HIPAA and Cloud Computing
As scary as sending patient data to the cloud may seem, with proper planning it can be done safely and to good effect, some IT experts say.
Privacy breaches make headlines. Compliance and information security officers don’t like headlines—at least not if they’re about a privacy breach at their organizations. So when people talk about moving data to “the cloud,” CCOs, CIOs, and CISOs often get nervous.
Cloud Computing Is Not New
Cloud computing refers to obtaining computer-based services via the Internet rather than using one’s own IT infrastructure (local servers, PCs, laptops, etc.). Using the cloud involves uploading information to a third-party data center and, when protected health information (PHI) and financial information (FI) are involved, there are special risks.
The term may be new to some of us, but cloud computing itself is not, according to security expert Randall J. Romes, principal, CliftonLarsonAllen. The finance industry has been using it for years in the form of service bureaus. “I used to think of the computer WOPR from the movie War Games, but now we have more generalized applications such as Google Docs, Dropbox, and Windows Azure. Even Amazon offers cloud computing with its Amazon Web Services application.”
Romes’ partner Mark A. Eich points out that, while these kinds of hosted services provide greater availability and reduce the need for IT investment, there are practical considerations. “For example, people need to ask what will happen if the Internet goes down,” he says. “There are many brief outages in Internet connectivity, and there have been extensive failures after hurricanes and other disasters. Cloud service users need to have redundancy in their systems so they will be prepared for disruptions.” (An online search for “cloud computing outages” reveals many examples in recent years lasting from a few hours to many days.)
Privacy and Security Risks Come Together
Cloud computing multiplies the compliance risks for healthcare organizations, which have what Eich calls the “double joy” of possessing both PHI and FI. Providers have a hard enough time protecting data on devices they own. To send it off into the ethersphere somewhere raises privacy and security concerns, liability issues, and the possibility of hacking or identity theft.
Security expert, Bart L. Hubbs, CISSP, CISA, of Brentwood, Tennessee points out that the risks “come together in the cloud” for covered entities (CEs) and business associates (BAs). As he sees it, the regulatory landscape increases the risk and complexity for all parties due in large part to the HITECH Act.
“There are provisions in HITECH that significantly change the risk profile,” Hubbs says. “Before HITECH, BAs were only required to comply with the agreement they had with their covered entity. Now BAs must generally comply with HIPAA as though they were CEs themselves. This includes responsibilities concerning breaches and breach notification, so the risk of damage to reputations is increased for all parties.”
When a provider’s use of cloud computing involves individually identifiable information, the cloud computing vendor may become a BA and, thus, directly accountable under the HIPAA privacy and security rules. Also, depending on the cloud model being used (private, public, hybrid, etc.), there may even be third parties who can gain access to the information, thus increasing the risks. “Many cloud computing vendors are reassessing the idea of hosting PHI due to the risk of non-compliance,” Hubbs says.
These concerns are reflected in survey results published last December by the Ponemon Institute. Sixty-two percent of those responding reported that they are “moderate” or “heavy” users of cloud services, but nearly half (47 percent) are “not confident” that the cloud is secure and almost one-fourth (23 percent) are only “somewhat confident.” There are also fears of government and legal interference, according to another study.
Reasons to Use the Cloud: CAPEX to OPEX
Notwithstanding the risks and concerns, there are many legitimate motivations for cloud computing, according to Nilesh Chandra and Grace Lee of PA Consulting Group. These include, for example, the information-sharing needs of health information exchanges, accountable care organizations, patient-centered medical homes, and national clinical trials. All are reasons why providers and other CEs consider the cloud for some of their computing needs.
Consider “pharmacovigilance”—the collection, detection, assessment, monitoring, and prevention of adverse drug events. Lee points out that drug safety analyses require streaming of massive amounts of data from all over the world, and few organizations are equipped to handle the job with internal data centers and legacy systems.
“Companies that are early adopters of cloud technology for pharmacovigilance, regulatory, and clinical operations can more easily meet regulatory compliance requirements and can gain a competitive edge.” Lee says. “Cloud technology is a more efficient and cost-effective Big Data solution. It can be implemented faster than installing new internal systems or customizing existing ones.”
Similar examples include data for disease registries, clinical trials, and epidemiological studies. It would be nearly impossible for a single provider to manage the huge, unstructured data sets that these projects require. They need to be collected and indexed in a single place, and the cloud can offer those services on an as-needed basis.
