- Infrastructure-as-a-service (IaaS) is becoming a more appealing healthcare cloud option as organizations migrate parts of their health IT infrastructure to the cloud. As entities select cloud vendors for their infrastructure, HIPAA compliance can become a challenge.
IaaS is different from software-as-a-service (SaaS) and platform-as-a-service (PaaS) because it includes hardware and software components, giving administrators more control over their cloud environment. IaaS gives organizations self-service options, broad network access, resource pooling, and elasticity. Many IaaS solutions may include PaaS and SaaS solutions as part of their deployment.
While it seems like an IaaS solution implies that an entire infrastructure is moved to the cloud, there is no single IaaS solution that will bring an organization’s entire IT infrastructure to the cloud. IaaS solutions give IT administrators a deeper control over their infrastructure with more cloud components. This means IaaS providers have a broad set of solutions collectively working together to form the IaaS deployment.
For healthcare organizations concerned about HIPAA compliance, this often means dealing with several different cloud solutions and vendors with various degrees of HIPAA compliant features. Not all of these features are going to be truly HIPAA compliant or work together in a compliant manner.
“HIPAA compliance is always a dangerous and very vast term and healthcare organizations should always be leery of anyone selling a HIPAA compliant solution. Even if a solution enables you to use it in a compliant manner, it doesn't necessarily mean it solves the compliance problem for you,” Forward Health Group CTO Jeff Thomas told HITInfrastructure.com.
“When looking at a cloud vendor, some of their tools might be vetted to ensure HIPAA compliance, but not every tool may be from that vendor, so you really need to look at it,” Thomas continued. “‘Solution A’ may enable your HIPAA compliance, but ‘technology B’ is part of that solution and it’s not HIPAA compliant.”
According to Gartner, IaaS providers will most likely be specific about which parts of their solution have been assessed by a third-party organization and are FedRAMP approved. The FedRAMP program is a government program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud solutions and deployments.
Gartner also says that these solutions are often HIPAA compliant, but that does not mean the organization does not need to speak with the vendor at length about compliance.
HIPAA compliance conversations can become complicated when vendors work together. It’s common for vendors to be compliant with aspects of another cloud solution if they do not have a comparable feature available in-house. For example, many cloud service providers are compatible with VMware features to supplement their solutions, making them more complete.
Vendor collaborations are common among IaaS solutions but if one piece of the solution is not HIPAA compliant, organizations may have the opportunity to choose to exempt that part of the solution if they still wish to use a certain vendor.
As healthcare cloud technology becomes more advanced, vendors are leaning toward virtualization to build more secure cloud environments. Virtualization may be the key to easing healthcare organizations’ concerns about HIPAA compliance.
Using software-defined solutions abstract and compartmentalize data, allowing an organization to separate nodes from others on the network. Containing data this way protects it in case another segment of the cloud storage is compromised. Hackers cannot cross penetrate containers, minimizing the risk of compromised data.
Virtualization is built differently from traditional cloud solutions, is more secure by design, and often operates via a secure private cloud or data center. IaaS solutions can function off virtualized infrastructure, securing data in a HIPAA compliant manner.
Healthcare organizations considering IaaS solutions need to pay close attention to all the components that make up the solution to ensure that the entire deployment is HIPAA compliant. As healthcare cloud becomes an IT infrastructure standard, vendors are becoming more open about their compliance.