The COVID-19 outbreak has negatively impacted many industries in the United States. However, it has boosted demand for cloud-based offerings, even as approximately 90% of companies use some sort of cloud service. Cloud spending increased 37% to $29 billion during the first quarter in 2020, growth experts predict will continue.
About 75% of enterprises have at least one application or a portion of it in the cloud, while 60% utilize cloud technology to store confidential data. Even the healthcare industry, which has been slow to adopt cloud computing, has been in on the action.
A survey by the Healthcare Information and Management Systems Society (HIMSS) found that an estimated 39% of healthcare information technology workloads are currently deployed in the cloud. A reported 35% of healthcare organizations hold more than 50% of their data or infrastructure in the cloud, and the global healthcare cloud computing market is expect3d to reach $65 billion by the end of 2026.
Why do so many enterprises, including those in healthcare, use cloud services? Several reasons, including limiting downtime and data loss, unlimited backup space, reduced storage and operating costs. Cloud services advantages include:
- reliable disaster recovery
- improved scalability and flexibility
- better use of resources
- remote file sharing
For healthcare providers, cloud computing gives them the enhanced capability to access patient data remotely. They can also share important information on preventative care, medication adherence, and post-hospitalization care plans with patients. It helps them securely maintain IoT devices and telehealth applications, deliver public health services, and promote population health initiatives.
The Cloud equips healthcare providers with a cost-effective method for complying with the Health Insurance Portability and Accountability Act (HIPAA). One of HIPAA’s key goals is to “assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high-quality health care and to protect the public’s health and well-being.”
HIPAA requires any covered entity that creates, receives, or transmits protected health information (PHI) – i.e., healthcare providers, payers, and clearinghouses – to ensure they’re compliant with the Security Rule of HIPAA and its administrative, physical, and technical safeguards. PHI under HIPAA consists of 18 identifiers, such as names, dates, geographic data, social security and account numbers, email addresses, fingerprints, and internet protocol (IP) addresses.
According to Health and Human Services (HHS) HIPAA covered entities can use cloud services to store PHI. But each entity is responsible for assessing security risks and keeping their data secure. This comes with challenges, though.
Covered entities often encounter obstacles in complying, including keeping communication secure, protecting mobile devices, addressing outside threats, and a changing regulatory environment. Other challenges include data breaches and loss, distributed denial of services (DDoS) attacks, and user authentication. Besides malicious attacks, healthcare providers face accidents or errors by employees or contractors or an unintended process error.
Cloud security requires different tools and strategies than traditional IT security. This is because it consists of a highly-connected environment through which traffic can more easily diverge from typical perimeter defenses. It also requires more of a data-centric approach. Providers not able to properly secure their data have a markedly higher risk of a lack of compliance, which costs an average of $14.82 million and can lead to civil or criminal penalties for HIPAA violations.
Recommended Actions for Securing Cloud Data
To keep their HIPAA data safe in the cloud and ensure compliance with specific regulations, healthcare providers need to fully understand how PHI and other data should be stored in the cloud and take necessary precautions. Health care providers are required by the Health Information Technology for Economic and Clinical Health (HITECH) Act to have a Business Associate Agreement (BAA). This is a contract between a covered entity and a business associate (BA). A BAA establishes the permitted and required uses and disclosures of PHI by the BA. The BA will use PHI only as permitted by the contract or required by law, use appropriate safeguards and report any disclosures not permitted by the contract.
Typically, a business associate is a cloud service vendor, a managed service provider (MSP), or another organization that processes patient data. The BAA will also clearly detail the roles and responsibilities of each party involved in the process.
Another important action for healthcare providers interested in realizing the benefits of cloud computing is to choose a reliable cloud service provider (CSP). The provider should conduct in-depth research on its IT systems, operations, and needs and performing a cost-benefit analysis. Providers should have a comprehensive plan in place for their data and select a CSP that grows as they do.
Ensure Data Security in the Cloud
Providers are responsible for ensuring compliance for their own data. Even if they employ the services of a CSP with qualifications to do so. They should confirm their CSP meets all their HIPAA protocols and follows regulations on who can access their ePHI. The CSP must also possess up-to-date certifications for encryption levels and System and Organization Controls (SOC) auditing and reporting. The shared responsibility for the security of the data should be clearly defined to avoid any confusion.
Providers should ensure the service level agreement (SLA) they have with a cloud service provider includes specific information on how the CSP proactively meets cloud compliance requirements. HIPAA requires data stored on a hard drive is encrypted and accounted for 24/7. Therefore, providers should also verify that data handled by the CSP is properly encrypted.
A best practice to enhance cloud computing security are detailed and documented policies and procedures for achieving compliance. Even though their selected CSP has similar guidelines, a health provider should have their own. Devising and maintaining a cybersecurity response plan limits damage. It reduces recovery time and costs if a provider is the victim of cybercrime through a cloud breach.
The cloud-based RingRX platform was designed with strict security standards, meaning patient data is never at risk. We encrypt data to prevent unauthorized breaches and provide our clients with BAA at the start of their service. Check out our guide to HIPAA compliance, and contact us to learn more about how we can ensure your patient data is secure, letting you focus on your most essential task: patient care.