Even more routine applications—billing services, for example—can avail a small provider that does not have and/or cannot afford a well-developed IT infrastructure and the personnel to manage it. Thus, using the cloud can have significant operational benefits, the most apparent of which is economy of scale. If used carefully, cloud computing can avoid huge human and capital expenditures and turn computing into a more manageable operational cost.
A Careful Approach Is Needed
Romes emphasizes the importance of choosing one’s cloud vendor carefully. “Health care is a big industry, and there’s been a rush to market by some new cloud vendors,” he says. “They don’t always understand health care. They may claim to be ‘HIPAA certified,’ but it’s not clear what that means. I don’t know of any accrediting body for HIPAA compliance.”
In addition, when choosing a cloud vendor, a lot of organizations only conduct a superficial analysis, adds Eich. “They run through a checklist based on the HIPAA Security Rule and think that they’re good to go. But the regulations are just Security 101. Compliance is not the same as true security. You have to go beyond barebones compliance and ensure that someone in the organization is managing the exceptions.”
All the experts stress the importance of due diligence when evaluating cloud service providers. Here are some of the things they suggest you need to do:
- Perform a risk assessment, cost/benefit analysis, and vendor due diligence
- Understand exactly what services are to be provided (applications, functions, processes)
- Specify security and privacy obligations up front, including the vendor’s BA responsibilities
- Be sure you know who will have the data, where it will be located, and who will have access
- Clarify precisely the rights of ownership, custody, control, and access
- Evaluate how your operations would be affected if there is a privacy breach or loss of data
- Provide for redundancy in the event of service outages
- Be prepared to perform ongoing vendor management
- Specify who will manage security exceptions and communications with the vendor
- Review/update all relevant organizational policies and conduct education
A Hybrid Approach May Work for Some
As more PHI resides in the cloud, the risks escalate and there are HIPPA and HITECH implications to consider, says Chandra. “Due to these risks, many healthcare organizations are taking a conservative approach and testing the waters with cloud-based storage and processing for non-identifiable aggregate data only,” he says.
Until concerns about security and privacy protection are fully addressed, cloud computing will be limited to only a small subset of all healthcare and clinical data, Chandra says. But he adds, “A hybrid approach, combining cloud and internal computing environments, can be safe and effective.”
Using the hybrid approach means that clinical data are stored in the cloud without individually identifiable attributes like name and address. The PHI is de-identified and only a unique, randomized identifier is stored in the cloud. The same unique identifier is stored on internal environments along with the individual identifiers. This allows for maximizing the advantages offered by cloud computing—scalable, on-demand computing capacity—while still maintaining patient privacy.
“This approach has only seen limited adoption thus far,” according to Chandra, “but some of our clients have used it to good effect.”
J. Stuart Showalter, JD, MFS, is a contributing editor to HFMA’s Legal & Regulatory Forum.
Interviewed for this article:
Randal J. Romes, CISSP, CRISC, MCP, PCI-QSA, is principal, CliftonLarsonAllen.
Mark A. Eich, CPA, CISA, is partner, CliftonLarsonAllen.
Bart L. Hubbs, CISO, is with RegionalCare Hospital Partners, Brentwood, Tenn.
Nilesh Chandra, is business architect, PA Consulting Group.
Grace Lee, is pharmaceutical and regulatory expert, PA Consulting Group.
Sidebar: Cloud References and Resources
The following publications from the National Institute of Standards and Technology:
- NIST Special Publication 800-144: Guidelines on Security and Privacy in Public Cloud Computing
- NIST Special Publication 800-145: The NIST Definition of Cloud Computing
- NIST Special Publication 800-146: Cloud Computing Synopsis and Recommendations
- NIST Special Publications 800-53: Recommended Security Controls for Federal Information Systems and Organizations
The following publications from the Cloud Security Alliance:
- Security Guidance
- Cloud Controls Matrix
- Top Threats to Cloud Computing Report
The Federal Financial Institutions Examination Council’s Outsourced Cloud Computing
The Information Systems Audit and Control Association’s Cloud Computing Management Audit/Assurance Program
Forum members: Please share your insights, questions, and comments about this article. You can use the “inshare” button at the top of this web page or visit the Legal & Regulatory Forum’s LinkedIn discussion board.
- What is your organization’s PHI and FI storage approach? Are you using the cloud in any way? Why or why not?