Healthcare providers looking for HIPAA-compliant applications, storage, and networking options are increasingly turning to the cloud, which has quickly become a low-cost way to develop the complex infrastructure required to support a variety of critical organizational activities.
HIPAA-compliant cloud tools offer the healthcare industry many benefits including cost savings, remote file sharing, custom applications, and expanded storage, giving organizations the ability to create a dynamic, future-proof infrastructure.
Cloud computing is expected to become the healthcare IT infrastructure standard in the coming years, underpinning the continued development of electronic health records and big data analytics activities.
Cloud can be used in some capacity throughout an entire health IT infrastructure, from back-end development and data sharing to consumer-facing patient portals and mobile applications.
As this technology takes control over business and consumer technologies alike, and it’s important for IT decision-makers to understand and trust in the cloud solutions they implement throughout their IT infrastructure.
So what is the cloud, what makes it essential to the future of health IT, and how can healthcare organizations ensure their solutions are HIPAA compliant?
What is the cloud?
“Cloud” is an umbrella term referring to internet-based computing that shares computing resources and provides data to connected devices on demand. Users have shared access to applications, servers, and services, which can make collaboration and data sharing easier.
Cloud technology is complementary to the fast-paced environments characteristic of most healthcare settings. Sharing data across organizations becomes more manageable and less inconvenient, which may result in improved patient services and collaboration between healthcare organizations and professionals.
While cloud-based tools afford healthcare organizations many benefits, they function differently than legacy storage or information sharing solutions, and they can produce their own unique privacy and security concerns.
Because users access data through an internet connection, HIPAA compliance becomes a serious consideration for healthcare organizations looking into cloud solutions for various aspects of their infrastructure.
A survey conducted last year by Bitglass found that healthcare cloud adoption grew from 8 percent to 37 percent from 2014 to 2015, but it lagged behind other industries due to HIPAA regulations. The poll indicated that organizations are still hesitant to fully embrace the technology and yield control of their healthcare data to a vendor who may not understand and adhere to HIPAA regulations.
“Security has been a major barrier to cloud adoption in many verticals, but it’s especially critical in heavily regulated industries," Bitglass says.
Healthcare organizations are wary of HIPAA violations that could potentially stem from cloud technology. One of the biggest drawbacks is the various degrees of control IT departments give up depending on which kind of service model is deployed. This lack of control, along with HIPAA compliance issues, is a significant reason why some healthcare organizations are hesitant to embrace cloud.
Cloud benefits healthcare organizations because it is built to scale along with business and data growth. Because organizations won’t have as many hardware limitations, less money is spent on infrastructure requirements compared to on-premise server maintenance.
Understanding available cloud service models
The “as-a-service” tag is the main identifier for cloud technology. Cloud is implemented using vendor resources whether those resources are for storage, app development, or management.
Organizations pay subscription fees for the vendor’s resources over an established payment period, similar to a common utility such as water or electricity. Vendors provide organizations with a service, based on their need. The more an organization uses the solution, the more they will pay.
Cloud includes solutions like managed software-as-a-service (MSaaS), mobile backend-as-a-service (MBaaS), and identity and access management-as-a-service (IDaaS), but the three most common cloud service models are software-as-a-service (SaaS), platform-as-a-service (PaaS), and infrastructure-as-a-service (IaaS).
SaaS is the most basic form of cloud computing, with centrally stored data accessed by users through a web browser. An example of SaaS is web-based email or an interface reached via a web browser. SaaS solutions work well for organizations with smaller IT departments because most of the maintenance and upkeep of the solution is performed by the vendor.
SaaS solutions are commonly used for several health IT functions, including electronic health records (EHRs), medical practice management systems, and health information exchange (HIE).
PaaS offers more control over cloud environments by providing an application hosting environment allowing organizations to build and deploy custom applications without having to build or maintain the infrastructure.
Users access healthcare data through a custom app instead of through a web browser, and the operating system and network are maintained by the vendor. Mid-sized to large organizations with dedicated developers would benefit from PaaS.Specialist practices that would benefit from having a customized app may also wish to investigate PaaS offerings.
IaaS provides organizations with storage, networks, and other fundamental computing resources to deploy and run arbitrary software, such as operating systems and applications. The organization does not manage or control the underlying cloud infrastructure but has control over operating systems, storage and deployed applications.
Large institutions such as health systems, hospitals, and medical groups would benefit from having more control over with environment are likely to engage in IaaS, but doing so requires a skilled IT staff.
How is cloud technology being used in the healthcare industry?
The HIPAA-compliant cloud has proven its worth to the healthcare industry over the past several years by allowing organizations to collect and utilize more patient data while giving users quick access to large stores of data for faster and better patient care. The technology is now used in many aspects of health IT infrastructure including IoT devices, disaster recovery, storage, analytics and more.
Organization and system growth are significant incentives for institutions to adopt cloud solutions. The adoption rate of inward facing medical technology, like virtualization and custom mobile application development, are easier to integrate into a cloud-based infrastructure already braced to accept them.
According to HealthITAnalytics.com, healthcare providers are no longer satisfied with simply having terabytes of virtual storage for their clinical and administrative information available to them.
