Cloud Storage Solution for Advanced Healthcare

When it comes to healthcare, profitability goes hand in hand with managing the explosion of data required to make accurate decisions while remaining compliant. How can organizations address issues around patient data portability, information transmissibility, communication between providers, privacy and security, and compliance? When constraints around trust and adoption of new procedures are likely, how can one area justify change that will ripple through an organization, creating new procedures and affecting the routines of front line providers?

Healthcare is in a state of flux, pressured by an aging population that requires increased care resources. Lifestyle choices of the past have come to reckoning today, while organizations work to educate and persuade patients to modify their behavior through wellness programs. In most developed nations the cost of care continues to outpace inflation. Health care providers struggle to communicate across disciplines and across organizational lines in attempts to coordinate patient care. Meanwhile, large amounts of patient data are collected and stored, left to languish in servers hither and yon, unable to be accessed by databases structured to only hold specific information. Compliance issues confound accessibility efforts, there is a lack of interoperability between applications, and a maze of privacy permissions to navigate.

In addition to the aforementioned drivers for change exerting pressure on healthcare, big data permeates all discussions of growth and change .

Organizations respond when they have to, when the discomfort becomes great enough to
motivate trying something different.

The ability to aggregate data from multiple sources is one factor for change, pushed by development and adoption of machine learning and artificial intelligence within the healthcare sphere. Telemetry systems strain the capabilities of site based storage. Decisions around the suitability of cloud storage, the security of it, questions around compliance and responsiveness of cloud storage in light of possible cost savings add elements of possibility and uncertainty.

Healthcare CFOs in hospitals, imaging centers, surgical centers, and more are under unrelenting demands to reduce costs as profit margins continue to narrow. Medical directors must ensure better patient care, personalized to each patient and with individual information immediately accessible per HIPAA guidelines. The IT Manager must keep all of this electronic protected health information (ePHI) secure. Operations managers face competitors who use sleek marketing campaigns to boast of increased inpatient flow and met operability targets. How can a single facility not just meet these challenges, but exceed them?

Background on HIPAA

The Healthcare Insurance and Portability and Accountability Act (HIPAA) was signed into law in 1996 with the intent to "improve the portability and accountability of health insurance coverage". Further developments established privacy and security guidelines. After a period of revision and comment, the HIPAA "Privacy Rule" was published in 2002. According to, this critical element of the Act is meant to, "assure that individuals' health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and well being." Health plans, health care providers, digital clearinghouses, and even business associates and contractors such as billing, claims processing, and data analysis companies are responsible for meeting these privacy requirements.

The requirements to comply with HIPAA became an impetus to digitize healthcare records, as outlined in the Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009, which then lead to the Meaningful Use incentive program.

Healthcare providers who receive Medicare and Medicaid incentive payments must meet specific meaningful
use requirements, including:
  • security risk analysis of protected patient health information
  • electronic prescribing
  • clinical decision support
  • patient electronic access to health information
  • increased patient engagement with their electronic records
  • participation in the health information exchange
  • actively reporting to public health and clinical data registries

Central to these criteria was the establishment of electronic health records (EHR). While today's digital records mostly replace bulky files in physical storage, they do still have storage demands that can tax infrastructures and budgets. Patient data can encompass decades, contain information from multiple providers, and hold hundreds of imaging sequences from a single appointment.

The growth of medical record data is astronomical. In fact, some estimates put a 40% growth on data storage needs annually. Dealing with this level of electronic data is an enormous challenge, but when one considers the privacy conditions to be compliant with HIPAA, the complexity of maintaining responsive yet secure storage intensifies.

The Need for Storage and Associated Costs

Rising IT infrastructure costs are one more hurdle to managing data demands and privacy requirements. Hardware, software, and networks need regular updating and upgrading. Computers, mobile devices, medical devices, telemetry tools and other connected devices do more than produce data-- they are greedy for limited bandwidth. Remote management programs and licensing fees for ubiquitous tools like Microsoft Office and Adobe, not to mention vendor specific applications, add to the bottom line. How does one decide how to best distribute limited funds in an environment with so many competing priorities?

