HIPAA-Compliant Cloud Storage
Cloud storage solutions for advanced healthcare needs
Healthcare profitability requires managing large amounts of data to make accurate decisions while remaining compliant. How can organizations address issues around patient data portability, communication, privacy, and compliance? Healthcare is under pressure from an aging population, and the cost of care continues to outpace inflation. Providers struggle to communicate and coordinate patient care, and there are issues with accessibility, interoperability, and privacy permissions when collecting and storing patient data.
In addition to the aforementioned drivers for change exerting pressure on healthcare, big data is a significant factor in healthcare’s growth and change. The use of machine learning and artificial intelligence is driving the aggregation of data from multiple sources, and the use of telemetry systems is pushing the limits of storage capabilities. Decisions about whether to use cloud storage are complicated by concerns about security, compliance, responsiveness, and cost savings.
Healthcare CFOs in hospitals, imaging centers, surgical centers, and more are under unrelenting demands to reduce costs as profit margins continue to narrow. Medical directors must ensure better patient care, personalized to each patient and with individual information immediately accessible per HIPAA guidelines. The IT Manager must keep all of this electronic protected health information (ePHI) secure. Operations managers face competitors who use sleek marketing campaigns to boast of increased inpatient flow and operability targets. How can a single facility not just face these challenges, but also overcome them?
Background of HIPAA
The Health Insurance Portability and Accountability Act (HIPAA), signed into law in 1996, aims to improve the portability and accountability of health insurance coverage while establishing privacy and security guidelines. The HIPAA Privacy Rule, published in 2002, ensures that individuals’ health information is properly protected while allowing the flow of health information needed for high-quality care. Health plans, providers, and even contractors must meet these privacy requirements. The need for HIPAA compliance encouraged digitization of healthcare records, as outlined in the HITECH Act of 2009, which led to the Meaningful Use incentive program.
Healthcare providers who receive Medicare and Medicaid incentive payments must meet specific meaningful use requirements, including:
- Security risk analysis of protected patient health information
- Electronic prescribing
- Clinical decision support
- Patient electronic access to health information
- Increased patient engagement with their electronic records
- Participation in the health information exchange
- Actively reporting to public health and clinical data registries
Central to these criteria was the introduction of electronic health records (EHR). While today’s digital records mostly replace bulky files in physical storage, they do still have storage demands that can tax infrastructures and budgets. Patient data can encompass decades, contain information from multiple providers, and hold hundreds of imaging sequences from a single appointment.
The growth of medical record data is astronomical. In fact, some estimates put the growth in data storage needs at 40% annually. Dealing with this level of electronic data is an enormous challenge, and once the privacy conditions required for HIPAA compliance are considered, the complexity of maintaining responsive yet secure storage intensifies.
The need for storage and associated costs
Rising IT infrastructure costs are one more hurdle to managing data demands and privacy requirements. Hardware, software, and networks need regular updating and upgrading. Computers, mobile devices, medical devices, telemetry tools and other connected devices do more than produce data — they consume large amounts of bandwidth. Remote management programs and licensing fees for ubiquitous tools such as Microsoft Office and Adobe, not to mention vendor-specific applications, add to the bottom line. How does one decide how to best distribute limited funds in an environment with so many competing priorities?
Healthcare IT administrators not only have to worry about infrastructure costs, but also the potential cost of data loss. Natural disasters such as earthquakes, hurricanes, tornadoes, and fires can destroy servers holding digital health records. Unfortunately, the frequency and intensity of these kinds of disasters are increasing, according to climate data. Catastrophic floods from intense precipitation, river flooding, and coastal storm surge pose a significant risk to on-site servers that may not be designed to withstand such events.
Security breaches also pose a significant risk to electronic health records, and the healthcare industry faces the highest data breach costs of any industry. Roughly half of data breaches occur due to human error or system glitches, while the other half stem from malicious intent or criminal activity. Recovering from all types of data breaches, including hacking and ransomware attacks, can be expensive. Healthcare organizations also risk losing customer trust: patients leave for another business following a breach, producing a churn rate of 6.7%, nearly twice the average of all other industries. In the “value-based” healthcare model, providers must demonstrate positive outcomes over time, and if patients lose confidence in data security, there will be no viable way to measure progress.
