This tip is a part of SearchCloudSecurity.com’s mini learning guide, HIPAA cloud computing advice: Ensuring cloud computing compliance.
Compared to other industries, health care providers have a much bigger source of technology complexity to contend with: the clinical environment. The clinical side of the house represents a hodgepodge of specialized systems where everything from infusion pumps to imaging modalities share data using specialized protocols (HL7) via a “spider Web” of complicated interfaces.
Given this complexity, health care cloud computing is both appealing and challenging.. Off-premise cloud computing solutions -- in particular the IaaS model that allows a virtualized but still flexible substrate -- promise to reduce IT footprint. Reducing the size of the on-campus data center would remove a notorious IT pain point for institutional providers. But there’s also a challenge because stability of the clinical environment is so closely tied to patient safety.
A move to the cloud in the clinical space can be extremely compelling, but obviously needs to be done in a way that doesn’t compromise patient safety or the organization’s HIPAA compliance status.
Health care cloud computing: Start small
First, it’s important to understand and analyze both what systems will move -- and when -- well in advance of a move. It doesn’t make sense to move each and every system.
For example, while it may be possible to virtualize and move off-premises a traffic-hungry, processor-intensive system like an image processing system, it may not be the smartest move. Bandwidth is already the bane of diagnostic imaging departments industry-wide, so increasing latency by routing traffic off site isn’t a good idea. And it’s not just traffic: Moving an EMR system without a plan for how to access patient charts in the event of a communications outage isn’t the best idea either.
Also, when to virtualize is an important consideration. Many organizations, eager to realize the financial benefits associated with moving to the cloud, sometimes lock in to “hard cutover” dates. They may for example (anticipating the reclamation of space in the data center) back out of lease agreements and schedule the cutover around uncompromising dates.
This kind of aggressive schedule, however, is dangerous in the clinical contest. Instead, a slow, controlled migration -- with well-defined iterative phases and plenty of testing in between -- minimizes the potential for patient impact. Useful candidates to migrate first are scheduling or financial systems that intersect the patient experience but do not directly impact safety or quality of care.
A useful tool to leverage for this planning is the “application and data criticality analysis” required under HIPAA Security §164.308(a)(7)(ii)(E) [i.e., “Assess the relative criticality of specific applications and data …”] Since you’re required to rank applications by criticality as part of HIPAA compliance, leveraging that list as a roadmap for cloud maximizes dollars already spent. Start here by scheduling your migration in reverse-criticality order (i.e., least critical to most critical), using the ranking as the input.
Health care cloud computing: Provider negotiations
It’s not a given that your cloud vendor knows what the HIPAA Security Rule is, let alone has a compelling story around it. This may change as HITECH extends enforcement to include business associates, but that change is down the road; short term, health care providers need these business associates to address it today or risk being out of compliance.
Obviously, validating compliance with the security rule prior to entering a cloud provider relationship is the optimal scenario. If pressed (particularly during the sales process), many service providers will open the kimono to demonstrate compliance, even in some cases creating per-customer matrices outlining how they comply with HIPAA’s security requirements on a implementation specification basis. So if you’re entering into a relationship with a vendor, asking the vendor to demonstrate compliance in advance can give you leverage.
However, since security isn’t always consulted well in advance, it’s not always possible to vet service providers for their security rule compliance in advance. If that’s the case, the onus is on the health care provider to understand and work around the security controls in place at the vendor and document how they address the security rule. Oftentimes, resources at the service provider can be enlisted to help do this; for example, most service providers maintain staff to respond specifically to this type of request. While not every vendor is able to (or willing) to assist, many are, so asking for help is always a good idea.
About the author:
Ed Moyle is a senior security strategist with Savvis as well as a founding partner of Security Curve.