The Do’s and Don’ts of Healthcare in the Cloud

Vicert Inc
Jul 9, 2018


It has already been a year since the last “Health in the Cloud” event, which we organized together with our partners from IBM Bluemix and Watson. Since then, the statistics of healthcare in the cloud have improved exponentially: more and more providers are migrating to cloud storage, and more and more cloud vendors are claiming HIPAA and HITECH compliance, promising security and savings.

Obviously, the savings aspect is true. But what about the security and compliance of it all? There are numerous HIPAA checklists you can use to make sure you have done all that is needed. If you are interested, the Office of the National Coordinator for Health Information Technology (ONC) created a free security risk assessment tool that walks you, checklist-style and step by step, through all the HIPAA requirements.

But before you go off to fill one of those out, we wanted to give you a high-level overview of what to look for before choosing your cloud vendor, and what their promises actually mean when it comes to implementation, migration, and use.

There are some obvious uses of cloud tech in healthcare, such as data storage and backup, but what we see more and more product companies in health tech doing is deploying backend and core code directly on the cloud. We could also see the direct benefits of using the cloud for:

  • Disaster recovery
  • Data Processing and analytics — in 2016 IDC Health Insights reported that providers are leveraging cloud implementations for mobile and analytic capabilities
  • Building an ecosystem for providers and payers (accessibility, sharing, etc.)
  • Further evolution and improvement of the electronic health records

Or, for example, improving precision medicine databases or telemedicine capabilities.

Looking at all the potential of cloud tech in health tech, we recognize, of course, the remote file-sharing options, the building of custom applications, and the expansion of storage, which together allow the entire health IT infrastructure to evolve. Cloud adoption is becoming more comfortable for providers. According to the above-mentioned IDC survey, 41.5% of respondents from hospitals said they were more comfortable with the cloud than in the past. Even Gartner predicted that by 2021 public cloud service providers will process more than 35 percent of the healthcare industry’s IT workloads, a number that, with all the safety concerns, seems really promising. In the meantime, in 2018, not all vendors claiming compliance with HIPAA and HITECH are the best solution for a healthcare organization, or even actually compliant. This is why, before choosing a cloud vendor, there needs to be a Q&A with the vendor to better understand the offering.

For one of our clients in the past, we built a Virtual Compliance Manager because, even though the cloud storage the client was using was HIPAA compliant, it did not solve the compliance issue for their solution.

So what does that mean? First of all, you need to sort things out internally: establish an adequate compliance program and develop internal processes that enable the compliant use of the cloud services. This is basically the stance of all compliant vendors with whom you can sign, for example, the business associate agreement. Thus, the cloud storage vendor becomes a business associate by storing the PHI on behalf of the healthcare org (thus the services being HIPAA compliant).

One of the greatest frights is the access and security of the cloud, especially after so many data breaches in the past two years caused by lost or stolen devices (phones, laptops, thumb drives). The HITECH Act even included a notification requirement, so after 500 individuals have been affected by a PHI breach (from unsecured protected health information) the vendor must inform the Office for Civil Rights and inform them of the breach.

So, thinking about moving to the cloud?

First, let’s understand the nomenclature:

  • SaaS allows users to access centrally stored data through a web browser. It is used mostly by organizations with small IT departments, since it does not entail a lot of maintenance, which is usually performed by the vendor itself. SaaS solutions are mostly used for EHRs, certain management systems, and HIE.
  • PaaS allows more operating control over cloud environments, allowing organizations to build and deploy custom applications without having to build or maintain the infrastructure. Organizations with dedicated developers working on a custom app would benefit from this model.
  • IaaS allows the most control over storage, networks, and other resources, allowing the deployment and use of operating systems and apps. The vendor still has control and ownership of the cloud infrastructure, but the user/client has control over the OS, storage, and custom apps deployed.

Second, think about the available options: whether to go for one of the biggest and most common vendors, such as AWS, Azure, Google Drive, OneDrive, or Box, or maybe for a healthcare-specific vendor focusing exclusively on the best use of the cloud for healthcare. We believe in the latter. For the past 16 years, we have solely focused on health tech, and that has allowed us to maintain a zero-breach code history. So, if you wish to explore some of the niche-specific cloud options, you may want to take a look at what our friends at ClearDATA are doing, especially with one of their solutions, Multi-cloud Platform.

Third and finally, consult your IT vendor before making the decision to move to the cloud, and especially when choosing the cloud vendor. Depending on your internal processes, core systems, and data format, there will always be a challenge in setting up internally for the migration and deployment to the cloud (customization of the services is something that not all cloud vendors offer, especially if you are not a key account).

Originally published at https://blog.vicert.com on July 9, 2018.


Vicert Designs and Implements Solutions for Healthcare Providers, Payers and ISVs