Caveat emptor: Protecting PHI in the cloud
June 24, 2014 in Medical Technology
When it comes to leveraging the cloud for healthcare IT, I see two prevailing dynamics over and over. The first is that most organizations understand the benefits of the cloud – reliability, speed, scalability – very well. But when it comes to enjoying those benefits by partnering with the right provider, these same organizations are frequently lost.
This is especially true when it comes to security and compliance – and it’s especially tough for busy healthcare IT professionals who want the assistance of a trustworthy provider. They know the cloud is uniquely suited to protect and optimize their PHI, but they often have no idea which provider can deliver it. Why is this so difficult? One glaring problem is the number of snake oil claims made by some providers. Consider these examples from actual websites:
- “Guaranteed 100% HIPAA compliant”
- “We handle all of the technical requirements”
- “We passed an independent HIPAA audit with 100% compliance against the new OCR HIPAA audit protocol”
If you’re not well-versed in HIPAA, you might think these claims sound pretty appealing. Who wouldn’t want a quick and easy solution to all of their compliance and security needs? That’s the healthcare IT dream, right there. But these claims are misleading, and here’s why.
Where’s the beef?
To start, consider what it means to be HIPAA-compliant: it means you have assessed the risks and threats that pertain to the way you handle your PHI, and that you have implemented a security program that adequately addresses those risks. This isn’t a checklist of tasks a provider can satisfy on its own; it has to account for the specific needs and nuances of your organization. So what if a provider claims to be HIPAA compliant? That doesn’t guarantee its security controls will address your HIPAA compliance requirements. Your compliance hinges on whether you’ve built a robust security program tailored to your risk scenario, and on whether you understand how the controls your vendor provides address your risks.
This silver bullet approach ultimately trivializes HIPAA compliance and leaves customers open to threats and failed audits. Remember, risk management extends beyond your cloud. Think of non-digital threats and vulnerabilities like medical paperwork left out in a public area or a fire that destroys valuable paper records. Becoming HIPAA compliant means developing processes and policies that protect all PHI in all ways necessary.
It’s probably obvious by now that these outlandish vendor claims are designed to win business rather than educate and protect healthcare IT teams. So it’s not surprising that it can be frustrating to sort through the hype and find detail on the provider’s actual services. It’s like that old Wendy’s commercial where Clara asked, “Where’s the beef?” There’s a whole lot of smoke and mirrors out there, but not much meat.
Let’s be clear about one thing. Your organization can absolutely enjoy the benefits of a great healthcare cloud. It’s just a matter of becoming a smart cloud consumer and adopting a healthy “buyer beware” attitude toward wild marketing claims.
Separating the wheat from the chaff
First of all, a good provider should always be transparent and welcome your questions. They should offer full visibility into how your data and assets are being protected, with details on how their services directly impact your risk profile and compliance status. The division of compliance responsibilities between you and the provider should also be clearly delineated in your business associate agreement (BAA).
If they try to assure you that they’re “100 percent compliant,” ask for specific details on how they can preemptively identify and correct your specific compliance weaknesses. Ultimately it’s not what providers say but what they do that shapes your security and compliance, so ask questions like those outlined below to help you make an informed choice:
- Can they show you documentation that backs up their HIPAA compliance claims? This should include independent audit reports that cover the scope of the assessment, the controls framework used and how you can leverage this compliance.
- Do they provide information on the specific security controls that are included with their service? Have they mapped their services and security controls to the HIPAA/HITECH requirements?
- Does the vendor use third parties to provide your services? Have both they and their subcontractors been independently assessed?
- What is their security posture? Do they offer only one layer of protection? Or do they utilize a layered security model where tools and strategies work together, such as DDoS mitigation, firewalls, IP reputation filtering, multifactor authentication and anti-malware?
- How will your data be segregated from other tenants on the infrastructure, including your network traffic, data, and virtual machines? Ask specifically how they can guarantee their other tenants will not impact your security or performance.
This may sound like a lot of legwork, but it’s essential if you want to avoid investing in the wrong partner. Remember, it’s your organization that’s on the line when it comes to compliance; if a breach occurs, you’ll pay the fine, suffer the embarrassment, and deal with the internal fallout. Clearing up all confusion on compliance, security and providers is the first step toward avoiding that fate. Stay informed and cut through the hype to find a provider with the expertise you need to protect your PHI and satisfy HIPAA compliance.