AlexTo aid healthcare providers who are interested or are looking to make the next step to a cloud solution, here are three mission-critical questions you need to examine before signing on the dotted line with cloud vendors.
The Institute for Critical Infrastructure Technology recently reported an alarming 47 percent of Americans had their healthcare data compromised in the past 12 months. The healthcare industry has been the most heavily targeted in terms of reform and regulations, yet it is seemingly the most under-prepared in terms of infrastructure compliance. The economic advantage to move to a cloud-based infrastructure is becoming more of a popular choice in the industry, given that it can quell some of the surrounding concerns plaguing HIPAA compliance and the cloud.
Are your data centers regulated by SAS 70 Type II (SSAE16)?
If vendors don’t have a Statement on Auditing Standards (SAS) 70 Type II, then they shouldn’t even be in compliant hosting. Period. This is the hallmark of a well-run PCI/SOX/HIPAA compliant infrastructure. A SAS 70 Type I only states that policies and procedures exist, although it does not ensure that the Business Associate (aka cloud vendor) adheres to them. SAS 70 Type II takes it a step further and actually tests the controls and operations over a specified time period. SAS 70 Type II guarantees a much more comprehensive and transparent environment to secure your data.
A Statement on Standards for Attestation Engagements (SSAE) 16 is the latest auditing standard and currently replaces the SAS 70 standard as of 2012. Data centers and managed service providers that host systems pertinent to their customers' reportings are absolutely accountable for pushing certain controls and procedures in those systems.
Compliance with current auditing standards significantly increases the security and management of patient data and it is vital to know that your vendor also understands that importance.
Further steps include a provider showing you evidence of aggressive penetration testing performed on their systems. This exemplifies that they are indeed serious about treating your data with integrity and is an excellent sign to show off on HIPAA audits.
How will cloud providers design a HIPAAÂ compliant architecture?
Since 2009, the Federal Government has been encouraging a "carrot" and "stick" approach to motivate the move towards the usage of electronic health records (EHRs). Billions of dollars in incentives are provided to healthcare providers if they play by the rules made by the Health Information Technology for Economic and Clinical Health (HITECH) provisions of the American Recovery and Reinvestment Act (ARRA).
The "stick" in this case, represents the enforcement laws carried out by the Office of Civil Rights (OCR) for violating HIPAA rules. These results can accumulate fines with upwards of thousands and sometimes millions of dollars in penalty. Covered Entities also receive a permanent etch in history for being inducted into the HIPAA Wall of Shame.
Make sure that the architecture can be built to meet the metrics outlined for Meaningful Use. As a reward for designing a compliant infrastructure, the Medicare and Medicaid EHR incentive programs will reimburse healthcare providers with incentive payments for implementing certified Health IT modules. Once your architecture is tested to meet the standards and criteria regulated by the U.S. Department of Health & Human Services (HHS) it needs to become certified by the ONC-Approved Accreditor (ONC-AA).
Ask your provider to explain the outcomes of your architecture build. It should provide flexibility to customize health IT to support physicians, allow open application program interfaces (APIs) to flourish and play nicely with the infrastructure, and should prioritize interoperability by Federal Standards to promote real-world uses of the technology. There should never be any business models that would otherwise inhibit or impede data from being readily available when it comes to the needs of patients.
Find out how your cloud solution addresses protected health information (PHI) and what specific ways the architecture is being designed to meet Meaningful Use.
What am I responsible for and what is the vendor responsible for?
By far the most misunderstood element between healthcare providers and cloud vendors. Many vendors like to advertise that they will take full responsibility (usually after the fact an incident occurs, conveniently), but ultimately it’s up to the healthcare provider to practice HIPAA compliant regulations. Vendors can send emails, warning red flag behaviors, and monitor for unusual activity, but both sides need to acknowledge responsibility in the event of a breach, outage, or data leakage.
Take the time to go over your Business Associate Agreement (BAA) and discuss in detail what expectations should apply for both parties so that a mutual understanding is signed, sealed and delivered.
By investigating these three aspects, this will ensure that you are practicing the due diligence on achieving HIPAA compliance with the cloud by:
- Reducing the risk of non-compliance with HIPAA regulations
- Achieving higher returns on investment (ROI) than you would with an in-house solution
- Advanced data encryption and password management
- Detailed audit tracking that approves external and internal compliance inspections
- Enhanced security surrounding potential breaches/threats
- Reduced capital expenditures (CapEx)
The investment in planning your cloud Infrastructure as a Service (IaaS) should allow you to manage your care through protected access and grant safe sharing of health information. Start filling the skills and resource gaps of your IT department so you can focus on solving patient needs, instead of playing "Operation" on servers.
