Healthcare IT Blog

Did You Do the Homework? - Considerations for the Cloud

Published on 01/17/2013 by Ashini Surati
Category: Healthcare IT, Cloud Computing

There are many covered entities out there, including many large and small hospitals, that may still be struggling with the decision to move to the cloud. If you are, your mind is probably going at 100 miles per hour. I know this because I have been there in your shoes. Am I losing control of my data? Where will my data reside? How secure is my data? What is the risk of my data being compromised? What’s the risk that the services will be unavailable when I need them? There are many questions that you, as a covered entity, will have to answer for yourself through a risk assessment as you look at cloud services. Should I go to the cloud, or not? What is the most appropriate use of the cloud for my organization? Most of these questions are around the security and availability of data in the cloud.

Everyone who is familiar with HIPAA and HITECH understands that compliance in the cloud has its risks and challenges. A typical cloud services provider, who is also a business associate, will help ease your fears. Your business associate agreements help you manage your risks. However, the security of your data does not in any way, shape, or form rely solely on your cloud service provider. Depending on whether you use an Infrastructure as a Service (IaaS) provider, a Platform as a Service (PaaS) provider, or a Software as a Service (SaaS) provider (or one of the many other acronyms that continue to grow as different types of service providers grow in the cloud), your share of responsibility for security varies. No business associate will agree to carry all the risk of ensuring that your data is secure. Obviously, your increased flexibility and cost savings in the realm of Information Technology investments are typically some of the driving factors that will weigh in the risk assessment for the adoption of cloud services.

Ok, ok… since this is a blog I will digress a bit. Park Place offers Infrastructure as a Service to hospitals that will be using MEDITECH software as their primary HCIS system. I’ve seen hospitals using cloud services rather than on-site infrastructure take advantage of a number of benefits. For example, they don’t need to spend huge amounts on capital investments and may reduce their implementation timelines. Backup and monitoring are included. The service provides access to the infrastructure wherever or whenever it’s needed. With a virtual desktop environment that can be used to access MEDITECH from anywhere, physicians and other clinics and providers who rely on the MEDITECH HCIS solution get the remote access they need. And what about security? The cloud environment is as secure as your environment is, because users who have access to your domain use the same credentials to log in to the cloud.

Back to the risk assessment: For hospitals considering cloud services, confirm that security concerns are shared, and that the provider will help address them. Check policies regarding maintaining hardware, backups, disaster recovery, storage, patch management, event monitoring, virtual desktop access and other infrastructure maintenance items. Be sure that the provider’s solution meets your organization’s specific needs. Cloud services can provide much-needed relief to overloaded IT staff, who can then focus on your organization’s other technology needs while maintaining control over systems. Do the homework. Taking time to review and minimize the risks will result in better rewards.

Ashini Surati is the Security and Compliance Manager at Park Place International. She has been working in the healthcare security and compliance realm for the past decade. Her passion is to ensure customers understand and comply with regulations and maintain a secure, compliant environment.