations. And with the HHS Office for Civil Rights starting audits for compliance with the HIPAA privacy and security rules, and with audits for electronic health records meaningful use compliance on the horizon, the cost could be even higher-like accusations of filing a false claim of attesting for meaningful use.” Choosing a cloud provider versed in HIPPA compliance will help healthcare providers broaden their policies and procedures to include data stored in the cloud, which will further help mitigate the risks and costs associated with both external and internal security breaches.
At the end of the day, the healthcare provider must safeguard patient data at every step in the lifecycle at every location. This requires that the cloud provider have a keen understanding of HIPAA compliance, system and data security and the nuances of a healthcare practice. It also requires that the cloud provider work in tandem with the cloud consumer to ensure an auditable chain of custody can be used to demonstrate compliance.
If a cloud strategy is chosen, ensure that the cloud provider works with the healthcare provider in defining that lifecycle and proving that safeguards exist and are effective at every stage.