What are the challenges of PII data storage and privacy on cloud computing platforms?  How does a healthcare organization work with cloud computing vendors to address key information security and privacy compliance issues?  What are strategies for addressing the HIPAA privacy and security legal requirements and public trust concerns while in the cloud?

One key concern is cloud management.  Private sector hospitals and healthcare organizations face an inherent tension: they must protect data and network credentials from outsiders while permitting access by employees, staff, attending physicians, patients and service providers from many different devices.  How does a healthcare organization manage data duties and obligations among multiple cloud vendors and its own employees/IT?

First, establish best practices within your organization for cloud computing, privacy, compliance and network management and security.   Any cloud vendor should operate in accordance with those best practices for consistency and audit.

Second, select healthcare-experienced data centers and vendors (e.g., Rackspace, GE Health).   You always save money in the long run if you pick vendors who have already addressed healthcare compliance issues in their network design and operations.  Those vendors likewise will have seen your IT problems with their other healthcare customers and will have viable solutions to offer when your organization faces legacy system integration or other compliance issues.

Third, delegate responsibilities for HIPAA and HITECH compliance between cloud vendor and healthcare organization, to the extent legally permitted under applicable law.  Keep in mind that certain responsibilities can be shared between a cloud vendor and a healthcare organization, such as:

ADMINISTRATIVE
  • Security management processes
  • Risk analysis
  • Sanctions for policy breach
  • Information system activity
  • Assigned security officers
  • Security awareness and training
  • Periodic security reminders
  • Malware protection
  • Password management
  • Security incident procedures
  • Periodic evaluations
  • Log-in monitoring
  • Security incident response

PHYSICAL
  • Access controls
  • Disaster recovery
  • ePHI disposal and removal
  • Security plans
  • Records maintenance

TECHNICAL
  • Access controls
  • Automatic log-offs
  • Audit controls for user activity
  • Authentication

Fourth, establish technical safeguards for security at every level of cloud use (including back-up and transmission).  Use of all applications and systems in the cloud should be monitored for any unusual behavior in access to data and use of credentials.

Fifth, initially and regularly assess and test cloud vendor compliance with HIPAA and HITECH requirements (including security threats to data and responsiveness).  Independent audits of cloud vendors can be a useful measure of performance for a healthcare organization's IT manager.  Data center certifications and audit reports (like SSAE 16) also can yield valuable information on a cloud vendor's actual operations.

Sixth, evaluate the security impact of system or application updates for significant vulnerabilities that could expose e-PII data.  Many hackers have exploited weaknesses in commercially available software, servers or network protocols in order to gain entry into an organization's network and access to its data.

Lastly, execute written, commercially reasonable contracts with the cloud vendor and/or update current contracts for compliance with recent HIPAA and HITECH Act regulatory requirements.  These contracts should include both a Business Associate Agreement and a Cloud Services Agreement.  Key clauses for cloud services include:

  • Electronic discovery notices and protection/privilege log prior to law enforcement or subpoena disclosures
  • Regulatory compliance requirements for cloud networking management and infrastructure
  • Cyber rider insurance and indemnification
  • Security breach procedures (i.e. notice, accounting for disclosures)
  • Service Level Commitments (performance standards)
  • Business continuity plans and transition
  • Integration with other organization systems
  • Remote data wipes for servers and devices
  • Security/policy monitoring