A recent Google search brought me to a health IT blog, Life as a Healthcare CIO, and the post entitled The Reality of SaaS. The author discusses whether or not SaaS/cloud computing is appropriate for EHR (electronic health record) hosting – he reinforces the fact that “current regulatory and compliance mandates require that you find a cloud hosting firm which will indemnify you against privacy breaches caused by security issues in the SaaS hosting facility.”
While this is especially true now, he also groups IaaS (Infrastructure as a Service) in with SaaS, citing a quote from the CIO of the Beth Israel Deaconess Care Organization:
While the article goes on to describe their issues with ISPs and network connections, the fact remains that many mid-sized healthcare SaaS organizations still struggle with both meeting regulatory requirements and fully maintaining their own IT infrastructure that must support mission critical applications – oftentimes ones that are also critical to patient health and life.
Some cloud service providers can offer a fully HIPAA compliant cloud that is both audited and managed by professionals, relieving the pressure on healthcare SaaS companies. However, a diligent assessment of the service and the provider is required, particularly now that the final rule dictates that business associates (cloud providers) are subject to fines if they do not meet the compliance requirements for securing protected health information (PHI).
An anonymous commenter, a healthcare security professional, remarked on the need for covered entities to perform a proper assessment rather than merely take the sales rep's word when evaluating a cloud provider. The commenter raised a few good points to evaluate:
- Where the data may be replicated for redundancy
- Who has potential access to your data
Another issue arises with cloud service organizations that use offshore entities and locations: since HIPAA is a U.S. law enforced by the U.S. government, its rules do not apply overseas. When choosing a cloud service provider, ask whether they own and operate their own HIPAA compliant data centers or colocation facilities, and where those facilities are located. Better yet, request a tour of their data centers. The commenter's last point was that the BAA (business associate agreement) is only a fraction of what needs to be evaluated, a relevant statement given the other compliance and security factors at play with a cloud provider.
HIPAA is not the only regulatory standard that organizations should look for. A list of the audits and reports you should expect from a cloud/data center provider can be found in State of Cloud Security: Vetting Applications and Cloud Providers for Compliance and Security. Download our HIPAA Compliant Hosting white paper for a complete guide to secure hosting.
Life as a Healthcare CIO: The Reality of SaaS