Best Practices for PHI Data Security and Selecting the Right Cloud Computing ProviderApril 27, 2012
In recent months, cloud computing is a topic that is getting a lot of attention especially when applying the technology in healthcare. Cloud computing is becoming more attractive to medical organizations predominately due to the benefits that the technology offers including reduced enterprise IT infrastructure and power consumption costs, scalability, flexibility, and accessibility.
At the same time, cloud computing pose significant potential risks for medical organizations that must safeguard their patients protected health information or PHI while complying with HIPAA Privacy and Security rules. The increased number of reported PHI breaches occurring over the past two years along with ongoing HIPAA compliance and PHI data privacy concerns, has slowed down the adoption of cloud technology in healthcare.
To help medical organizations and providers mitigate PHI data security risks associated with cloud technology, consider the following five best practices when selecting the right cloud computing provider:
1. Understand the importance of SSL. Secure socket layer (SSL) is a security protocol used by web browsers and servers to help users protect data during transfer. SSL is the standard for establishing trusted exchanges of information over the internet. SSL delivers two services that help solve some cloud security issues which includes SSL encryption and establishing a trusted server and domain. Understanding how the SSL and cloud technology relationship works means knowing the importance of public and private key pairs as well as verified identification information. SSL is a critical component to achieving a secure session in a cloud environment that protects data privacy and integrity
2. Not all SSL is created equal. The trust established between a medical organization and their cloud computing provider should also extend to the cloud security provider. The cloud provider’s security is only as good as the reliability of the security technology they use. Furthermore, healthcare organizations need to make sure their cloud provider uses an SSL certificate that can’t be compromised. In addition to ensuring the SSL comes from an authorized third party, the organization should demand security requirements from the cloud provider such as a certificate authority that safeguards its global roots, a certificate authority that maintains a disaster recovery backup, a chained hierarchy supporting their SSL certificated, global roots using new encryption standards, and secure hashing using the SHA-1 standard. These measures will ensure that the content of the certificated can’t be tampered with.
3. Recognize the additional security challenges with cloud technology. There are five specific areas of security risk associated with enterprise cloud computing and medical organizations should consider several of them when selecting the right cloud computing provider. The five cloud computing security risks include HIPAA Privacy and Security compliance, user access privileges, data location, user and data monitoring, and user/session reporting. In order for medical organizations and providers to reap the benefits of cloud computing without increasing PHI data security and HIPAA compliance risks, they must select a trusted service provider that can address these and other cloud security challenges.
4. Ensure data segregation and secure access. Data segregation risks are a constant in cloud storage. In a traditional client hosted IT environment, the internal IT administrators of the organization controls where the data is located and the access granted to clinicians and support staff. In a cloud computing environment, the cloud computing provider controls where the servers and the data are located. Even though certain controls are lost in a cloud environment, proper implementation of SSL can secure sensitive data and access. A medical organization will know that they are on the right path to selecting the right cloud provider if they provide the organization with three key elements as part of their cloud hosting solution: encryption, authentication, and certificate validity. It is highly recommended for organizations to require their cloud provider to use a combination of SSL and servers that support 128-bit session encryption and should also demand that sever ownership be authenticated before one bit of data transfers between servers.
5. Make sure the cloud provider understands HIPAA compliance. When a medical organization outsources their IT infrastructure to a cloud computing provider, the organization is still responsible for maintaining HIPAA compliance with all Privacy and Security rules. Since healthcare organizations can’t rely solely on their cloud provider to meet HIPAA requirements, it is highly recommended to select a cloud provider that has experience with HIPAA compliance and has compliance oversight processes and routines in place. Cloud computing providers that refuse to participate in external audits and security certifications are signaling a significant red flag and should be dismissed from further consideration.
SSL is a proven technology and a cornerstone of cloud computing security. When a medical organization is evaluating a cloud computing provider, the organization should consider the security options selected by that cloud provider. Knowing that a cloud provider uses SSL can go a long way toward establishing confidence. The right cloud computing provider should be using SSL from an established, reliable and secure independent certificate authority. Furthermore, when selecting a cloud computing provider, healthcare organizations should be very clear with their cloud provider regarding the handling and mitigation of risk factors beyond SSL.
Medical organizations that effectively performs PHI security and HIPAA compliance due diligence as part of their cloud computing provider selection process, will be best positioned to consolidate IT infrastructure, reduce IT cost, mitigate the risk of PHI data breaches, and increase business sustainability resulting from the adoption of cloud technology. This outcome will allow healthcare providers to focus more of their energy and resources to patients thus improving care and outcomes.