In addition to addressing infrastructure cost considerations, healthcare IT administrators also need to consider the potential cost of data loss. Severe weather events such as earthquakes, hurricanes, tornadoes, and fires can destroy servers holding digital health records. Unfortunately, climate data shows an increase in frequency and intensity of these kinds of disasters.

Catastrophic floods due to intense precipitation, river flooding, and coastal storm surge especially threaten to immerse on-site servers that have not been designed to cope with natural disasters.

Security breaches also threaten electronic health records. About half of data breaches are the result of human error and system glitches. The other half of breaches are rooted in malicious intent or criminal behavior. The cost for all types of data breaches is steep, and for no industry as high as healthcare. In fact, the 2018 Cost of Data Breach Study ranks each industry's cost per breach. Healthcare sits at the top of the list, at $408 per person--almost twice the next highest, finance.

All breaches, including hacking and ransomware attacks, make recovery costly indeed. Churn, when customers leave a business for another one, is most noted post attack in healthcare, leading at 6.7%, almost twice the average of all other industries. This shows that customers must trust that their healthcare data is protected, and if they believe otherwise, they will take their business elsewhere. Given the "value based" model beginning to dominate healthcare today, providers must be equipped to prove positive outcomes over time. Should patients leave because of lack of trust, there will be no viable timeline to measure progress.

Key Points

  • Continually rising IT costs affect everything: hardware, software, bandwidth, and storage.
  • Data storage can be lost to natural disaster in the blink of an eye.
  • The cost of a healthcare data breach is far more expensive than in any other industry, averaging $408 per person.
  • Compared to other businesses, healthcare customers are more likely to take their business elsewhere after a breach.

What is Cloud Storage?

Cloud storage has been a much bandied about term, but as such, it is also shrouded in misconception to the point of being a buzzword. After all, isn't everyone "in the cloud" and "migrating to the cloud", or getting ready to deploy a cloud-based XaaS?

First, what exactly is meant by cloud? Cloud computing simply means using on-demand computing services. This can include applications, power, and storage, among other things. These are stored in servers, not on the user's computer and generally not on site. The information travels via the Internet to the user, who has access to it when needed, sometimes only paying for what is used at that time. Specifically, cloud storage refers to off-site storage. When a person walks into a cloud storage facility, after noticing the solid structure around it and getting through security, they would see a large room full of stacks of servers and banded wires running overhead. Some areas may be separated from the rest, as a particular tenant may have bought a set amount of servers for their exclusive use. That's the physical, definitely not fluffy, literal look at the cloud.

One purpose of that server farm is to provide Infrastructure as a Service (IaaS). This is where servers and storage, networking, and data centers are managed by the vendor. The client remains in control of applications and operating systems.

Because cloud storage offers a large amount of flexibility, it takes knowledge and skill to harness its potential for the greatest advantage. If the process is mismanaged, there is risk of data loss, which leads to hampered productivity, wasted money and even fines.

But the converse is also true. When well managed, healthcare cloud storage can ensure data retention, lead to greater productivity, and save money. Health care providers can access secure patient records at any time and share pertinent information with other professionals. Large files are stored without worry of taking up too much space. Data is positioned for the application of analytics programs that can lend insight to everything from patient throughput to predicting readmission likelihood. Advances in artificial intelligence, now widespread in radiology but expected to affect other medical disciplines, can be run on flexible storage space as needed. Machine learning programs that can decipher dark data, useful but previously unusable records because of data readability issues or mistaken beliefs that they were unimportant elements of a patient's record, will be able to work on "smart" EHRs as organizations move toward precision medicine.

Telemedicine, still in its infancy, is anticipated to grow annually by almost 20% over the next five years. All of those appointments will be digitally recorded and will need to be stored. Cloud storage will be necessary for future adaptation to healthcare developments.

