President and CEO,
Atlantic.Net
There are many ways in which cloud computing can deliver services to healthcare organizations, helping them to better serve their patients and to grow securely. A consumer advocacy group released a report last year with its thoughts on implementing this technology to safeguard protected health information (PHI) and for other healthcare uses. After establishing these benefits, this article clarifies where cloud stands from a compliance perspective.
CSCC: Widespread benefits of cloud
Created by the Cloud Standards Customer Council (CSCC), this report, “Impact of Cloud Computing on Healthcare, Version 2.0” [1], suggests that there are three key ways in which cloud computing is of use to healthcare:
Economic: The first way in which healthcare leverages the cloud to its advantage is for its financial gains, which are manifold. You have better flexibility with your spending through cloud since you are buying services on-demand. The services may also be obtained more affordably than if you set up a data center yourself. You do not need to put a huge amount of upfront capital (capex) into infrastructure; instead, this IT system is purchased as you go, an operating expense (opex). Additionally, labor and maintenance for the IT system are part of the all-inclusive cost of infrastructure-as-a-service (IaaS). Because the staff is provided within the cloud platform or infrastructure service, you do not have to set aside additional funding for skilled IT personnel and training.
Operational: You want your operations to move as smoothly as possible. Cloud is optimized for scalability so that you can meet changes in demand in stride, as with the holidays or publicity. Despite cloud’s bad rap for security and privacy, it actually is strong on these counts, as indicated by IT security experts [2][3][4] (see further thoughts on security in the section below). Along these same lines, the CSCC states that the data centers of cloud providers are typically very secure against all the numerous types of threats that a healthcare organization might encounter. “Cloud services can offer sophisticated security controls, including data encryption and fine-grained access controls and access logging,” adds the nonprofit’s report.
Functional: While the functional advantages of cloud systems are diverse, and while it is reasonably simple to integrate cloud with other systems (based on their use of standard protocols and their web-based nature), technical and legal agreements still can make it complicated to integrate with EHR systems. While obstacles certainly exist, interoperability is a key concern of healthcare that is furthered by cloud environments. Cloud platforms are also well-built to enhance the desire for innovation and development (particularly true of Internet of Things, or IoT, and mobile applications). Cloud gives any authorized party the ability to access any part of your environment from any location with web access, through a wireless or wired connection. While economic and operational benefits are huge, the CSCC report suggests that the capabilities, through connections to a broader set of services, may be the most significant advantage of the cloud approach. “These services offer the opportunity to extend the capabilities available to health organization staff, in order to implement better ways of working, and to offer new services to patients,” notes the Council.
HHS position on cloud
The Office for Civil Rights (OCR) is the division of the Department of Health and Human Services (HHS) that is charged with regulation and enforcement of HIPAA-protected data (PHI/ePHI). This key federal-compliance agency also is responsible for releasing information that is educational, helping organizations that must be compliant with the healthcare law. The architecture of cloud computing has raised eyebrows in terms of security (since it is a construct created by coordinating numerous machines, enhancing reliability but also introducing new security concerns), so the OCR decided to release advice specific to this technology.
These recommendations [5] state explicitly that cloud configurations are completely legal (in other words, meeting the agency’s strict security and privacy expectations) as long as an appropriate business associate agreement (BAA) is signed with the cloud service provider. “[A] covered entity or business associate may use cloud-based services in any configuration (public, hybrid, private, etc.) provided it enters into a BAA with the CSP.” The informational article goes on to state that the type of cloud model that is used should be properly reflected within the BAA’s terms, related to the treatment of risk. However, the important point is that cloud should be considered a HIPAA-compliant design within the right parameters.
Along with the BAA, the service level agreement (SLA) should be strong as well, says the HHS. Getting excellent agreements that will both be compliant and will properly protect all your data starts with the right choice of provider. As you review potential partners, look for experience and a niche commitment to protecting healthcare records.
References:
1. www.cloud-council.org/deliverables/CSCC-Impact-of-Cloud-Computing-on-Healthcare.pdf
2. https://www.infoworld.com/article/3010006/data-security/sorry-it-the-public-cloud-is-more-secure-than-your-data-center.html
3. https://www.nytimes.com/2017/01/23/insider/where-does-cloud-storage-really-reside-and-is-it-secure.html
4. https://www.atlantic.net/cloud-hosting/how-secure-is-the-cloud/
5. https://www.hhs.gov/hipaa/for-professionals/special-topics/cloud-computing/index.html