A study published in the the Journal of Medical Internet Research identifies analytics-as-a-service (AaaS) as one of the latest service models benefiting the healthcare industry, calling the limitations on analytics, “data-rich and knowledge poor,” as healthcare data collection and storage methods improved, but analytics solutions did not improve accordingly.
Researchers found that cloud-based analytics have significantly improved the way organizations use their data.
“Recently, enabled by cloud computing web services, advanced analytics methods have been applied and utilized across a wide spectrum of health care settings for many purposes," the article stated.
"Cloud computing has special features for clients (eg, radiologists, physicians, researchers, and patients), aiming to reduce the burden of heavy investments and to utilize resource outsourcing, software, hardware, automated resource management, parallel computing, virtualization, and utility computing."
"AaaS is more than just simplifying access to technology. AaaS combines the on-demand aspects of cloud computing with the democratization of information enabled by big data analytics.”
Healthcare organizations are becoming more and more comfortable with adopting cloud solutions for various parts of their IT infrastructures, leading to accelerated adoption of cloud-based big data analytics in healthcare.
Brent Richter, Associate Director of IS Operations and Director of Enterprise Research IS at Massachusetts General Hospital suggests that the future of analytics depends on storing the data in a scalable, future-proof environment commonly found with cloud-based solutions.
“Cloud storage allows flexibility for cloud-native applications, which is important for all our users, including radiology groups, pathology groups – there’s clinical sequencing and research sequencing data in there, too – all these use cases can take advantage of the storage services.”
Using cloud to store analytics data also protects organizations against losing data in the event of a data breach or natural disaster. Backup and disaster recovery-as-a-service (DRaaS) ensures the resilience of data by automating the recovery of data in the cloud.
"AaaS combines the on-demand aspects of cloud computing with the democratization of information enabled by big data analytics.”
Many cloud-based storage solutions offer DRaaS or are compatible with many separate DRaaS solutions. Data stored off-site offer protection in the event of a natural disaster, especially for organizations located where hurricanes or earthquakes are common and can damage physical servers.
Cloud has also played a pivotal role for healthcare organizations looking to take advantage of connected medical devices and the Internet of Things (IoT).
Connected medical devices communicate with the cloud and constantly collect valuable health data from in-vitro diagnostic (IVD) devices, physiological monitors, mobile medical apps, wearables, and MRI CT/ultrasound scanners.
The cloud collects this data for analytics purposes, giving analysts a more in-depth look at population health trends to better assess and treat patients.
How can organizations be sure they are using HIPAA-compliant cloud solutions?
Not all cloud solutions and vendors are created equal. Cloud-council.org advises organizations to manage the logistical and physical security of their infrastructure carefully and implement security protocols that take the full lifecycle of protected health information (PHI) into consideration.
Each cloud-based solution, no matter its purpose, needs to be HIPAA compliant.
Most cloud vendors that are HIPAA compliant make it known and are willing to discuss how their solution complies with HIPAA regulations, Jeff Thomas, CTO of Forward Health Group told HITInfrastructure.com.
However, not all vendors claiming HIPAA compliance are truly compliant or the best solution for a healthcare organization.
“Organizations should always be leary of any vendor selling a HIPAA-compliant solution,” said Thomas.
“Even if a cloud solution enables you to use it in a compliant manner doesn’t mean it solves the compliance problem for you. There’s a few different key points when you’re ensuring that the technology will work to enable HIPAA compliance."
"Is the vendor you choose willing to sign a business associate agreement? If they hesitate or don’t know what that is, they aren’t the right vendor to choose because they don’t understand your healthcare compliance needs when it comes to HIPAA.”
Cloud solutions often come with many features or tools that may be produced by another vendor and offered in collaboration or because the primary vendor does not have their own comparable solution for a certain feature.
"Even if a cloud solution enables you to use it in a compliant manner doesn’t mean it solves the compliance problem for you."
It’s not uncommon for cloud providers to offer tools in collaboration with other vendors, but the primary vendor’s HIPAA compliance does not necessarily extend to the other vendor.
“When looking at a cloud vendor, some of their tools might be vetted to ensure HIPAA compliance, but not every tool may be from that vendor, so you really need to look at it,” Thomas continued. “‘Solution A’ may enable your HIPAA compliance, but ‘technology B’ is part of that solution and it’s not HIPAA compliant.”
The HIPAA security rule requires all covered entities to conduct a risk assessment of their organization which includes cloud deployments. The HIPAA risk assessment ensures that an organization is compliant with HIPAA’s administrative, physical, and technical safeguards.
The Office of the National Coordinator for Health Information Technology (ONC) has developed a free security risk assessment tool to help guide organizations through the risk assessment process by taking organizations through each HIPAA requirement.
Cloud offers organizations a cost effective, lightweight way to collect, analyze, and present data, along with accelerating day-to-day operations and providing patients with efficient, personalized care. While HIPAA compliance is still a valid concern for providers, vendors are stepping up to accommodate healthcare-specific needs as healthcare providers step into the future of cloud computing.