Assessing healthcare security compliance in the cloud

The "cloud" has almost become a buzzword in health IT, with many hospitals considering a shift to remote servers to reduce costs and improve scalability. However, some executives have hesitated, given the cybersecurity implications of accessing protected health information through the internet.

This content is sponsored by Microsoft

"It's like online shopping," Shaung Liu, chief technology officer of the provider division at Teladoc, said during a Microsoft-sponsored workshop at the Becker's Hospital Review 3rd Annual Health IT + Revenue Cycle Conference Sept. 21 in Chicago.

"When you first did online shopping nobody wanted to put their credit card in the cloud … you didn't trust it," he explained. "Now, everybody does."

Teladoc, a telehealth company that works with employers, insurers and health systems, opted to build its virtual healthcare platform for health systems in the cloud to ensure reliability, flexibility and scale.

"[Our] solution really has to scale," Mr. Liu said. "Every hospital system has their own white labeled solution, their own instance, their own subscription in Microsoft Azure, which completely isolates their data from any other client."

"We have to provide an experience that's trusted for the patient," he added, noting Microsoft's efforts to ensure compliance under privacy and security regulations in healthcare. "A platform that's willing to sign a [business associate agreement] with us tells us they're willing to treat our data with just as much security as we need in our industry."

Hector Rodriguez, worldwide health chief information security officer at Microsoft, weighed in on why Microsoft has worked to ensure Azure addresses information security concerns head on. "If you [as a healthcare provider] have to add the security layer … you need to rethink what you're doing," he said. "It costs a lot for you to be the security integrator."

For Mr. Rodriguez, sharing and accessing data through the cloud will be a necessity for complex healthcare projects, like precision medicine and virtual healthcare. However, he clarified he sees the "hybrid cloud" as the future of healthcare, in which hospitals weigh which processes belong on the cloud and which belong in an on-premise data center.

"We're hearing more and more about the modern data center being this deconstructed data center approach, so some on-premise, some co-located, some in the public cloud," he explained. "Infusion pumps, ventilators, those are never really going to be in the cloud. They may be connected to the cloud using Internet of Things-type technologies, but hospitals are a really great example of the hybrid model."

One way Microsoft has demonstrated its commitment to meeting regulations under HIPAA and the Health Information Technology for Economic and Clinical Health Act is through certification programs. The Health Information Trust Alliance approved Azure under one such certification, called the HITRUST Common Security Framework.

HITRUST Alliance, a nonprofit focused on information security guidance, developed the HITRUST CSF to provide businesses with a framework to establish compliance and risk management practices. The framework incorporates information protection standards from multiple industries, including healthcare.

"At HITRUST we're focused on building a community that works together, shares information and best practices, and applies them to a common framework so they can proactively manage the risk both within their own organization as well as that of their business partners," said Michael Parisi, vice president of assurance strategy and community development at HITRUST. "The HITRUST CSF provides a common means through which an entire industry, such as healthcare, can improve the security posture across the board, throughout the entire supply chain."

The HITRUST CSF, for example, incorporates standards to demonstrate compliance with HIPAA, based on a review of the HHS Office for Civil Rights' audit protocol. Its most recent version also includes guidance from the National Institute of Standards and Technology's Cybersecurity Framework.

Unfortunately, cybersecurity measures are not foolproof. To address this issue, Mr. Parisi emphasized holding vendors accountable.

"With the ever-changing threat and regulatory landscapes, it's critical that organizations take a risk-based approach to protecting health data and other sensitive information," Mr. Parisi explained, adding the importance of proactively conducting audits. "It's equally important to keep your vendors on your risk scorecard as, inevitably, you will want to know how their risk score will impact your own risk score. Tactically speaking, you'll want to know the answer to the question: 'Are your vendors within your defined service level agreement?'"

"It's a provocative conversation we're having about putting [personal health information] in the cloud," he continued, noting the majority of healthcare data — 80 percent, in fact — is expected to pass through the cloud by 2020, according to an IDC report. "[Data] has to be secure, private and compliant. That's the foundation of trust. If it doesn't start with security in mind, don't do it."

Copyright © 2024 Becker's Healthcare. All Rights Reserved. Privacy Policy. Cookie Policy. Linking and Reprinting Policy.

 

Articles We Think You'll Like

 

Featured Whitepapers

Featured Webinars