HealthITSecurity: Healthcare security considerations during cloud implementation
Many healthcare organizations are truly starting to embrace using cloud computing to store their electronic health records (EHRs) and now have a better understanding of the controls needed to properly manage patient data. But with the new HIPAA omnibus rule in effect and health data security being more and more top-of-mind as data breach incidents continue to happen, organizations are still cautious with cloud security.
Daniel Morreale, Vice President and Chief Information Officer of Kingsbrook Jewish Medical Center, gave some insight to HealthITSecurity.com about migrating his organization’s data to the cloud and the types of security considerations and concerns he had to manage in the process. Morreale and Kingsbrook chose ClearDATA, a cloud hosting service provider, and a big part of that decision was feeling comfortable with its security architecture. For example, ClearDATA works with its EHR software partners to enable encryption at rest, on the storage arrays and backups as well as in the application while it’s in use. Furthermore, it is up to date with HIPAA requirements and knows what healthcare organizations need to be compliant.
Why did you pick ClearDATA and how did HIPAA and business associate agreements (BAAs) come into play?
One of the reasons we chose ClearDATA was because they specialize in healthcare and understood the needs around protected health information (PHI) security and were willing to sign a BAA, which other companies (those not in healthcare) would not. We had trouble getting other companies to understand HIPAA requirements around healthcare data and BAAs, which means they assume responsibility for data and data breaches. For example, we tried moving some servers into the cloud with a local vendor, but had to back out of the deal when they refused to sign a BAA. Also, Google does not sign BAAs and that wouldn’t work for us, which caused us to rethink our email strategy. In fairness, I’m told the contract language contains an equivalent [to BAAs], but at the end of the day I don’t want to chase contracts every time a regulation changes.
ClearDATA was willing to sign a BAA and was aware of the new HITECH regulations as part of HIPAA. And we sat down and talked to them about the nature of their data centers and the agreements, as well as how portable the system is going to be and details about data ownership and disaster recovery (DR). The newer HITECH version of BAAs puts more responsibility onto the trusted partners and ClearDATA was aware of those regulatory changes. Some other companies said, “What’s a BAA?” and didn’t exactly make a strong argument for themselves.
Can you talk a bit about implementing the ClearDATA platform?
We’re in the process of a migration onto the ClearDATA platform. Right now, we’re sending our backups to the cloud. And once we get that all stable and have a comfort level, we’ll start moving some of their clinical applications that are part of our clinical health records over to their hosted site. We want to make sure we understand all the capabilities and limitations that Software as a Service (SaaS) and Infrastructure as a Service (IaaS) are going to offer, so we’re learning it the real way in small steps.
What are some cloud security considerations and concerns?
Healthcare in general is a pretty cautious group and the sensitivity around health data is so high and regulated that people get nervous. However, when you balance out the cost of maintaining your infrastructure with the availability, scalability and portability that a cloud infrastructure gives you – I think there’s a strong argument [for cloud]. The question then becomes, “How do I secure my environment in the cloud and take advantage of all it has to offer?” We’ve already decided that we’re going to be “cloudy” and now it’s just a matter of understanding the security issues that are going to surround that decision.
The first fear that we needed to overcome was managing encryption keys, as we were figuring out whether we were going to do it or if it was going to be the vendor. Are the keys going to be in the cloud? Are we going to keep them locally? Right now, we opted to put the keys in the cloud and let ClearDATA manage them. There is also some software out there we’re exploring that’s a hybrid and would allow us to keep our keys locally. The one thing that scares me the most is corrupting our keys. I don’t believe we’ll ever get ahead of the hackers, but we can slow them down a little bit. The package with ClearDATA comes with an encryption routine; they’ll encrypt the data as it moves and is at rest.
What do you mean by “cloud portability”?
That means getting my data as far away from my physical device as possible. The past few years, New York has suffered some serious issues with its infrastructure because of hurricanes but we understand it’s an exposure and had to put our data somewhere else. As we made that decision, it became clear that we needed to do the same with our applications as well. That’s why we became “cloudy.”
Do you have an implementation timeline?
Our first couple medium-risk applications should be live in a month or so, and then we’re going to take a break and look at our experience. Then we can sit down and talk about moving some of our lower-risk applications and later have a coordinated effort to move the rest of the applications [to ClearDATA]. I’m hoping by the middle of 2014, we’ll have everything done. We’re able to do this with some speed because our systems are 90 percent virtualized right now.