Home

Wikitip

Heakthcare IT and the Cloud

Over the last few weeks I've been hearing a lot of discussion around HIPAA. When we speak about HIPAA, invariably the two components of data security and data privacy arises.

In the traditional data centers, database managers and data owners know where their data resides and implement the necessary processes to preserve privacy and audit access.

However, when we move to the cloud, the cloud being all about data, we are looking at servers, network, and storage that are abstracted. This raises concern that data owners may not necessarily know where their data sets physically reside and we are looking at Cloud Service Provider (CSP) employees who will be handling confidential patient data or Personally Identifiable Information (PII).

Of importance here is that when it comes to leveraging the cloud ecosystem for healthcare segments, the foremost concerns are around HIPAA and the HITECH Act compliance capabilities and meaningful use provisions.

So what is meaningful use? According to HealthIT.gov

"Meaningful use is the set of standards defined by the Centers for Medicare & Medicaid Services (CMS) Incentive Programs that governs the use of electronic health records and allows eligible providers and hospitals to earn incentive payments by meeting specific criteria."

The goal of meaningful use is to promote the spread of Electronic Health Records (EHR) to improve health care in the United States.

Benefits of meaningful use of EHRs include:

• Complete and accurate information,
• Better access to information, and,
• Patient empowerment.

In the U.S. healthcare world, organizations are positioning to attain meaningful use. This to capture the incentives allocated by the U.S. federal government as well as to ensure that reimbursements do not face jeopardy for providers not in line with the meaningful use provisions.

As healthcare practitioners and organizations increase the use of technology solutions in delivering clinical care, their IT departments are faced with additional stress to provide availability on demand and operate data centers approaching 99.999 percent availability. In most cases this is a major challenge that can lead to the risk of unscheduled outages and costly solutions.

Assuring high availability for healthcare applications means meeting uptime requirements, and in today's environments will require access to more than one data center. This can significantly impact the overall capital investment in data center infrastructure for healthcare organizations.

Looking to the cloud as a solution is not only the next step in services but will ensure high availability of clinical applications. This will allow a healthcare organization to leverage the expertise and financial stability of an established CSP. Another advantage of leveraging a cloud ecosystem, is that of rapid provisioning and deployment, with the ability to change compute capacity as demand changes.

Thus in the event of failure, server instances can be seamlessly moved to alternate hosts or in anticipation can be clustered to provide redundancy.

Some may ask whether it is risky to transfer data from site to cloud. The answer is no, as a majority of organizations move data over the Internet via encryption channels. Where we can see concerns arising is with the hand-off of data into the (CSP) environment.

In a seamless environment, all data will have site-to-site encryption up to and including storage. Where we can see some separation is with healthcare application vendors support.

In the cloud, it is a given that we can have a number of people with access to the physical servers and storage that cloud consumers have no control over. For an IT security person this will elicit conflicting concerns, as on one hand there is the presupposition that complete control is being relinquished, which can only be assured with prescriptive precautions defined by a CSP.

The cloud computing ecosystem is still evolving and still lacks industry-wide certifications. As we mature within this ecosystem, the intent is to drive toward processes, best practices and certifications which would provide legal protection that can reduce the complexities of a long negotiation and complex SLA requirements.

Within a regular data center or even a small IT shop, as an IT security leader one of my first expectations for any shop is some form of centralized logging with automation. Similarly by transferring such a mindset into the cloud ecosystem (they are after all data centers) any healthcare customer security leaders expect the assurance that detailed reporting is a given.

Having worked on the security strategy and assessment separately for a few cloud computing projects, I have seen first-hand that access rights was a major focus. In light of this, it is not a complex process to segment solutions for healthcare. As a result any access to servers and storage dedicated to a healthcare customer by anyone within a CSP organization will be logged and thus can provide the assurance of controls around access.

From a legal perspective, more specifically talking contracts, healthcare customers expect the provision of strong financial penalties to indemnify against a breech as well as to hold the CSP accountable.

Some CSPs are moving to providing a HIPAA Business Associate Agreement (BAA) for their healthcare customers. The assurance provided by their BAA demonstrates meeting the compliance requirements (enabling the physical, technical, and administrative safeguards required) of the HIPAA and the HITECH Acts.

In closing, I will state that HIPPA compliance and cloud computing do not have to be in conflict. Rather healthcare entities can leverage the benefits of the cloud, coupled with the necessary due diligence and legal contracts to meet their needs.

View Another Wikitip

Featured Case Study

Financial giant goes green

The corporate IT group of a very large, worldwide financial organization with 100,000 employees, has initiated an ongoing “greening” process. This is focused largely on reducing energy use both to decrease the corporation's carbon footprint while creating a net savings in operational costs over the lifetime of new, more energy-efficient equipment, including new storage systems.

read more...

Featured How-To Note

Planning a Green Storage Initiative

Fluctuating energy prices have heightened electricity and energy consumption as a major issue within the technology community. IT is a significant consumer of energy and IT energy costs have been rising disproportionately because of continued investment in denser IT equipment. Estimates from the EPA and others indicate that IT will account for 3% of energy consumption by 2012.

read more...