But how can healthcare cloud storage make an immediate difference in a company's operation? Washington Heights Imaging, a large imaging provider for the greater New York area, used a legacy picture archiving and communication system (PACS) that was slow and did not have a user-friendly interface, providing a substandard overall user experience that hampered efficiency and productivity. When they moved to cloud storage, clients received improved turnaround speeds and ease of use. Patient results were automatically incorporated into their EHR so that doctors did not have to manually add radiology reports. DICOM files could be shared and accessed by various providers, and easily read on their existing radiology applications. Through a series of cascading organizational and technical changes made possible by cloud storage, IT costs were reduced by over half. The transition to cloud storage was seamless, and data redundancy in two separate data centers means that their records are secure from disaster or hacking attempts. And finally, because of greater client satisfaction and EHR interoperability, more doctors are referring patients there for imaging.

Key Points

  • Cloud storage is off-site storage. When information is needed, it is sent via the internet to the user.
  • Cloud storage has significant benefits:
    • Flexible storage space
    • Anywhere accessibility
    • Data positioned for analytics
    • Organizations prepared for future data-heavy healthcare developments
  • Well managed healthcare cloud storage leads to data retention, greater productivity, and financial savings.

What are the main features and functionality
imperative to cloud storage?

Cloud storage offers many possibilities and is able to be customized to a company's needs. There are, however, a few core features that all uses will have in common:
  • Flexible capacity According to the EMC Digital Universe report, healthcare data is growing at almost 50% per year. In 2013, all healthcare data combined was 153 exabytes. By 2020, the prediction is that there will be 2,314 exabytes. As a visual, imagine loaded tablets filling over 11 one thousand bed hospitals. Each health care organization contributes to that, and it can seem as if individuals are powerless under a deluge of data. Cloud storage offers a way to harness that deluge for power. The scalability inherent in cloud storage means that one does not need to fret about what to do with all of that patient information.
  • "Anywhere" Accessibility At one time, all of a patient's data was stored in files on site. A provider could access data when on certain machines or when logged into local networks. Now, through the power of the cloud, healthcare providers can pull up an EHR wherever they are, using whatever device they choose. This means that specialists can be consulted with in emergencies and offer valuable input based on records they see in real time. Teams of doctors spread throughout an organization can collaborate over files, even from home. Also, because cloud storage is vendor neutral, DICOM image files can be transmitted to users on various applications and not limited by file transfer readability issues.
  • File versioning, archiving, auto synch Automatic synching, when information from providers is automatically loaded into the file, means that patients will have the ability to see their information quickly. Considering that patients own their data and part of HIPAA Meaningful Use is for patients to be able to use their information to make personal health decisions, this feature allows for greater HIPAA compliance. File versioning is a safeguard of patient data, should it be corrupted or deleted. Cloud storage also offers the ability to archive data. Even though most people have a lifetime of health information, in reality it is only the last 18 months that is most often used and of which health care providers need frequent, reliable access. By creating a secure archiving environment, old files can be stored, but compressed and silent, so to speak, unless necessary. This ability to compress old information while maintaining its ability to be retrieved if needed is a cost saving feature of cloud storage.
  • Redundancy Many cloud storage plans offer options to store duplicate data in separate regions, where it can be preserved should natural disaster, fire, or attack affect one area. This ensures that downtime is minimized should the unfortunate occur. Data centers are geographically dispersed, so that regional events do not impact all locations.
  • Encryption Encryption, both before ePHI is uploaded and while it is in transit between locations is a HIPAA requirement. Keeping data at rest encrypted, while not a HIPAA requirement, is considered good practice. Cloud storage is neural to the type of encryption used--AES 128, 192, or 256.

Healthcare Cloud Storage Options

There are a variety of cloud storage options that can be designed to meet the needs of healthcare organizations of any size and budget.


This is the most primitive version of "cloud". It uses a company's own servers or other hardware on location to store data and provide cloud based software. In that, it is not IaaS but rather part of a strategy for deploying SaaS. It is not generally scalable nor does it offer other qualities that one associates with cloud storage. Do not confuse on-premise storage with private cloud storage, which is discussed below.


