With its inclusion of penalties as high as $1.5 million per violation, HIPAA’s Final Omnibus Rule sent an unambiguous message to healthcare providers on the critical importance of HIPAA compliance and PHI security.
“These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a healthcare provider or one of their business associates,” said HHS Office for Civil Rights Director Leon Rodriguez when the new rule was announced last year.
It’s no secret that HIPAA compliance and PHI security are among the factors that have long made healthcare IT executives wary of the cloud. Today, however, that’s changing, thanks in large part to advances in cloud technology, security protocols, intrusion prevention, and the in-depth healthcare industry knowledge of the ClearDATA team.
Managed Security Services
“Traditionally, many hospitals and other healthcare organizations have made the conscious decision to have dominion and control over their IT operations,” noted Lee Kim, director of privacy and security at the Healthcare Information and Management Systems Society (HIMSS). “The IT assets of these organizations have been historically kept on premises, but this is not necessarily so anymore. Many healthcare organizations have gone to the cloud.”
Advanced cloud hosting providers, such as ClearDATA, can provide greater security than what’s available from on-premises IT operations, Kim noted — it all depends upon the policies and practices of the provider.
“The hospital or other healthcare organization may subscribe to managed security services which the cloud provider may make available to help bolster the security of the PHI with which it is entrusted,” she pointed out. “These managed security services may include remote infrastructure management, which addresses management of endpoint security.”
‘Have the Proper Agreements in Place’
Healthcare organizations can also take several other steps to improve PHI security in the cloud.
“Make sure you have the proper agreements in place — as an example for HIPAA, a business associate agreement,” advised Christina Mazzone, information security officer with Partners Continuing Care.
“Legal counsel, purchasing and risk management departments should all be involved to review and understand the cloud vendor’s information security posture,” she said.
The Cloud Security Alliance offers several tools and documents that can help, Mazzone added, including its Cloud Controls Matrix, which is designed to help assess cloud-centric information security risks.
“You should understand the cloud vendor’s controls, such as: do they have encryption capabilities for storage and in transit? Does the vendor have audit capabilities, and what are they willing to share with you? What kind of security and privacy training do they conduct for their staff?” she said.
‘How Will You Retrieve That Information?’
Other key questions are whether the vendor does penetration testing, how regularly, and whether they will let you see the findings reports, Mazzone said. “What does their disaster recovery and business continuity plan consist of, do they test it, and are they willing to share the plan and/or test results?” she added.
Details about the vendor’s data centers — including where the information is stored — are also important, noted Maureen Buck, information security program manager with Partners, as is an explicit discussion of each party’s rights to the data.
“If the agreement is terminated, how will you retrieve that information?” Buck added.
In short, Mazzone concluded, “you want to make sure that the vendor has the same level of security — or better — than you do.”