Key Points
- Continually rising IT costs affect everything: hardware, software, bandwidth, and storage.
- Data storage can be lost to natural disasters in the blink of an eye.
- The cost of a data breach in healthcare is far higher than in any other industry, averaging $408 per person.
- Compared to the customers of other businesses, healthcare customers are more likely to take their business elsewhere after a breach.
What is cloud storage?
It seems like everyone is “in the cloud” or “migrating to the cloud” these days, or getting ready to deploy some sort of cloud-based service. But what does “cloud” actually mean? Simply put, cloud computing refers to using on-demand computing services, such as applications, power, and storage, that are stored on servers rather than on your own computer. This means that the information is accessed over the internet when needed, and you might only pay for what you use at that time. When we talk about “cloud storage,” we’re specifically talking about storage that’s located off site.
If you were to walk into a cloud storage facility, you’d see a large room filled with racks of servers and wires running overhead. Some areas might be separated for specific tenants who have purchased a certain amount of servers for their exclusive use. So that’s the physical, non-fluffy look at the cloud.
One purpose of that server farm is to provide Infrastructure-as-a-Service (IaaS). This is where servers and storage, networking, and data centers are managed by the vendor while the client remains in control of applications and operating systems.
Cloud storage is incredibly flexible, but it requires knowledge and skill to truly unlock its potential for maximum benefit. Mismanagement can lead to data loss, causing problems such as wasted money, hampered productivity, and even fines.
However, the opposite is also true. Properly managed healthcare cloud storage can lead to data retention, greater productivity, and cost savings. With secure patient records available at all times, healthcare providers can easily share information with other professionals. Large files can be stored without taking up too much space. Analytics programs can be applied to the data, providing valuable insights into patient throughput and even predicting readmission likelihood. Advancements in artificial intelligence can be utilized to work with flexible storage space, allowing for machine learning programs to decipher previously unusable records. As organizations move toward precision medicine, this will be even more crucial.
Key Points
Cloud storage is off-site storage. When information is needed, it is sent via the internet to the user.
Cloud storage has significant benefits:
- Flexible storage space
- Anywhere accessibility
- Data positioned for analytics
- Organizations prepared for future data-heavy healthcare developments
Well-managed healthcare cloud storage leads to data retention, greater productivity, and financial savings.
What are the main features of cloud storage?
- Flexible capacity: Healthcare data is expanding at almost 50% annually. The sheer amount of data can be overwhelming for healthcare organizations, but cloud storage provides scalability and the ability to leverage the data for greater power. With cloud storage, there's no need to worry about managing vast amounts of patient information.
- "Anywhere" accessibility: In the past, patient data was stored on site, limiting access to specific machines or local networks. However, cloud technology has revolutionized healthcare data storage, enabling providers to access EHRs from anywhere and using any device. This allows for real-time collaboration among specialists and teams of doctors across an organization, even from remote locations. Cloud storage also supports vendor-neutral DICOM image file transfer, avoiding file transfer readability issues.
- File versioning, archiving, & auto-sync: Automatic syncing allows patient information to be quickly accessible, enabling patients to use their data to make informed health decisions and ensuring HIPAA compliance. Versioning safeguards patient data in case of corruption or deletion. Cloud storage offers archiving of old files, compressing and storing them securely for future retrieval if necessary, while reducing costs.
- Redundancy: Many cloud storage plans offer options to store duplicate data in separate locations, where they can be preserved should natural disaster, fire, or attack affect one area. This ensures that downtime is minimized should the unfortunate occur. Data centers are geographically dispersed, so that regional events do not impact all locations.
- Encryption: Under HIPAA, ePHI must be encrypted both before uploading and while in transit. While it's not a HIPAA requirement, it is a good practice to encrypt data at rest. Cloud storage is neutral to the encryption used, whether it's AES-128, 192, or 256.