Hybrid Cloud

Hybrid, at its root, means of mixed components. In this case, there are a few versions of hybrid cloud, and the components vary. Public cloud is where a cloud storage provider manages and maintains the hardware and infrastructure, and deploys it via the internet. This is in contrast to private cloud, in which a single organization or corporation purchases, maintains, and manages every element of the system.
Hybrid cloud can be comprised of a private and public cloud. A company may choose to maintain local control of some information in it's own data center, however large or small that might be. It could also migrate other data to a public cloud vendor, or use a public cloud service to run SaaS and PaaS applications.
Hybrid cloud can also mean using two or more different public cloud service providers. Cloud storage has been widely used for over a decade, and some organizations have legacy systems that "have always been" part of a certain cloud provider's offerings, so the organization has never felt the need to change. Others use multiple clouds as a double-failsafe for critical data, or are in various stages of the merger-acquisition process and have yet to consolidate under one umbrella.

Private Cloud

In this, an organization contracts with a cloud hosting company to privately manage all of their data. Instead of sharing a bank of servers with other clients, a single organization rents or buys tenancy in a data center for its exclusive use and with a guarantee that there will be no other client using those dedicated servers, even ones which currently have no data on them. With a private pure cloud, the entire capacity of the system is purchased up front and paid for even when not in use. Benefits to this setup are that the hosting company still manages the system and maintains it, and that physical and cyber security already in place in the larger data center also guard the organization's private servers.

Public Cloud

Public pure cloud refers to cloud storage that is shared among a cloud storage provider's clients. Facilities are managed by the provider, and clients have the benefits of scaling up or down as needs dictate. Storage, computational power, and applications can be instantly provisioned for each client's individual situation. There is no need to pay for more than is being used, application availability is not limited, and security for all is intact. Being able to take advantage of this agility through economies of scale makes this an attractive model, as is the need for a lower up-front investment as compared to a private cloud model. The public pure cloud is also reliable, since it distributes resources across the entire network of data centers an organization's information is protected even if there is an issue at one location, the others can pick up the network load until the problem is resolved. For healthcare organizations using a public pure cloud, the reliability issue is a major factor in guaranteeing patient access for HIPAA compliance.

