Tim Brand understands why physicians are moving their protected health information (PHI) to the cloud. Cost savings is the main reason, but it also makes accessing the information easier, said Brand, vice president of the security and resiliency practice at Level 5 Technology Group in Pleasanton, California. The cloud also makes information inaccessible to staff, which can be a good thing. He said about 63% of breaches are physical—caused by a stolen laptop or briefcase or theft by staff.
Putting PHI on the cloud should not be taken lightly, however. Here is what you need to know.
Vetting a vendor
One of the first things to understand about cloud service providers (CSPs) is that none are “HIPAA certified” because the Office for Civil Rights (OCR) has no certification program for CSPs. But you should be looking for vendors who have protocols in place to comply with HIPAA requirements.
First, CSPs have to acknowledge they are a business associate. Mike Semel, president of Las Vegas–based Semel Consulting, said some groups will not do that. If this is the case, then move on.
Next, ask about the providers’ experience with cloud hosting. Just because they say they can handle your information does not make it so. Have them provide you with some references from other healthcare providers they have served.
Finally, here is a list of questions that can give you a pretty good idea of whether or not vendors have their ducks in a row.
- Do they have an annual independent audit of the data center and cloud operations?
- Do they perform a risk analysis? You don’t need to see the whole thing, but ask for their table of contents, which at least shows they have one.
- Are their employees trained in HIPAA compliance?
- Do they have a set of HIPAA policies and procedures in place?
- Do they have a business continuity plan?
- Do they run their own cloud platform or use one like Amazon or IBM? If not, who is their provider and is that contractor HIPAA compliant?
Aside from a business associate agreement, it may be a good idea to fold some HIPAA safeguards into a service level agreement you have with your provider. These can be used to map out things like system availability, data recovery, data retention and disclosure, return of data at the end of a contract, and downtime.
“It levels out the expectations of what you are expecting so you are both on the same page,” Semel said. “And if the CSP won’t sign, you have to ask yourself why not.”
Do not neglect your safety
One of Semel’s clients was told by a cloud service provider that he did not have to worry about HIPAA security in his office because everything was safe in the cloud. This is an incorrect perception, and not the first time he has heard this.
“I always find PHI in the local network—always,” Semel said.
Even if most of your information is stored in the cloud, there are probably e-mails or Word documents on office computers. If a laptop is stolen or the network is unsecured, your computers can be hacked, and a compromised office machine or account gives an attacker a path to the data you keep in the cloud.
You will still need to do a risk assessment, and many experts recommend encryption of PHI. Encryption protects PHI as it is uploaded to and downloaded from the cloud and while it sits there.
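The recommendation to encrypt PHI is easiest to follow when the practice encrypts records itself before they ever leave the office, so the CSP only stores ciphertext and the key stays with the practice. The following is an added example written for this article, not code from any vendor or consultant quoted here; it uses Go's standard-library AES-256-GCM, and the sample record, key, and the `patient/000123/v1` label used as authenticated associated data are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed sample PHI record; not real patient data.
const sampleRecord = "MRN:000123|Name:Jane Doe|Dx:sample diagnosis"

// NewKey returns a fresh random 32-byte key for AES-256. In practice this key
// is generated and held by the practice (or its key manager), never by the CSP.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptRecord seals plaintext with AES-256-GCM. The returned blob is
// nonce || ciphertext || tag, which is the only thing uploaded to the cloud.
// aad (e.g. the object's storage path) is authenticated but not encrypted, so a
// blob copied under another patient's path fails to decrypt.
func EncryptRecord(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per record; GCM nonces must never repeat under one key.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// DecryptRecord reverses EncryptRecord. Any modification of the blob or a
// mismatched aad makes gcm.Open return an error instead of corrupted plaintext.
func DecryptRecord(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob shorter than nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	aad := []byte("patient/000123/v1") // constructed storage label
	blob, err := EncryptRecord(key, []byte(sampleRecord), aad)
	if err != nil {
		panic(err)
	}
	fmt.Printf("uploaded %d bytes of ciphertext\n", len(blob))
	pt, err := DecryptRecord(key, blob, aad)
	fmt.Printf("downloaded: %q (err=%v)\n", pt, err)
	blob[len(blob)-1] ^= 0x01 // simulate corruption or tampering in storage
	_, err = DecryptRecord(key, blob, aad)
	fmt.Printf("tampered blob rejected: %v\n", err != nil)
}
```

The design point is that the CSP never holds the key, so a breach on the provider's side exposes only ciphertext; the same property also makes the key material something the practice's own risk assessment must cover.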
Some providers do what Semel calls reverse backup, where the office receives a copy of data to store. This ensures access to information in case the cloud provider is compromised or you want to switch vendors. This on-site data needs to be secured as well.
Another area to consider is your staff. Even if your information is in the cloud, you must manage user access. Some data should still only be accessed by certain employees under specific conditions. You will also need to watch for employee termination. If a staffer leaves, it is your job to notify the cloud service provider that the staffer should no longer have access to the cloud. Finally, staff should continue to be trained regularly on HIPAA compliance.
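Two of the staff obligations above, limiting which employees can reach which records under which conditions and catching accounts that should have been disabled at termination, can be expressed as checks the practice runs itself rather than trusting the CSP to enforce them. The following is an added example written for this article, not code from any vendor or consultant quoted here; the roles, the care-team condition, and the roster and cloud account lists are constructed assumptions for illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// Role is ordered from least to most privileged.
type Role int

const (
	RoleFrontDesk Role = iota
	RoleNurse
	RolePhysician
)

// Staff is one entry in the practice's own personnel roster (the source of truth).
type Staff struct {
	ID         string
	Role       Role
	Terminated bool
}

// Record describes a cloud-stored item and who may reach it.
type Record struct {
	PatientID string
	MinRole   Role     // minimum role required to open it
	CareTeam  []string // staff IDs assigned to this patient (the "specific condition")
}

// CanAccess decides whether s may open r. Terminated staff are always denied,
// the role floor is enforced, and clinical records additionally require the
// requester to be on the patient's care team (least privilege, not role alone).
func CanAccess(s Staff, r Record) bool {
	if s.Terminated {
		return false
	}
	if s.Role < r.MinRole {
		return false
	}
	if r.MinRole >= RoleNurse {
		for _, id := range r.CareTeam {
			if id == s.ID {
				return true
			}
		}
		return false
	}
	return true
}

// StaleCloudAccounts compares the CSP's list of active logins against the
// practice roster and returns, sorted, every cloud account that belongs to a
// terminated employee or to nobody the practice recognizes. These are the
// accounts the practice must tell the CSP to disable.
func StaleCloudAccounts(roster map[string]Staff, cloudActive []string) []string {
	stale := []string{}
	for _, id := range cloudActive {
		s, ok := roster[id]
		if !ok || s.Terminated {
			stale = append(stale, id)
		}
	}
	sort.Strings(stale)
	return stale
}

func main() {
	// Constructed roster and CSP account list.
	roster := map[string]Staff{
		"alice": {ID: "alice", Role: RolePhysician},
		"bob":   {ID: "bob", Role: RoleNurse, Terminated: true},
		"carol": {ID: "carol", Role: RoleFrontDesk},
	}
	chart := Record{PatientID: "000123", MinRole: RoleNurse, CareTeam: []string{"alice"}}
	fmt.Println("alice opens chart:", CanAccess(roster["alice"], chart))
	fmt.Println("carol opens chart:", CanAccess(roster["carol"], chart))
	fmt.Println("bob (terminated) opens chart:", CanAccess(roster["bob"], chart))
	fmt.Println("disable at CSP:", StaleCloudAccounts(roster, []string{"alice", "bob", "dave"}))
}
```

Running the reconciliation on a schedule, rather than only when someone remembers to e-mail the CSP, turns the termination step into a check with evidence the practice can show during a risk assessment.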
If you are unsure of how to manage your cloud-based data or choose a service provider, it might be wise to bring in an outside consultant to walk you through the process. A consultant can help you set up a plan, prepare questions for potential vendors and create a checklist for what security tasks still fall to you.
“Experts aren’t free, but if you look at what is involved if a data loss occurs, it makes sense to do this right the first time,” Brand said.