Security issues may be one of the final barriers to engaging in cloud computing, according to Rick Kam, president and co-founder of ID Experts.
"Cloud computing poses great risks for healthcare organizations, providers and entities responsible for safeguarding protected health information [PHI]," said Kam. "Healthcare entities are responsible under Federal HITECH and HIPAA regulations for the security of PHI in the cloud, though they often have little or no control where or how this data is moved, processed, or stored."
Kam outlined the following six tips for mitigating your cloud computing risks.
1. Have business associates sign an agreement. According to Kam, covered entities should review the terms and conditions of a cloud provider's service-level agreement (SLA) to fully understand what their liabilities and risks are, and to be prepared to "absorb" those risks. "Detecting responsibility for a data breach among cloud managers, storage providers and application developers is nearly impossible," he said.
2. Limit user access. Larger covered entities can offset dangers with a private cloud, said Kam. "They simply limit access to their own organization and subsets, such as business associates," he said. "Smaller covered entities are at the mercy of the cloud providers they can afford."
3. Research applications. Cloud-level applications present problems when it comes to security, said Kam. At the same time, federal law mandates that access to PHI be controlled and limited to the "minimum necessary" data fields required for the purpose involved. "This means access is limited to only authorized and authenticated users, and that IT can log and audit all accesses," he said. "But this is a function of the application itself – and not all applications are designed to meet such security needs." Another issue, he continued, is application interoperability: the inability to move data smoothly and securely between applications leaves that data at risk of exposure. "Developing standards and protocols for interoperability between two applications is important," said Kam. "[It's] up to the vendors but is often not a high priority."
4. Secure third-party validation. Smaller covered entities have little say in the way a cloud provider secures the PHI in their care, said Kam. One way to "level the playing field" is for clinics and other small covered entities to work with a medical association or organization to create a certification for cloud providers that meets HITECH and HIPAA security requirements. A similar program already exists in the federal government, he pointed out: FedRAMP, the Federal Risk and Authorization Management Program.
5. Take an inventory of PII and PHI. According to Kam, an inventory provides a complete account of every element of personally identifiable information (PII) and PHI an organization holds, in either paper or electronic format. "It helps to determine how an organization collects, uses, stores and disposes of its PHI," he said. "A PHI inventory reveals the risks for a data breach, so organizations can strategically protect PHI data and best plan for a response based on real information." An inventory of PII and PHI, he added, together with a privacy and security risk assessment, can help demonstrate compliance and mitigate the impact of a data breach.
6. Develop an incident response plan (IRP). An IRP is an effective, cost-efficient way to help organizations meet HIPAA and HITECH requirements while developing guidelines related to data breach incidents. "The IRP designates roles and provides guidelines for the response team's responsibilities and actions during a privacy incident and provides instructions on determining notification requirements, including to regulatory authorities," said Kam.