Healthcare IT is becoming more comfortable with using the cloud to meet accelerating demands on its services. As we heard from Faith Regional Hospital in their recent webinar, using a HIPAA compliant cloud storage provider was the only way they felt they could cost-effectively store, protect, and manage the explosion of patient data such as PACS images.
However, the notion that patient data will reside in a public cloud raises IT concerns about HIPAA compliance and unauthorized access. And well it should. Personal cloud storage providers such as Box and Dropbox have made it too easy for doctors and nurses to move data to and from their mobile and BYOD devices. IT is left scrambling, knowing that HIPAA requirements for security, access control, tracking access, encryption, backup and disaster recovery may not be adhered to.
If you’re in healthcare IT and you want to offer HIPAA compliant cloud storage to leverage cloud scalability and economics, here are four questions you should ask your cloud provider.
1. Is the data being encrypted “in flight” and “at rest”, and if so, by whom?
Encryption is one of the HIPAA Security Rule's addressable safeguards, and in practice it is the control that keeps a lost drive or an intercepted transfer from becoming a reportable breach: under the HHS breach notification guidance, PHI that was encrypted to the referenced NIST standards is not treated as "unsecured". Patient data should therefore be encrypted both while it moves between your site and the cloud (TLS on the transport) and while it sits in the provider's storage. Equally important is who controls that encryption. Control should stay with you, the healthcare provider, not with the storage vendor or the cloud platform: a HIPAA compliant cloud storage provider should be able to assure you that at no point can it decipher the data passing through or stored on its systems, even if its own software performs the encryption. The question to press on is who generates the encryption keys, where they are stored, and whether the provider ever holds them in a usable form. If the vendor can decrypt your data for its own convenience (search, deduplication, support), then so can anyone who compromises or compels the vendor.
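The following Go program is an added illustration of the key-possession point above; it is not code from the original post or from any vendor named on this page. It models client-side envelope encryption: each file gets a fresh data key, that key is wrapped under a key-encryption key (KEK) that stays with the hospital, and only the wrapped key plus AES-GCM ciphertext is handed to storage. The helper names (`Seal`, `Open`, `GenerateKEK`, `ProviderSeesPlaintext`), the object path and the sample patient record are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EncryptedObject is the only thing the storage provider ever receives:
// a per-object data key wrapped under the customer's KEK plus AES-GCM
// ciphertext of the file. It contains neither plaintext nor a usable key.
type EncryptedObject struct {
	WrappedDEK []byte // data key encrypted under the customer-held KEK
	DEKNonce   []byte // GCM nonce used for the wrap
	Nonce      []byte // GCM nonce used for the file body
	Ciphertext []byte // AES-GCM output, authentication tag included
}

// GenerateKEK makes a 256-bit key-encryption key. It stands in for a key that
// in practice lives in the hospital's HSM or customer-managed KMS, never at
// the storage vendor. Hypothetical helper written for this example.
func GenerateKEK() ([]byte, error) { return randomBytes(32) }

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return nil, err
	}
	return b, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext on the client with a fresh random data key, then
// wraps that data key under kek. objectPath is bound in as associated data so
// a ciphertext cannot be silently re-attached to another path. Only the
// returned struct is uploaded.
func Seal(kek, plaintext []byte, objectPath string) (*EncryptedObject, error) {
	dek, err := randomBytes(32)
	if err != nil {
		return nil, err
	}
	dataGCM, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	kekGCM, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	nonce, err := randomBytes(dataGCM.NonceSize())
	if err != nil {
		return nil, err
	}
	dekNonce, err := randomBytes(kekGCM.NonceSize())
	if err != nil {
		return nil, err
	}
	aad := []byte(objectPath)
	return &EncryptedObject{
		WrappedDEK: kekGCM.Seal(nil, dekNonce, dek, aad),
		DEKNonce:   dekNonce,
		Nonce:      nonce,
		Ciphertext: dataGCM.Seal(nil, nonce, plaintext, aad),
	}, nil
}

// Open reverses Seal. Without the customer's kek the wrap cannot be undone,
// which is exactly the storage provider's position; any modification of the
// stored bytes fails the GCM tag check instead of yielding garbage.
func Open(kek []byte, obj *EncryptedObject, objectPath string) ([]byte, error) {
	aad := []byte(objectPath)
	kekGCM, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	dek, err := kekGCM.Open(nil, obj.DEKNonce, obj.WrappedDEK, aad)
	if err != nil {
		return nil, errors.New("cannot unwrap data key: wrong KEK or tampered object")
	}
	dataGCM, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	pt, err := dataGCM.Open(nil, obj.Nonce, obj.Ciphertext, aad)
	if err != nil {
		return nil, errors.New("ciphertext failed authentication")
	}
	return pt, nil
}

// ProviderSeesPlaintext models the vendor inspecting what it holds: true only
// if the patient record's bytes appear anywhere in the stored object.
func ProviderSeesPlaintext(obj *EncryptedObject, plaintext []byte) bool {
	return bytes.Contains(obj.Ciphertext, plaintext) || bytes.Contains(obj.WrappedDEK, plaintext)
}

func main() {
	kek, _ := GenerateKEK()
	record := []byte("MRN 00012345 | Doe, Jane | CT abdomen 2024-03-01") // constructed sample PHI
	path := "pacs/2024/study-42.dcm"                                      // constructed object path
	obj, _ := Seal(kek, record, path)
	fmt.Println("provider can read PHI:", ProviderSeesPlaintext(obj, record))
	if _, err := Open(bytes.Repeat([]byte{0}, 32), obj, path); err != nil {
		fmt.Println("provider-side decrypt without KEK:", err)
	}
	pt, _ := Open(kek, obj, path)
	fmt.Println("customer-side decrypt:", string(pt))
}
```

The design choice worth noticing is the split into a per-object data key and a customer-held KEK: rotating or revoking the KEK never requires re-encrypting every file, and the vendor's copy of the wrapped key is useless on its own. If a provider instead offers "encryption at rest" where its service generates and stores the key, the same program run on its side would print a successful customer-side decrypt, which is the outcome the question in this section is meant to rule out.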
2. Does the cloud storage solution support your access control protocols?
If access to patient files is controlled entirely by your healthcare organization's authentication system, your cloud provider should not require that to change. Integration with your existing authentication protocols, password and multi-factor requirements, and on-prem Active Directory should be provided, so that a user disabled in your directory loses cloud access at the same moment. There should be no "back door" to data in the cloud: no vendor-side administrative account, support path or recovery credential that reads your files outside your own access controls. Audit controls are a required standard of the Security Rule, so you should also have a full audit trail of every access to files in the cloud (who, what, when and from where), the same as for locally stored files, and you should be able to export it into the log management or SIEM tooling you already use.
3. How does your cloud storage solution support data backup and disaster recovery?
If your on-premises file servers go down for any reason, how do you provide access to your files? HIPAA's contingency plan standard requires a data backup plan, a disaster recovery plan and an emergency mode operation plan; how often you take a restorable copy (your recovery point objective, or RPO) and how quickly you must be running again (your recovery time objective, or RTO) are targets you set for your own organization, and the provider's commitments should be measured against them and tested, not taken on faith. What would happen if you lost access to your cloud storage? Would you have other ways of accessing the files quickly, such as a local cache or a second copy? For a more acute crisis that might impact an entire region, such as a natural disaster, will your patient data in the cloud quickly be accessible from another protected location?
4. Will the cloud storage provider sign a Business Associate Agreement (BAA)?
A BAA does not transfer your responsibility for patient data to the vendor; you remain the covered entity. What it does is make the vendor a business associate that is directly accountable under HIPAA for safeguarding the PHI it holds, and it spells out what the vendor must do: the safeguards it will maintain, how and how quickly it will report a breach to you, how it will remedy one, and what it requires of its own subcontractors. HIPAA requires a BAA to be in place before a vendor may store PHI on your behalf, so a cloud storage provider that will not sign one is not an option at all, whatever its security claims. Willingness to sign is the entry ticket, not the whole test; read what the agreement actually commits the vendor to.
Asking these four questions will help you confidently implement HIPAA compliant cloud storage for your healthcare organization. If you have other questions, comment below and let us know – we can always change the title!
To hear how one healthcare system made a successful move to the cloud leveraging Microsoft Azure and Nasuni, watch the on-demand webinar How a Leading Nebraska Hospital Cured its File Storage Growth Pains.