Over
the last year, more so with the focus on the Omnibus Rule requirements
coming to a head, I've been hearing a lot of discussion around the how
to when it comes to betting managing these requirements.
When we speak about HIPAA, invariably the two components of data security and data privacy arises.
In the traditional data centers, database managers and data owners know where their data resides and implement the necessary processes to preserve privacy and audit access.
However, when we move to the cloud, the cloud being all about data, we are looking at servers, network, and storage that are abstracted. This raises concern that data owners may not necessarily know where their data sets physically reside and we are looking at Cloud Service Provider (CSP) employees who will be handling confidential patient data or Personally Identifiable Information (PII).
Of importance here is that when it comes to leveraging the cloud ecosystem for healthcare segments, the foremost concerns are around HIPAA and the HITECH Act compliance capabilities and meaningful use provisions.
Most of us within the Healthcare IT world have an understanding of meaningful use.
According to HealthIT.gov
"Meaningful use is the set of standards defined by the Centers for Medicare & Medicaid Services (CMS) Incentive Programs that governs the use of electronic health records and allows eligible providers and hospitals to earn incentive payments by meeting specific criteria."
The goal of meaningful use is to promote the spread of Electronic Health Records (EHR) to improve health care in the United States.
Benefits of meaningful use of EHRs include:
When we speak about HIPAA, invariably the two components of data security and data privacy arises.
In the traditional data centers, database managers and data owners know where their data resides and implement the necessary processes to preserve privacy and audit access.
However, when we move to the cloud, the cloud being all about data, we are looking at servers, network, and storage that are abstracted. This raises concern that data owners may not necessarily know where their data sets physically reside and we are looking at Cloud Service Provider (CSP) employees who will be handling confidential patient data or Personally Identifiable Information (PII).
Of importance here is that when it comes to leveraging the cloud ecosystem for healthcare segments, the foremost concerns are around HIPAA and the HITECH Act compliance capabilities and meaningful use provisions.
Most of us within the Healthcare IT world have an understanding of meaningful use.
According to HealthIT.gov
"Meaningful use is the set of standards defined by the Centers for Medicare & Medicaid Services (CMS) Incentive Programs that governs the use of electronic health records and allows eligible providers and hospitals to earn incentive payments by meeting specific criteria."
The goal of meaningful use is to promote the spread of Electronic Health Records (EHR) to improve health care in the United States.
Benefits of meaningful use of EHRs include:
- Complete and accurate information.
- Better access to information.
- Patient empowerment.
In
the healthcare world, organizations are positioning to attain
meaningful use. This to capture the incentives allocated by the Federal
Government as well as to ensure that reimbursements do not face jeopardy
for providers not in line with the meaningful use provisions.
As healthcare practitioners and organizations increase the use of technology solutions in delivering clinical care, their IT departments are faced with additional stress to provide availability on demand and operate data center approaching 99.999 percent availability. In most cases this is a major challenge that can lead to the risk of unscheduled outages and costly solutions.
What I'm increasingly seeing is a lack of IT Security and Operational resources to monitor, manage and continually assess security within some organizations.
This is no fault of anyone, but rather demand is outpacing supply for skilled ITSec professionals, possessing a good mix of business need understanding, an ITSec track record with automated and manual testing skills, as well as ability to find "new" threats to any one system.
Assuring high availability for healthcare applications, means meeting up-time requirements; and in today's environments will require access to more than one data center for fail-over and continuity or even for managing a DDoS attack be they through dispersed cleaning sites or other traffic management processes. This can significantly impact the overall capital investment in data center infrastructure for healthcare organizations.
Looking to the cloud as a solution is not only the next step in services but will ensure high availability of clinical applications. This will allow a healthcare organization to leverage the expertise and financial stability of an established CSP. Another advantage of leveraging a cloud ecosystem, is that of rapid provisioning and deployment, with the ability to change compute capacity as demand changes.
Thus in the event of failure, server instances can be seamlessly moved to alternate hosts or in anticipation can be clustered to provide redundancy.
Some may ask whether it is risky to transfer data from site to cloud. The answer is no as a majority of organizations move data over the Internet via encryption channels. Where we can see concerns arising is with the hand-off of data into the (CSP) environment.
In a seamless environment all data will have site to site encryption up to and including storage. Where we can see some separation is with healthcare application vendors support.
In the cloud, it is a given that we can have a number of people with access to the physical servers and storage that cloud consumers have no control over. For an IT Security person this will elicit conflicting concerns as on one hand there is the presupposition that complete control is being relinquished which can only be assured with prescriptive precautions defined by a CSP.