Healthcare cloud storage options
On-Premises
This is the most primitive version of the "cloud." It uses a company's own servers or other hardware on location to store data and provide cloud-based software. In that, it is not IaaS but rather part of a strategy for deploying SaaS. It is not generally scalable nor does it offer other qualities that one associates with cloud storage. Do not confuse on-premises storage with private cloud storage, which is discussed below.
Hybrid Cloud
Hybrid cloud combines different cloud components, and can refer to a mix of private and public clouds or the use of multiple public cloud providers. In a private cloud, an organization manages all system elements, whereas a public cloud provider manages and maintains the infrastructure. A company may choose to keep some information on its own data center while migrating other data to a public cloud vendor. Hybrid cloud can also be used as a double-failsafe for critical data or as part of the merger-acquisition process.
Private Cloud
A private pure cloud is an arrangement in which an organization hires a cloud hosting company to exclusively manage all of their data. Rather than sharing a bank of servers with other clients, the organization rents or purchases tenancy in a data center with a guarantee that there will be no other clients using the dedicated servers, even if they are currently unused. In this setup, the organization purchases the entire capacity of the system up front and pays for it even when not in use. The benefits include having the hosting company manage and maintain the system, as well as physical and cybersecurity provided by the larger data center protecting the organization's private servers.
Public Cloud
Public pure cloud is a cloud storage model where a provider manages facilities that are shared among multiple clients. Clients can easily scale up or down their storage, computational power, and applications based on their needs, without paying for more than what is being used. This model offers agility, economies of scale, and lower upfront investment compared to private cloud models. It also provides reliability by distributing resources across multiple data centers, ensuring continuous access to information even if one location experiences issues. For healthcare organizations, reliability is crucial to ensure patient access and HIPAA compliance.
Healthcare compliance requirements and cloud storage security
Entities handling health data fall into different categories: healthcare provider, healthcare plan, and healthcare clearinghouse are all covered providers. A cloud storage provider is a business associate and must meet HIPAA privacy and security requirements. Both parties must sign a business associate agreement (BAA) agreeing to the terms of data exchange and possession. Cloud storage providers must also adhere to compliance guidelines for individual hospital practices and private insurers.
Physical Security
While securing ePHI in a cloud setting is different from that in a clinical environment, cloud storage providers still provide a high level of security for all client data. Facilities are structurally sound and equipped with automatic power backups to protect against weather events. Guards staff entrance points, and identification is required for access. Servers are locked with keycard IDs and limited permissions, and private pure cloud areas are isolated with fencing and additional locks. Manned security cameras record the entire setting, making healthcare cloud storage likely more physically secure than on-premises storage.
Cybersecurity
Healthcare providers should encrypt data before it leaves their offices and while it is in transit, which is one of the most vulnerable stages in any data exchange. Healthcare data should also be encrypted while at rest, as it is sensitive, regulated, and protected information. Regardless of the encryption type, the healthcare organization should possess the private key without any backdoors for the cloud storage provider. A comprehensive security plan should include intrusion detection and prevention systems (IDPS) with signature-based and anomaly-based intrusion detection capabilities and automated response features, technical personnel on staff, and cloud access security broker (CASB) compatibility.
Insurer Compliance
Health insurance companies, as covered entities, need to ensure HIPAA compliance of any data they handle. Verifying patient data security is crucial for them to avoid legal action for insufficient ePHI protection since most healthcare providers accept private insurance. Insurance companies must meet both compliance and security obligations, including eligibility for cyber liability insurance, to avoid civil and federal penalties. Note that each insurance company may have unique compliance and security requirements that must be examined individually.
HIPAA-Compliant Cloud Storage
HIPAA has two sets of rules: the Physical Rule, which pertains to all protected health information, and the Security Rule, which pertains only to electronic protected health information. The federal government declared that a cloud service provider is "directly liable for failing to safeguard ePHI in accordance with the HIPAA Security Rule and for impermissible uses or disclosures of the PHI." In a nutshell, the Security Rule requires that business associates (BAs):
- Ensure confidentiality, integrity, and accessibility of ePHI
- Protect against reasonably anticipated threats or hazards to ePHI
- Protect against reasonably anticipated losses or disclosures of ePHI
- Ensure compliance by its workforce
As part of the Security Rule, HIPAA requires BAs to establish and maintain administrative, physical, and technical safeguards. These safeguards call for access processes and workforce training for compliance, a physically secure environment, and access authentication together with transmission security and controls. The HIPAA Security Rule has over 70 combined standards and implementation specifications, so describing each of them in depth is beyond the scope of this document. However, interested readers can delve deeper by reading some of the many government publications that address this issue.