Healthcare Compliance Requirements and
Cloud Storage Security

Entities that touch health data fall into different categories: Health Care Provider, Health Care Plan, and Health Care Clearinghouse are all considered Covered Providers. Another category, Business Associate, is "a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity." A cloud storage provider falls under the category of Business Associate, and must meet HIPAA privacy and security requirements under federal law. A Business Associate Agreement (BAA) must be signed where both parties agree to the terms of data exchange and possession. And while individual hospital practices and private insurer compliance requirements do not specifically fall under HIPAA law, cloud storage providers still must adhere to those guidelines that pertain to access to ePHI.
Camera Physical Security
Providing for the physical security of ePHI is admittedly different than accounting for the numerous access points afforded in a clinical setting. So while there is not the same need for secured devices, locked offices, and other such access controls, the cloud storage provider does provide a high level of general security for all client data. Structurally sound facilities provide protection from weather events, and automatic power backups continue to power servers, cooling apparatus, and power dependent security devices such as locks and cameras. Entrance points are staffed by guards, and identification is required as well as a reason for an individual's presence and a guest log with recorded legal ID. Once in, bays of servers are also locked with physical access controlled by keycard IDs with limited permissions. Private pure cloud areas that do not take an entire server bay are isolated with fencing and additional locks. Multiple manned security cameras record the setting. In this respect, healthcare cloud storage is likely more physically secure than private, on-premise examples.
cyber security Cybersecurity
Encryption was briefly mentioned in the section on the features of cloud storage, but cybersecurity is a topic of vital importance that deserves further discussion. Data should be encrypted before leaving the health care provider's office, and should also be encrypted while in transit, which is one of the most vulnerable areas in any information exchange. Healthcare data, even while at rest, should also be encrypted, as it is protected, regulated, and sensitive information. Regardless of the type of encryption used, the private key should be only in the possession of the healthcare organization with no backdoor for the cloud storage provider. Intrusion Detection and Prevention Systems (IDPS) should be in place, with signature-based and anomaly-based intrusion detection capabilities and automated response features. In addition, the facility should be staffed with technical personnel should their intervention be necessary. And finally, the cloud storage platform should provide or be compatible with a Cloud Access Security Broker (CASB). This is a gateway agent that applies additional security measures between cloud storage vendors and cloud storage clients.
Insurer-Compliance Insurer Compliance
Health insurance companies, as Covered Entities, have skin in the game wanting to make sure that any data they touch is HIPAA complaint. Because most health care providers accept private insurance, verifying that the security of data associated with each patient protects the insurance company from possible legal action alleging that they did not appropriately secure ePHI. Insurance companies have compliance and security requirements they have to meet not only as Covered Entities, but also to qualify for Cyber Liability Insurance. Neglecting any aspect of this opens up the insurance company to civil and federal penalties. Individual insurance companies' compliance and security requirements may have differences from HIPAA compliance guidelines, and need to be examined on an individual basis.
hipaa_icon HIPAA Compliant Cloud Storage
HIPAA has two sets of rules: the Physical Rule, which pertains to all protected health information, and the Security Rule, which pertains only to electronic protected health information. The federal government declared that a cloud service provider is "directly liable for failing to safeguard ePHI in accordance with the HIPAA Security Rule and for impermissible uses or disclosures of the PHI." In a nutshell, the Security Rule requires that Business Associates (BA):
  1. Ensure confidentiality, integrity, and accessibility of ePHI
  2. Protect against reasonably anticipated threats or hazards to ePHI
  3. Protect against reasonably anticipated losses or disclosures of ePHI
  4. Ensure compliance by its workforce
As part of the Security Rule, HIPAA requires BAs to establish and maintain administrative, physical, and technical safeguards. These safeguards dictate the creation of access processes and trainings of a workforce to be compliant; toward creating a physical environment of security; and access authentication, and transmission security and controls. The HIPAA Security Rule has over 70 combined standards and implementation specifications, so describing each of them in depth is beyond the scope of this document. However, interested readers can delve deeper by reading some of the many government publications that address this issue.
fedramp_icon FedRAMP
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services ( The purpose behind FedRAMP is to have a standard set of risk assessments for every federal agency that uses cloud storage. The Federal Information Security Management Act of 2002 (FISMA) requires that Federal agencies implement information security controls. This also applies to contractors who manage information systems on behalf of the US government. In a push to utilize cloud capabilities and meet the requirements of FISMA, FedRAMP was created. Part of the intent behind FedRAMP is that by having a set of standards for security controls, government agencies in need of a cloud storage provider could go to a list of authorized FedRAMP providers instead of each agency having to individually evaluate each cloud storage provider's security protocols. This vetted list would save time and money, and hopefully allow agencies to be more productive in their areas of specialization instead of IT Management duties. The FedRAMP compliance process is strenuous, demanding collaboration with a federal agency and a readiness report, application for limited annual certifications, review by a third party authorization organization, and a great deal of documentation around the facility, process and procedures in place, possible use cases, and exhaustive proof of contingency plans. When a cloud service provider is both HIPAA and FedRAMP compliant, they show a dedication to maintaining a high standard of service and operational excellence.

Key Points

  • A cloud service provider is a Business Associate under HIPAA and is required to follow privacy and security rules for safeguarding ePHI.
  • Physical security is provided through limited human access and comprehensive structural design.
  • Cybersecurity is accounted for with required encryption, IDPS, and possibly a CASB for additional gateway protection.
  • Private insurers also strive to safeguard ePHI and may have different or additional security requirements.
  • HIPAA compliant cloud storage must meet many requirements to protect the confidentiality, integrity, and access of ePHI.
  • FedRAMP is a federal initiative to streamline the process of government agencies moving to the cloud. In order to become an authorized FedRAMP cloud service provider an organization has to go through a thorough vetting process.

Closing Thoughts

We live in a data-dependent landscape. Having the tools to store and process the ever increasing amounts of data our lives produce powers our ability to respond to change with agility. This ability comes with responsibilities, legal mandates for storage and use as well as ethical considerations tied to such personal information as healthcare data. Moving beyond talk of compliance and technical conditions, the irony is that all of these 0s and 1s actually open the doors for us to be better humans. Data lends the insight, but we are the ones who can act on what it reveals. Wise use of the massive amount of healthcare data compels us to create a better emergency waiting experience, provide individualized care to rural populations who lack transportation to state of the art facilities, to monitor vital functions from afar and remotely regulate anomalies. This data can be used to train machines to see imagining abnormalities and lead to quicker intervention, can catch genetic resistance to different chemotherapies, or find a previously unknown pharmaceutical therapy.