The cloud computing ecosystem is still evolving and as such there is still a lack of industry-wide certifications. As we mature within this ecosystem the intent is to drive toward processes, best practices and certifications which would provide legal protection that can reduce the complexities of a long negotiation and complex SLA requirements.
Within a regular data center or even a small IT shop, as an IT Security leader one of my first expectation for any shop is some form of centralized logging with automation. Similarly by transferring such a mindset into the cloud ecosystem (they are after datacenters) any healthcare customer security leaders expect the assurance that detailed reporting is a given.
Having worked on the security strategy and assessment separately for a few cloud computing projects, I have seen first-hand, that access rights was a major focus. In light of this, it is not a complex process to segment solutions for healthcare.
As a result any access to servers and storage dedicated to a healthcare customer by anyone within a CSP organization will be logged and thus can provide the assurance of controls around access.
From a legal perspective, more specifically talking contracts, healthcare customers expect the provisions of strong financial penalties to indemnify against a breech as well as to hold the CSP accountable.
Some CSPs are moving to providing a HIPAA Business Associate Agreement (BAA) for their healthcare customers. The assurance provided by their BAA demonstrates meeting the compliance requirements (enabling the physical, technical, and administrative safeguards required) of the HIPAA and the HITECH Acts.
In closing, I will state that HIPPA compliance and cloud computing do not have to be in conflict. Rather healthcare entities can leverage the benefits of the cloud, coupled with the necessary due diligence and legal contracts to meet their needs
As healthcare practitioners and organizations increase the use of technology solutions in delivering clinical care, their IT departments are faced with additional stress to provide availability on demand and operate data center approaching 99.999 percent availability. In most cases this is a major challenge that can lead to the risk of unscheduled outages and costly solutions.
What I'm increasingly seeing is a lack of IT Security and Operational resources to monitor, manage and continually assess security within some organizations.
This is no fault of anyone, but rather demand is outpacing supply for skilled ITSec professionals, possessing a good mix of business need understanding, an ITSec track record with automated and manual testing skills, as well as ability to find "new" threats to any one system.
Assuring high availability for healthcare applications, means meeting up-time requirements; and in today's environments will require access to more than one data center for fail-over and continuity or even for managing a DDoS attack be they through dispersed cleaning sites or other traffic management processes. This can significantly impact the overall capital investment in data center infrastructure for healthcare organizations.
Looking to the cloud as a solution is not only the next step in services but will ensure high availability of clinical applications. This will allow a healthcare organization to leverage the expertise and financial stability of an established CSP. Another advantage of leveraging a cloud ecosystem, is that of rapid provisioning and deployment, with the ability to change compute capacity as demand changes.
Thus in the event of failure, server instances can be seamlessly moved to alternate hosts or in anticipation can be clustered to provide redundancy.
Some may ask whether it is risky to transfer data from site to cloud. The answer is no as a majority of organizations move data over the Internet via encryption channels. Where we can see concerns arising is with the hand-off of data into the (CSP) environment.
In a seamless environment all data will have site to site encryption up to and including storage. Where we can see some separation is with healthcare application vendors support.
In the cloud, it is a given that we can have a number of people with access to the physical servers and storage that cloud consumers have no control over. For an IT Security person this will elicit conflicting concerns as on one hand there is the presupposition that complete control is being relinquished which can only be assured with prescriptive precautions defined by a CSP.
The cloud computing ecosystem is still evolving and as such there is still a lack of industry-wide certifications. As we mature within this ecosystem the intent is to drive toward processes, best practices and certifications which would provide legal protection that can reduce the complexities of a long negotiation and complex SLA requirements.
Within a regular data center or even a small IT shop, as an IT Security leader one of my first expectation for any shop is some form of centralized logging with automation. Similarly by transferring such a mindset into the cloud ecosystem (they are after datacenters) any healthcare customer security leaders expect the assurance that detailed reporting is a given.
Having worked on the security strategy and assessment separately for a few cloud computing projects, I have seen first-hand, that access rights was a major focus. In light of this, it is not a complex process to segment solutions for healthcare.
As a result any access to servers and storage dedicated to a healthcare customer by anyone within a CSP organization will be logged and thus can provide the assurance of controls around access.
From a legal perspective, more specifically talking contracts, healthcare customers expect the provisions of strong financial penalties to indemnify against a breech as well as to hold the CSP accountable.
Some CSPs are moving to providing a HIPAA Business Associate Agreement (BAA) for their healthcare customers. The assurance provided by their BAA demonstrates meeting the compliance requirements (enabling the physical, technical, and administrative safeguards required) of the HIPAA and the HITECH Acts.
In closing, I will state that HIPPA compliance and cloud computing do not have to be in conflict. Rather healthcare entities can leverage the benefits of the cloud, coupled with the necessary due diligence and legal contracts to meet their needs