FedRAMP
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that standardizes security assessment, authorization, and continuous monitoring for cloud products and services, with the goal of providing a uniform set of risk assessments for every federal agency that uses cloud storage. By having a set of standards for security controls, government agencies can use an authorized list of FedRAMP providers instead of having to evaluate each cloud storage provider's security protocols individually. FedRAMP compliance is a rigorous process that demands collaboration with a federal agency, annual certifications, review by a third-party authorization organization, and extensive documentation of facilities, processes, and procedures, including proof of contingency plans. HIPAA and FedRAMP compliance demonstrates a provider's commitment to high standards of service and operational excellence.
Key Points
- A cloud service provider is a business associate under HIPAA and is required to follow privacy and security rules for safeguarding ePHI.
- Physical security is provided through limited human access and comprehensive structural design.
- Cybersecurity is accounted for with required encryption, IDPS, and possibly a CASB for additional gateway protection.
- Private insurers also strive to safeguard ePHI and may have different or additional security requirements.
- HIPAA-compliant cloud storage must meet many requirements to protect the confidentiality, integrity, and access of ePHI.
- FedRAMP is a federal initiative to streamline the process of government agencies moving to the cloud. In order to become an authorized FedRAMP cloud service provider, an organization has to go through a thorough vetting process.
What to look for in a HIPAA-compliant cloud storage provider
HIPAA-compliant cloud storage business relationships begin with a business associate agreement (BAA), but also should have a service level agreement (SLA) that outlines specific responsibilities. According to hhs.gov, SLAs can include provisions that address such HIPAA concerns as:
- System availability and reliability
- Backup and data recovery
- Manner in which data will be returned to the customer after service use termination
- Security responsibility
- Use, retention, and disclosure limitations
Questions to ask a prospective cloud storage provider include:
- How old is the data center hardware and the software used to manage it?
- How much downtime, if any, is anticipated during the transition period?
- What preventive measures have the provider taken to avoid separation failure (when data from different tenants is inadvertently stored together)?
- How does the cloud service provider prove data deletion?
- Are the cloud storage facilities staffed 24/7 with technical and security personnel?
- Will they share their audits, especially regarding security and financials? Sharing financials can prove stability and display both transparency and sustainability. Performing regular audits is part of being HIPAA-compliant.
- Have they ever had a security breach? How was it handled, and what have they done to prevent future breaches?
- What kind of background checks are performed on employees? Do employees receive continuing education on best practices in cloud storage and compliance issues? As a potential HIPAA business associate, employee training is a mandated element of compliance.
- What is their HIPAA disaster recovery plan? If they don’t have one, consider finding a cloud storage provider with more experience in healthcare data storage.
- There are certifications for almost everything under the sun. What certifications does the cloud storage provider have, and what do they mean? Perform due diligence here.
How do you know it's time to consider HIPAA-compliant cloud storage?
- You anticipate running out of data storage with your current facilities.
- You have legacy systems nearing end of life and need to determine next steps.
- Budget overruns leave you scratching your head to find more economical tech alternatives.
- Security concerns have led you to reevaluate current norms.
- You have interoperability conflicts and need a vendor-neutral storage solution.
- File uploads are s-l-o-w and work quality and efficiency are suffering, not to mention the heat tickets.
- You have realized you do not adequately meet the network diversity requirements of HIPAA.
- Imaging file quality is suffering, and your DICOM provider is requesting an upgrade.
- You understand the pivotal role that AI and machine learning will play in future healthcare and want to position your organization to take advantage of the latest advances.
- You are finding it difficult to staff positions with individuals who are highly competent in data management, network administration, and security protocols, and who can solve complex, interconnected healthcare technical problems.