HIPAA AND THE CLOUD: THE CLOUD MAY NOT BE THE ANSWER

What Is HIPAA?

HIPAA, or the Health Insurance Portability and Accountability Act, provides a set of extremely strict standards for securing medical information.  To be certified, a data center must comply with several steps including training, government audits, reporting, and guarantees for data security.  Any breach of these standards could result in hefty fines and penalties.

HIPAA And Cloud Security

These days we hear a lot about “The Cloud”.  Everyone is moving to the Cloud, or so they say.  But what about enterprise organizations where restrictions on data integrity and confidentiality are governed by strict standards?  Standards such as HIPAA make moving to the Cloud very difficult.  An organization would need to guarantee security of their data at every point of data movement.  Any “insecure” connection between data origin and data destination opens the organization to the potential of a data breach, and is therefore a recipe for disaster and violation.

HIPAA And Colocation

There is hope.  Data centers and colocation facilities provide private, caged environments where hospitals and medical organizations store their data for off-site backup, such as hot and cold backup sites.  HIPAA compliant data centers provide these organizations with a guaranteed level of data security and peace of mind.

Data centers provide physical security in terms of access restrictions with locks, man traps, monitoring, video surveillance and fraud detection.  Data centers provide network security through use of firewalls and switch ACLs (access control lists) to protect health data as it is transmitted.  HIPAA compliant data centers are also required by law to report any data breach they detect.  Hospitals, insurance companies, medical billing organizations, and vision/dental/medical care providers are all required by HIPAA to make sure the confidentiality and integrity of their data is protected.

HIPAA Data Concerns

One of the biggest concerns of medical organizations is availability of data.  It would not be a good thing if a patient undergoing treatment is told they cannot be operated on because “the systems are down”.  Data centers use backup power systems such as generators and very large UPS systems to ensure power remains steady during a primary power system blackout.

In the event of a fire, data centers use a variety of fire suppression systems to isolate the source of the fire and immediately suppress the fire through use of chemical and air restriction systems such as FM-200.   A HIPAA compliant data center undergoes an audit for both power and fire suppression systems.

Another HIPAA concern for medical information security is the requirement for constant vulnerability and risk assessment.  Data centers with managed services provide regular vulnerability assessments that give medical organizations up-to-date reports on how vulnerable their systems are to specific threats.  These reports are then used to determine a risk assessment strategy, which allows the medical organization to work with the data center's Managed Services team to mitigate or accept each risk.

  • Make sure the data is never stored off shore. If the data is physically moved out of the country, it may be subject to international laws which may put you out of compliance.
  • Strict physical security measures must be in place to protect your data: all servers should be in cages, with redundant power supplies, retained video surveillance recordings, live security guards, fire suppression systems, and so on.
  • Know where your data is physically stored, the number of copies of the data and if the data has been completely deleted when requested. Many companies use cloud systems for non-private or non-identifiable information.
  • When you delete data in a cloud environment, make sure you also delete the index and overwrite the data blocks. When virtual servers and data are frequently moved around from location to location, this could create a potential security hazard.
  • Under the Patriot Act, the government may make a request to access patient information which is stored on the cloud provider’s server(s). If a gag order is issued to prevent the cloud provider from disclosing a breach, the healthcare provider will not be able to notify the patient that their personal information has been compromised which is required under HIPAA.
  • Under HIPAA, healthcare providers are required to provide patients with information on data handling practices. Unfortunately many cloud providers are hesitant to disclose their internal information security since it might be a violation of the provider’s security practices.

HIPAA Guidelines

HIPAA guidelines state what must be achieved, but not how it is to be achieved.  The Office for Civil Rights enforces HIPAA and describes how HIPAA compliance is to be measured through audit protocols.  These protocols guide how auditors measure HIPAA compliance.  The protocols cover 165 specific points of regulatory compliance: 88 related to the privacy and breach notification rules and 77 related to the security rule.  Within the HIPAA requirements, many points are designated required while others are designated addressable.  To pass an audit, all required elements must be satisfactorily achieved; the addressable requirements are not really optional either, and fall within the law's requirements for anything determined to be Protected Health Information.

HIPAA compliant data centers have technical, physical, and organizational guidelines, restrictions, and safeguards.  But they will also have administrative safeguards such as:

  • Security Incident Procedures
  • Information Access Management
  • Security Awareness and Training
  • Assigned Security Responsibility
  • Workforce Security
  • Business Associate Agreements (for data center Vendors and Consultants)
  • Contingency Plan

With these in mind, there are a few options for keeping costs down.  Some hospitals keep a hot site backup, meaning all medical data moves nearly instantly to another site.  Facilities also use cold site backup where medical data is moved at less frequent intervals such as daily or weekly, depending on how the organization determines risk.

HIPAA Data Backup

HIPAA compliance for hot or even cold backup sites is difficult to achieve, but not impossible.  A direct, private network between the organization’s primary data center facility and their secondary colocation site at a data center ensures medical data is kept private.

How does a medical organization keep data private using the Cloud?  With the solutions offered so far, HIPAA compliance is nearly impossible to achieve.  If a company is offering HIPAA compliant cloud services for medical organizations such as hospitals, medical insurance companies, dental/vision/medical care providers, or extended health facilities, be sure to ask for a HIPAA compliance report.  Chances are, your organization will stick with, or choose to use, data center colocation instead.
 

DataCenterAndColocation, www.DataCenterAndColocation.com, is one of the largest colocation site consulting firms in the United States specializing in hospitals, pharmaceuticals, universities and medical services. They represent approximately 3000 data centers and colocation centers. At no cost to clients, they identify specific space, location, power and security requirements, solicit proposals, professionally analyze the responses, compare the strengths and weaknesses, negotiate pricing and deliver highly competitive bids for colocation. They also perform comparative analysis for in-house vs. design build services, wholesale data center space and data connectivity.