(August 14, 2012): Cloud computing is in the process of revolutionizing the way that individuals and businesses store, receive, and use their data. You may have heard about it through companies such as Google, Apple, and Microsoft, all advertising sophisticated cloud computing services. But what are the risks your organization faces with respect to healthcare cloud computing?
I. What is Healthcare Cloud Computing?
Essentially, "healthcare cloud computing" is the process of using various offsite computer and server resources that are delivered to users remotely through the internet. You use a program on your computer to access data, software, and powerful processing resources at a remote location. Because nearly all of the data storage and processing is done remotely, there is less of a need for high-powered, sophisticated computers at a user’s location, meaning individuals and small businesses can access computer tools that had previously only been reserved for the largest of corporations. In fact, a recent survey by Microsoft found that 39% of small business owners were beginning to engage in some sort of cloud-based computing.
II. Risks of Healthcare Cloud Computing:
Reliance on healthcare cloud computing can expose a provider and his / her practice to a variety of very serious risks. Chief among these risks is the potential for a substantial privacy breach. Because data and data systems are maintained offsite, a provider, biller, or facility cannot ensure that the data contained on these remote servers is properly secure. As you know, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) governs the use of Protected Health Information (PHI) through its Security and Privacy Rules. These laws, administered by the Office for Civil Rights (OCR), protect the privacy of individual patients by setting out rules and repercussions concerning the wrongful use or disclosure of PHI. Under HIPAA, and the HITECT Act of 2009, there are 4 tiers of potential penalties a "covered entity" might face for wrongful use or disclosure or a security breach. Notably, nearly every healthcare provider is, at this point, a covered entity.
Despite an awareness that both known and emerging risks are present, many health care providers appear to have resigned themselves to the fact that the unparalleled convenience of healthcare cloud computing more than makes up for the potential dangers faced when using this medium. Notably, many cloud computing services advertise that they are HIPAA compliant or have undergone an SAS 70 Type II audit. Be careful - these audits can greatly vary in terms of their adequacy and sophistication, and may continually fail to meet the standards of HIPAA and HITECH. On top of this, as a health care provider, you are not in a position to ensure that the cloud computing company will continue to meet these standards. In any event, should a breach occur – you will still be on the proverbial "hook" with OCR and its auditing contractors for any breaches that might occur. Your decision to store PHI on a cloud computing server will not alleviate you of your obligation to safeguard patient medical records and personal information. You are ultimately responsible for PHI entrusted to you by your patients, not the cloud service provider. There are a number of technical security concerns that you should understand:
First, how is data stored at the 3rd party site? Is the data of all clients thrown together on one server or on one hard drive, or does each client have a dedicated server? In addition, what if a server has a technical failure? If such an event occurs (as it inevitably will), the 3rd party vendor needs to completely destroy any PHI on their servers and have an available backup to ensure that the data still exists in some form. It is difficult for both you and the 3rd party vendor to guarantee this.
Second, transferring data to and from your "cloud" must be done through a secure channel (that is, "https://"). You need to specifically inquire with a cloud vendor whether a dedicated, secure connection can be established so that the "highway" through which your data passes cannot be accessed by others.
Third, the interface your organization uses to interact with the remote cloud server is at risk for security breaches, and you should ensure that the 3rd party host has developed properly secured interfaces. Again, this can be hard to do.
Finally, and probably most importantly, what about the employees of the remote cloud service? They generally have access to a substantial amount of sensitive data, and you have no ability to train, discipline, or terminate those individuals should wrongdoing occur. As you know, next to the theft of laptops and other mobile electronic devices, curious employees accessing unauthorized PHI is the most common type of breach under HIPAA. Couple that with a 3rd party vendor whose employees over whom you have no control, and it could mean substantial trouble if an individual employee wants to start exploring your patients’ medical records.
As a result of these serious concerns, we strongly recommend that providers continue to use an internal server stored onsite. While it can be more expensive, it’s the only true way to ensure that your patient’s PHI is protected in accordance with HIPAA’s Privacy and Security Rules. In addition, you should consider conducting an internal HIPAA audit of your physical security, administrative safeguards, and electronic transmissions. Importantly, this audit should be done through counsel, so that any concerns may be reasonable covered by the attorney-client privilege.
Robert Liles counsels providers on HIPAA compliance risks, HIPAA breach notification and implementing effective compliance plans. In addition, Robert performs gap analyses and internal reviews, trains healthcare professionals on compliance issues, and represents providers in Medicaid and Medicare post-payment audits and appeals. For a free consultation, call Robert today at: 1 (800) 475-1906.