By Adrian Gerber
We recently explored the growing data storage options for organizations in the healthcare industry, such as cloud migration or a hybrid of cloud and on-premises. Regardless of which option an organization chooses, there are many factors to consider when moving data to the cloud to ensure the entity is HIPAA compliant and HITRUST certified.
Understanding the compliance-related pros and cons of both cloud and on-premises storage will help healthcare organizations create the infrastructure that fits their particular needs, addresses compliance and certification, and reduces the risk of a breach that can be costly from a financial and reputation standpoint.
PROS VS. CONS
While advancements are being made to make the cloud more secure, on-premises storage has some inherent advantages for protecting data. For example, servers can be configured to be inaccessible to those outside the network, as data is not being stored online. This goes a long way in reducing the risk of a cybercriminal gaining access.
Another advantage on-premises storage has over the cloud is that data can be completely restricted from anyone other than authorized personnel. While we are most familiar with intentional hacks, there are many examples of accidental “insider” breaches from someone, who should not have had access rights, mishandling patient data.
While there is no real difference in the difficulty related to deploying security tools on-premises or in the cloud, managing those tools is a different story. An on-premises server offers organizations more control, assuming the personnel tasked to manage the server is qualified — and always available — to do so.
So with all these checks in the “on-premises security column,” why would a healthcare organization, which has so much responsibility to protect data, move to the cloud? First, consider that data stored on-premises is the sole responsibility of the healthcare organization, which extends to any staff that has access to and handles data. This responsibility requires extensive training, retraining and updating of policies as laws/industry regulations evolve. Keeping staff updated with the latest best practices that ensure compliance and help attain or maintain security certifications can be time consuming and expensive.
In a cloud environment, the cloud provider may be responsible for a certain level of security control adherence, ensuring compliance and conducting breach remediation, depending on the cloud provider and services purchased. This would eliminate the need for the extensive training mentioned above, and the saved financial resources could then be invested in security tools to best protect cloud-based data — not to mention the wide range of other savings cloud storage can bring.
Another thing to consider is that a malfunction or compromise in an on-premises server resulting in data being held for ransom can result in permanent data loss. Avoiding such an issue would require additional data storage at an off-site location, which is costly. Cloud storage can offer that backup at a fraction of the cost.
MAKING THE RIGHT CHOICE
As with any solution, no two cloud providers are the same, and each will offer varying levels of security controls. One thing that’s important to understand is that no cloud solution is HIPAA compliant “out of the box.” For example, the popular Amazon Web Services (AWS) is, in general, responsible for about 15% of controls in its cloud offering, while the other 85% of data responsibility belongs to the customer. To varying degrees, other popular cloud providers like Microsoft Azure and Digital Ocean also place the onus to manage security controls and regulatory requirements on their customers, which would be the healthcare organization.
Another important aspect to consider is that cloud solutions offer many services, each with varying levels of complexity. We’ve found that most organizations are using at least 5-8 services in their cloud environment. That said, Azure and AWS do offer additional security control services for a fee. A growing number of cloud healthcare solution providers unaffiliated with Azure, AWS and Digital Ocean provide cloud appliances that connect to the healthcare organization’s technology, but the responsibility and liability is placed with the vendor.
With that understanding in mind, it is paramount for an organization to assess its current cloud security management capabilities — including staff it may add to enhance those capabilities — before choosing a cloud provider. Doing so will ensure that the level of talent complements the offerings of the data storage environment.
Finally, it is important to determine a potential partner’s ability to meet the specific needs of healthcare regulations. They should have a proven track record for security controls that assist healthcare organizations to more easily maintain compliance. Are their customers HITRUST certified? If the answer is yes, that’s a good sign.
Maintaining compliance, regardless of data storage method, is paramount to ongoing success for healthcare organizations. As more patient data is migrated away from on-premises servers, it is necessary to address potential security issues related to the cloud. Understanding the level of security a cloud provider covers and implementing the policies and protocols necessary to make the security posture complete will put an organization on the right path to having solid risk management and compliance infrastructure.