Healthcare IT in the clouds is no longer a trend. It’s a fact. Almost every single software company and healthcare organization that has a heavy investment in IT has been progressively recreating its products or services in the clouds.
Cloud providers, although reluctant at the beginning, have organized and structured themselves to support healthcare and its sensitive data. Several of them will now sign a Business Associate Agreement (BAA) with their customers, which is the prerequisite for placing protected health information on their platforms at all.
“SOC 1 reports are utilized for service organizations reporting on controls relevant to internal control over financial reporting (ICFR). SOC 2 reports will be utilized for reporting on controls for the growing list of I.T. related organizations, such as cloud computing, Software as a Service (SaaS), managed services, along with data centers, just to name a few.”
(Source: http://www.ssae16.org/)
Some cloud providers designate specific services as HIPAA eligible, meaning they will cover them under a BAA. At the time of writing, Amazon Web Services listed the following:
- Amazon Elastic Block Store (EBS) – Amazon EBS provides persistent block level storage volumes for use with Amazon EC2 instances in the AWS Cloud.
- Amazon Elastic Compute Cloud (EC2) – Amazon EC2 is a web service that provides resizable compute capacity in the cloud.
- Amazon DynamoDB – Amazon DynamoDB is a fast and flexible NoSQL database service for all applications that need consistent, single-digit millisecond latency at any scale.
- Amazon Simple Storage Service (S3) – Amazon S3, provides developers and IT teams with secure, durable, highly-scalable object storage.
- Amazon Elastic MapReduce (EMR) – Amazon EMR is a web service that makes it easy to quickly and cost-effectively process vast amounts of data.
- Amazon Elastic Load Balancing (ELB) – Amazon ELB automatically distributes incoming application traffic across multiple Amazon EC2 instances in the cloud.
- Amazon Relational Database Service (RDS) – Amazon RDS makes it easy to set up, operate, and scale a relational database in the cloud.
- Amazon Glacier – Amazon Glacier is a secure, durable, and extremely low-cost storage service for data archiving and long-term backup.
- Amazon Redshift – Amazon Redshift is a fast, fully managed, petabyte-scale data warehouse that makes it simple and cost-effective to analyze all your data using your existing business intelligence tools.
With the aforementioned services you can build almost any healthcare information technology product or service in the clouds.
Aside from several proofs of concept with Microsoft Azure, I haven’t worked with cloud providers other than AWS, and every time I’ve been on a project that required the selection of a cloud provider, AWS has been the winner because, at the time the decisions had to be made, it was the only provider willing to fully accommodate the strict HIPAA privacy requirements and sign the BAA.
But simply using the HIPAA-eligible AWS services does not make your product or service HIPAA compliant. AWS secures the underlying infrastructure; everything you put on top of it is your responsibility. As an enterprise healthcare IT architect you still have to build environments that protect the sensitive data you process and store, with the right policies, procedures, processes and technologies for security, privacy, encryption and monitoring.
The following HIPAA technical safeguards (45 CFR § 164.312) have to be supported through your own policies and procedures, and through technologies and configuration beyond what the AWS services provide out of the box:
164.312(a)(1) – Access control – Technical policies and procedures for electronic information systems that maintain electronic protected health information (ePHI), allowing access only to those persons or software programs that have been granted access rights.
164.312(b) – Audit controls – Hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
164.312(c)(1) – Integrity – Policies and procedures to protect ePHI from improper alteration or destruction.
164.312(d) – Person or entity authentication – Procedures to verify that a person or entity seeking access to ePHI is the one claimed.
164.312(e)(1) – Transmission security – Technical security measures to guard against unauthorized access to ePHI that is being transmitted over an electronic communications network.
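To make two pairs of those safeguards concrete on AWS, here is an added example; it is my own illustration, not code from the original post, from AWS, or from any AWS product. It generates and checks an S3 bucket policy that denies non-TLS requests and uploads not encrypted with SSE-KMS (transmission security and integrity), and it scans CloudTrail records for PHI bucket access by principals that were never granted access rights and for console logins without MFA (audit controls and authentication). The bucket name, account id, KMS key ARN and role names are hypothetical, and the CloudTrail records are constructed inline to mirror the real record shape, so the module runs offline.

```python
"""Added example (not from the original post): two pairs of 164.312 technical
safeguards expressed as concrete AWS artefacts.  Transmission security (e)(1)
and integrity (c)(1): an S3 bucket policy that denies non-TLS requests and
uploads not encrypted with SSE-KMS, plus a checker for an existing policy.
Audit controls (b) and authentication (d): a scan of CloudTrail records for
PHI bucket access by principals never granted access rights, and for console
logins without MFA.  Bucket, account, key and role names are hypothetical and
the CloudTrail records are constructed inline, so the module runs offline."""
import json

PHI_BUCKET = "example-phi-bucket"                                  # hypothetical
KMS_KEY_ARN = ("arn:aws:kms:us-east-1:123456789012:key/"           # hypothetical
               "11111111-2222-3333-4444-555555555555")
ALLOWED_ROLES = {"PhiAppRole", "PhiAuditorRole"}   # hypothetical roles with access rights


def _deny(sid, action, resource, condition):
    return {"Sid": sid, "Effect": "Deny", "Principal": "*",
            "Action": action, "Resource": resource, "Condition": condition}


def phi_bucket_policy(bucket, kms_key_arn):
    """Bucket policy: TLS in transit, SSE-KMS with one specific key at rest."""
    arn = f"arn:aws:s3:::{bucket}"
    return {"Version": "2012-10-17", "Statement": [
        _deny("DenyInsecureTransport", "s3:*", [arn, f"{arn}/*"],      # 164.312(e)(1)
              {"Bool": {"aws:SecureTransport": "false"}}),
        _deny("DenyUnencryptedPut", "s3:PutObject", f"{arn}/*",        # 164.312(c)(1)
              {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}),
        _deny("DenyMissingSseHeader", "s3:PutObject", f"{arn}/*",      # header absent
              {"Null": {"s3:x-amz-server-side-encryption": "true"}}),
        _deny("DenyWrongKmsKey", "s3:PutObject", f"{arn}/*",           # pin the CMK
              {"StringNotEqualsIfExists":
               {"s3:x-amz-server-side-encryption-aws-kms-key-id": kms_key_arn}}),
    ]}


def policy_enforces_tls_and_kms(policy):
    """True only if some Deny blocks non-TLS access to all of s3:* and some Deny
    blocks s3:PutObject whose SSE header is not aws:kms, whatever the Sids."""
    tls = kms = False
    for s in policy.get("Statement", []):
        if s.get("Effect") != "Deny":
            continue
        actions = s.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        for op, kv in s.get("Condition", {}).items():
            for key, val in kv.items():
                if (op == "Bool" and key == "aws:SecureTransport"
                        and str(val).lower() == "false" and "s3:*" in actions):
                    tls = True
                if (op == "StringNotEquals" and key == "s3:x-amz-server-side-encryption"
                        and val == "aws:kms" and "s3:PutObject" in actions):
                    kms = True
    return tls and kms


def cloudtrail_findings(records, bucket=PHI_BUCKET, allowed_roles=ALLOWED_ROLES):
    """Flag PHI bucket access by principals outside the allow-list (164.312(a)(1)
    and (b)) and successful console logins made without MFA (164.312(d))."""
    findings = []
    for r in records:
        ident = r.get("userIdentity", {})
        who = ident.get("arn", "?")
        role = ident.get("sessionContext", {}).get("sessionIssuer", {}).get("userName")
        if (r.get("eventSource") == "s3.amazonaws.com"
                and r.get("requestParameters", {}).get("bucketName") == bucket
                and role not in allowed_roles):
            findings.append(f"{r['eventTime']} {r['eventName']} on {bucket} by {who}")
        if (r.get("eventName") == "ConsoleLogin"
                and r.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and r.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            findings.append(f"{r['eventTime']} console login without MFA by {who}")
    return findings


# Constructed CloudTrail records: field names follow real records, values are made up.
SAMPLE_RECORDS = [
    {"eventTime": "2016-01-10T14:01:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "requestParameters": {"bucketName": PHI_BUCKET},
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/PhiAppRole/app1",
                      "sessionContext": {"sessionIssuer": {"userName": "PhiAppRole"}}}},
    {"eventTime": "2016-01-10T14:02:30Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "requestParameters": {"bucketName": PHI_BUCKET},
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/contractor"}},
    {"eventTime": "2016-01-10T14:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"},
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/admin"}},
    {"eventTime": "2016-01-10T14:06:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/admin"}},
]

if __name__ == "__main__":
    print(json.dumps(phi_bucket_policy(PHI_BUCKET, KMS_KEY_ARN), indent=2))
    for f in cloudtrail_findings(SAMPLE_RECORDS):
        print("FINDING:", f)
```

Run against the constructed records it reports the contractor's read of the PHI bucket and the non-MFA console login, and nothing for the allowed role or the MFA login. In a real deployment the policy would be fetched with the S3 GetBucketPolicy API and the records streamed from the CloudTrail delivery bucket, and S3 data events (GetObject, PutObject) are only logged if you enable them for the bucket, so that switch is itself part of satisfying 164.312(b). The bucket policy follows the documented S3 pattern of pairing a StringNotEquals deny with a Null deny so that a PutObject that omits the encryption header entirely is also refused.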
HIPAA’s requirements are very reasonable, and any organization that processes and hosts sensitive information would want to meet or exceed them. If you follow the NIST SP 800-53 Security and Privacy Controls for Federal Information Systems and Organizations, you are most likely covered: those controls are broader than the HIPAA Security Rule, and NIST SP 800-66 maps the rule’s standards onto them.
In today’s situation where healthcare data is being sought after by unscrupulous characters, it’s paramount that it is protected around the clock.
Many CIOs in the recent past were hesitant to move to the cloud for fear of their data being out of their control. Very few local data centers can match the physical and infrastructure safeguards of the AWS cloud. AWS has top security engineers who have built a robust infrastructure that, along with other tools, helps create and maintain a continuously up-to-date, trusted environment well capable of hosting the most sensitive data. But you still have to do your part: AWS takes care of the physical facilities, the hypervisors and the managed service platforms, while the data, the identities and access policies, the encryption keys and the audit trail remain yours to configure and monitor. That split still saves a lot of money, since AWS takes on the bulk of the work.
If a CIO is serious about protecting the sensitive information of the patients their services and products serve, then moving to the cloud would be a smart move.
There are some areas where the cloud promises more than it can deliver, though that is not necessarily the providers’ fault. For example, elasticity is touted as something that is inherently available. But no matter how much elasticity the provider offers, little can be done if you use technologies whose licenses are tied to a fixed number of servers, sockets or cores.
Others assume that because it’s a pay-as-you-go model the cloud is cheap. It’s not. Elasticity, ubiquity and the other niceties come at a price. It may not be as costly as a physical data center, but it is definitely not cheap. Constantly monitoring usage and costs is an important activity when you run in the cloud.
The ubiquity aspect of the cloud is especially good for healthcare since this enables an improved platform for interoperability. If all of healthcare were in the clouds, interoperability wouldn’t be the elusive unicorn we’ve been chasing for several decades. It wouldn’t be a magical solution but it would help significantly.
But healthcare interoperability should modernize itself, and it is doing so with the current HL7 FHIR effort. Interoperability built on cloud ubiquity is better suited to web technologies and standards such as REST, OAuth2 and SAML.
Healthcare IT is definitely being recreated in the clouds. CEOs and CIOs are trusting it more and they feel they can be successful in a shorter span of time.
Hardware procurement times are drastically lower, and this alone is a great incentive to move into the clouds. The healthcare IT tsunami triggered by HITECH and Meaningful Use drove more than one CIO crazy. Keeping up with the constant changes was a nightmare: procurement was slow and the demand was intense. No wonder we witnessed such a fast-spinning revolving door in CIO positions across the country.
We are still a long way from being 100% cloud-based because some technologies depend on local products and services. Radiology and imaging rely heavily on local IT, since many of the machines that perform the image capture and the anomaly detection or diagnostics are physical Class II or Class III medical devices.
Predicting 2016 as the year of the cloud is just foolish; the cloud has been in full motion for a few years now. It’s just adding up enough to be noticeable. And Nostradamus said that dwelling in the clouds is the future of humanity, didn’t he?
More to come …