Public clouds are growing in popularity. According to a recent HIMSS Analytics survey, 83% of healthcare organizations are already using cloud-based resources. But what about HIPAA/HITECH? How much of a risk are you assuming when you transmit Personal Health Information (PHI) data over the public internet and store it in a public cloud?
In this post, I’ll go into some of the things you need to know about HIPAA/HITECH compliance in a public cloud, specifically focusing on Azure and AWS, by far the two leading public cloud providers. Then, I’ll go into some considerations you’ll need to think about before you make the leap to the public cloud.
Here’s What You Need to Know About Azure & AWS Before Moving Your PHI Workloads to the Public Cloud
The first thing you need to know is that no cloud platform, public or otherwise, is inherently HIPAA compliant. That’s probably not news to you, but it needs to be said. Secondly, Azure and AWS can absolutely be used to create a HIPAA/HITECH compliant cloud environment – but they must be set up and maintained by seasoned staff with expertise in both HIPAA/HITECH compliance and the platform(s) you choose.
In our opinion, neither Azure or AWS is inherently better for the healthcare industry. At a high-level, they both cover the basics, though sometimes in slightly different ways:
Shared Responsibility Model – Both Azure and AWS follow what they call a “shared responsibility model.” AWS makes a distinction between “of” the cloud and security “in” the cloud. AWS handles infrastructure security, including the physical security of the data center itself. The customer is responsible for the security of everything else.
Azure’s shared responsibility model reflects the broader space Microsoft occupies in the market. For example, Microsoft also offers SaaS business applications including Office 365 and Dynamics 365. In that space, the responsibility for identity and access management is shared between Microsoft and the cloud customer.
Direct, Private Connections – Both Azure and AWS offer direct, private connections which bypass the public internet thereby reducing some of the security risks and concerns inherent in shared resources. (Note: This does NOT eliminate the need for encryption.) Azure’s Express Route is generally marketed as a “high availability” option, which offers greater reliability, faster speeds and lower latency than the standard connections. AWS offers Direct Connect, a similar (although not identical) ability to link directly to your AWS cloud environment. While also marketed as a high availability solution, AWS also touts their solution as a way for customers with bandwidth heavy workloads to reduce costs.
To be clear, HIPAA/HITECH compliance does not explicitly require a direct, private connection to your public cloud. What it does require is a security assessment and the mitigation of risks. So, if PHI data for which you are responsible is stolen and the cause is found to be your public internet connection, you could still be held liable. We highly recommend you not leave anything to chance and use either Direct Connect or ExpressRoute when deploying PHI workloads in a public cloud.
Virtual Private Cloud – Both AWS and Azure also offer a virtual private cloud (VPC), an isolated section of their cloud that is yours and yours alone. Again, while not expressly required by HIPAA/HITECH, we highly recommend setting up a VPC to ensure compliance.
Business Associate Agreements – Last but not least, both Microsoft and Amazon offer signed Business Associate Agreements (BAA), something that IS required for HIPAA/HITECH compliance. On a related note, even if you decide the public cloud is not for you and you prefer to house your workloads on a private, hosted cloud managed by a cloud service provider, you still need a signed BAA from that provider.
The Devil is in the Details
You can set up a HIPAA/HITECH environment, but whether or not you should is another matter altogether. We tell clients to consider two important questions before migrating their workloads to a public cloud:
Are your applications fit for the public cloud? If you have a legacy application that handles PHI that isn’t designed for the cloud, the public cloud may be too risky. That’s because older applications don’t always have the built-in security protocols required for secure cloud computing. This is especially true if the application hasn’t been updated in a while. Before migrating these applications to any cloud environment, public or private, consider upgrading to a newer cloud-ready version.
Do you have the expertise and bandwidth? More and more, this is the issue faced by the customers we help. First, HIPAA requires that all covered entities conduct a risk assessment at least once a year and more often is recommended. Any change to your IT infrastructure, especially migration of workloads to the cloud, should trigger a new HIPAA security assessment. To properly conduct that assessment requires more than just a cursory knowledge of the environment gained from reading blog posts like this one.
Once you’ve decided the risks can be mitigated, you need the experts who can set up your cloud environment to address those concerns. Both AWS and Azure have numerous optional offerings that can help with compliance, but unless the implementor understands the various options, it’s easy to miss something.
Finally, once your site goes live, you need to remain vigilant with tools like log monitoring, access controls and regular security assessments to address any risks introduced by changes to your infrastructure such as the introduction of a new mobile app or the rollout of a patient portal. And, of course, you need someone who is consistently on top of all the new and proposed changes to the HIPAA/HITECH regulations, including any new interpretations of the rules.
That may seem like a tall order, but a qualified cloud provider can help; You just need to be sure you choose the right one.
About Connectria: Whether you’re a healthcare provider looking for a HIPAA compliant cloud or an ISV serving the healthcare market, Connectria has the knowledge and the experience to help you reach your goals. Once a year, Connectria is audited by an independent, third-party assessor to ensure compliance with HIPAA/HITECH regulations. This attention to detail also extends to our employees: each member of Connectria’s dedicated staff is required to take and pass HIPAA compliance certification. Reach out to us firstname.lastname@example.org to learn more.