HIPAA and the Cloud: Five Questions Medical IT Teams Should Ask to Ensure Data Security and Compliance
In healthcare, providers must protect the huge volumes of private patient data they transmit and store every day. A series of regulations, most notably the Health Insurance Portability and Accountability Act (HIPAA), holds providers to high standards, and the ongoing conversion to electronic health records (EHR) further increases the demands on IT resources.
Achieving such compliance can be burdensome for practitioners, who specialize in treating patients, not managing IT.
In anticipation of the move to electronic records, many small and mid-sized healthcare providers are turning to cloud computing as a practical way to tackle complex technology issues. By outsourcing IT infrastructure management, providers can free up resources to focus on patients instead of equipment. In addition, a cloud provider can deliver independently audited security controls that are often difficult for a small hospital or practice to achieve on its own.
Before approaching a cloud services provider, healthcare providers should ask several questions to determine if they are taking the right steps to fully reap the benefits of the cloud.
Has the Provider Passed a SOC Audit?
A SOC 2 (Service Organization Controls 2) report, issued by an independent auditor against the AICPA Trust Services Criteria (security, availability, processing integrity, confidentiality and privacy), is the most widely used attestation of the controls in a cloud service provider’s data center. A SOC 3 report is a general-use summary of the same audit that omits the detailed control descriptions and test results.
By producing a SOC 2 report, a provider can show that its data center has undergone an in-depth audit of its controls over systems and services, including infrastructure, software, personnel, procedures and data. Ask for a Type II report rather than a Type I: a Type I report only confirms that controls were suitably designed at a point in time, whereas a Type II report tests that they operated effectively over a review period, typically six to twelve months. Also check the report’s scope (which services and locations it covers) and its date. Note that a SOC report is not HIPAA certification; before a cloud provider stores or processes protected health information, HIPAA requires it to sign a Business Associate Agreement (BAA) with the healthcare provider.
What Safety Measures Does the Data Center Employ?
Critical data center elements to look for include:
- Intrusion prevention systems
- Data access controls
- Reinforced physical security at all data center entry points
- Enterprise and private firewalls
- Third-party antivirus monitoring
- A network diagram detailing the data center topology
Beyond demonstrating infrastructure compliance, the cloud provider should give you access to its chief security officer, or someone in a comparable role, who is well-versed in all areas of security and can describe the provider’s processes in detail.
How Secure is the Infrastructure?
During any cloud security evaluation, the health and maintenance of the underlying IT infrastructure is a good starting point. Cloud service providers can support the secure storage and processing of data in many ways, including:
- Configuring servers according to documented hardening baselines (for example, CIS Benchmarks), and sourcing hardware and software from established, supported vendors
- Installing operating systems and handling patch management, with defined timelines for applying security updates
- Offering round-the-clock server and network monitoring, with logs retained for incident investigation
- Maintaining certified engineers and security professionals on staff
How is Data Managed?
Establishing roles and responsibilities upfront is essential for developing and maintaining a solid relationship with a cloud provider. Although the data is kept in the cloud provider’s data center, the contract should state explicitly that the healthcare provider retains ownership of the information. In turn, the cloud provider should be open about how it controls access to the facility, the operating systems and the data, including which of its staff can access patient records and how that access is logged and reviewed.
Additionally, healthcare providers should verify how their data is destroyed and removed at the end of the contract or when storage media are retired, and ensure that media are sanitized or physically destroyed under a documented process (for example, following NIST SP 800-88 media sanitization guidelines) with a certificate of destruction supplied on request.
What is Included in the Provider’s Service Level Agreement?
Server outages can interfere with data access, causing significant bottlenecks in processing electronic health records. While no provider can guarantee that equipment will never fail, its cloud platform should be resilient and built to recover quickly and predictably when it does.
Medical teams should ask the cloud provider for its Service Level Agreement (SLA) and read the fine print. The SLA should state measurable commitments for the provider’s physical infrastructure, hardware and network components: availability targets, recovery time and recovery point objectives, backup frequency and retention, incident and security breach notification timelines, and the remedies that apply when a target is missed.
The transition to electronic health records only reinforces the importance of carefully selecting a cloud technology ally. While the healthcare provider remains ultimately responsible for regulatory compliance, a cloud provider that can demonstrate its security controls makes that job considerably easier.