This article is a part of SearchCloudSecurity.com’s mini learning guide, HIPAA cloud computing advice: Ensuring cloud computing compliance.
With aging hardware and a growing business, GWR Medical Inc. faced the prospect of costly infrastructure upgrades. Instead, the company, which provides topical oxygen therapy to heal wounds, decided to shift its IT operations to Verizon’s cloud-based computing service.
But before signing the deal, Sean Geary, vice president and chief operating officer at GWR Medical and president and CEO at affiliate WoundMatrix Inc., made sure Verizon Business met its HIPAA compliance requirements by inking a HIPAA business associate agreement with the vendor. Verizon Business is a unit of Verizon Communications Inc.
“It’s required by law but it’s also important to us. …We have images of wounds and personal medical data. It’s very important that we take the proper precautions to protect that data.”
Many companies are eager to shift applications and IT operations over to cloud computing services in order to cut costs and improve efficiencies, but for a highly regulated industry like health care, the cloud raises major compliance concerns. HIPAA requires that health care companies protect the privacy and security of patient data. HITECH expanded HIPAA requirements, including an extension to health care business associates last year.
Concerns about HIPAA compliance are holding back many health care organizations, particularly hospitals, from jumping completely into cloud computing, said Chris Witt, CEO of WAKE TSI, a West Chester, Pa.-based IT services provider specializing in architecture and engineering services that works with health care organizations.
“We’re seeing a lot of health care organizations testing the water with non-PHI (personal health information) related applications,” he said.
HIPAA compliance in the cloud can be a challenge for health care organizations, Witt said. Health care companies are required to track user access to systems and applications, but visibility into that access can be complicated in a cloud environment, he added.
When moving from an in-house to a cloud-based system, security goes from being an activity-based process to being an audit process to “verify your cloud provider has met your standards,” said Dennis Hurst, a founding member of the Cloud Security Alliance and security specialist at Palo Alto, Calif.-based Hewlett-Packard Co.
“The challenge with HIPAA is that the standard isn’t terribly specific about what you need to do,” Hurst said. “The problem is that the cloud provider is not just subject to your interpretation of HIPAA, but everyone else’s. It has the potential to create a situation where it’s hard for a cloud provider to meet your criteria because they’re custom to you.”
But for Chadds Ford, Pa.-based GWR Medical, Verizon quickly agreed to its HIPAA business associate agreement. “It wasn’t a stumbling block,” Geary said. “I told them, ‘We can’t move forward without this.’”
GWR Medical’s devices and protocols are used to treat non-healing wounds in hospitals and homes; many patients are diabetics. Its affiliate, WoundMatrix, provides Web-based digital imaging software that measures the surface area of wounds to provide documentation of the therapy’s effectiveness for doctors, insurance companies and patients.
GWR, with WoundMatrix, moved its IT operations to Verizon Computing as a Service (CaaS) about 18 months ago. Geary reviewed other cloud service providers before choosing Verizon, but the others were smaller and he wasn’t comfortable with them handling sensitive medical data.
The company kept its original servers, but now uses them only for development. “With CaaS, you build your own virtual servers, which means you don’t have to invest in new hardware every couple years,” Geary said. The on-demand service makes it easy for his team to quickly provision and customize virtual servers, he added.
GWR uses WoundMatrix internally but also provides a hosted version for health care providers. The HIPAA business associate agreement with Verizon helps assure the company’s customers, who want guarantees of data security, Geary said. “I tell them, ‘We don’t have any data sitting in our offices. We have development machines, but everything is sitting with Verizon and we have a HIPAA agreement I can share with you,’” he said. “There are no questions after that.”