Practically speaking, all of this data needs storage. Storage that is flexible, scalable, and secure. Reducing costs to hold this data, being able to contribute to better patient outcomes while saving money, and meeting federal healthcare use and storage initiatives are the immediate reasons for selecting reliable and secure HIPAA compliant cloud storage. All of the good things mentioned above are long-term benefits that require long-term storage solutions.

What to Look for in a HIPAA Compliant Cloud Storage Provider

HIPAA compliant cloud storage business relationships begin with a Business Associate Agreement (BAA), but also should have a Service Level Agreement (SLA) that outlines specific responsibilities. According to, SLAs can include provisions that address such HIPAA concerns as:

  • System availability and reliability
  • Backup and data recovery
  • Manner in which data will be returned to the customer after service use termination
  • Security responsibility
  • Use, retention and disclosure limitations

Before reaching the SLA level, organizations considering cloud storage should ask questions and compare different providers. Those questions could include the following:

  1. How old is the data center hardware and the software used to manage it?
  2. How much downtime, if any, is anticipated during the transition period?
  3. What preventive measures have they taken to avoid separation failure (when data from different tenants is inadvertently stored together)?
  4. How does the cloud service provider prove data deletion?
  5. Are the cloud storage facilities staffed 24-7 with technical and security personnel?
  6. Will they share their audits, especially regarding security and financials? Sharing financials can prove stability and display both transparency and sustainability. Performing regular audits is part of being HIPAA compliant.
  7. Have they ever had a security breach? How was it handled, and what have they done to prevent future breaches?
  8. What kind of background checks are performed on employees? Do employees receive continuing education on best practices in cloud storage and compliance issues? As a potential HIPAA business associate, employee training is a mandated element of compliance.
  9. What is their HIPAA Disaster Recovery Plan? If they don't have one, consider finding a cloud storage provider with more experience in healthcare data storage.
  10. There are certifications for almost everything under the sun. What certifications does the potential cloud storage provider have, and what do they mean? Perform due diligence here.

Due diligence in all of these areas is critical. Maintaining the integrity, reliability, and accessibility of patient data is of paramount concern. These questions are a jumping off point to get conversations started, but engaging the expertise of an independent auditing company is worth serious consideration, as they may see areas of potential strength and weakness that are not readily apparent to those without significant experience in managing the cloud migration of highly sensitive information, especially on an enterprise level.

A successful cloud storage migration begins with a thorough analysis of the current and anticipated needs of the healthcare facility and the financial resources for such a change. The organization should ensure that it is HIPAA compliant in how it currently handles data, so that irregularities are not simply being transferred to a new environment. Project managers with enterprise level cloud migration experience will be necessary for a large scale, successful migration.

Because such a migration will affect everyone who touches an organization's ePHI, there needs to be a strong champion with C-level authority and leadership to enact such a change. There will be a ripple effect, and resistance from some is to be expected. Activating a multi-departmental internal change team that can mobilize robust internal PR, marketing, and education initiatives could be an essential element in making a technical transition effective on a system-wide, human level.

How does an organization know it's time to consider HIPAA
compliant cloud storage?

  • You anticipate running out of data storage with your current facilities.
  • You have legacy systems nearing end of life and need to determine next steps.
  • Budget overruns leave you scratching your head to find more economical tech alternatives.
  • Security concerns have led you to reevaluate current norms.
  • You have interoperability conflicts and need a vendor neutral storage solution.
  • File uploads are s-l-o-w and work quality and efficiency is suffering, not to mention the heat tickets
  • You have realized you do not adequately meet network diversity requirements of HIPAA
  • Imaging files quality is suffering, and your DICOM provider is requesting an upgrade
  • You understand the pivotal role that AI and machine learning will play in future healthcare, and want to position your organization to take advantage of the latest advances
  • You are finding it difficult to staff positions with individuals who are highly competent in data management, network administration, security protocols, and who can solve complex, interconnected healthcare technical problems.