In recent months, cloud computing is a topic that receives a lot of attention, especially when applying technology to healthcare. Cloud computing is becoming increasingly attractive for healthcare organizations, mainly due to the benefits offered by the technology, including lowering the company's IT infrastructure and energy costs, scalability, flexibility and availability.
At the same time, cloud computing poses significant potential risks to healthcare organizations, which must protect their patients from protected medical information or PHI, while respecting the HIPAA privacy and security rules. The increase in the number of registered PHI violations that have occurred over the past two years, along with the constant observance of HIPAA and the problems of confidentiality of PHI data, has slowed down the introduction of cloud technologies in healthcare.
To help healthcare organizations and providers reduce the PHI data security risks associated with cloud technologies, consider the following five best practices when choosing the right cloud computing provider:
1. Understand the importance of SSL. Secure Socket Layer (SSL) is a security protocol used by web browsers and servers to help users protect data during transmission. SSL is the standard for establishing reliable export of information over the Internet. SSL provides two services that help solve some cloud security issues, which include SSL encryption and the creation of a secure server and domain. Understanding how SSL and cloud relationships work means knowing the importance of public-private key pairs, as well as verified identification information. SSL is a critical component for ensuring a secure session in a cloud environment that protects the confidentiality and integrity of data
2. Not all SSL are created equal. The trust established between the healthcare organization and the cloud computing provider should also extend to the cloud security provider. The security of the cloud provider is as good as the reliability of the security technology they use. In addition, healthcare organizations must ensure that their cloud provider uses an SSL certificate that cannot be compromised. In addition to enabling SSL from an authorized third party, an organization must require security requirements from a cloud computing provider, such as a certification authority that protects its global roots, a certification authority that backs up disaster recovery, a chained hierarchy that supports their SSL certified, global roots with using new encryption standards and secure hashing using the SHA-1 standard. These measures will ensure that the content of the certified cannot be forged.
3. Recognize additional security concerns with cloud technologies. There are five specific areas of security risk associated with corporate cloud computing, and medical organizations should consider a few of them when choosing the right cloud computing provider. Five cloud computing security risks include HIPAA privacy and security compliance, user access privileges, data location, user and data monitoring, and user / session reporting. In order for healthcare organizations and providers to take advantage of cloud computing without increasing the security of PHI data and HIPAA compliance risks, they need to choose a reliable service provider who can solve these and other cloud computing security problems.
4. Ensure data segregation and secure access. The risks of data segregation are persistent in the cloud storage. In a traditional IT client environment, internal IT administrators of the organization control where data is located and access provided to clinicians and support staff. In a cloud computing environment, the cloud computing provider controls where the servers and data are located. Although some controls are lost in the cloud, a proper implementation of SSL can provide data privacy and access. Medical organizations will know that they are on the right path to choosing the right cloud service provider if they provide the organization with three key elements as part of their cloud hosting solution: encryption, authentication, and certificate validity. It is highly recommended that organizations require the cloud provider to use a combination of SSL and servers that support 128-bit session encryption, as well as require that the ownership of the shares is genuine before one bit of data transfer between servers.
5. Ensure that the cloud provider understands HIPAA compliance. When a healthcare organization transfers its IT infrastructure to a cloud computing provider, the organization is still responsible for maintaining HIPAA compliance with all privacy and security rules. Since healthcare organizations cannot strictly adhere to their cloud provider to meet HIPAA requirements, it is strongly recommended that you select a cloud provider with experience in HIPAA compliance and have compliance control procedures and procedures. Cloud computing providers who refuse to participate in external audits and security certificates signal a significant red flag and should be dismissed from further consideration.
SSL is a proven technology and the cornerstone of cloud computing security. When a healthcare organization assesses a cloud computing provider, the organization should consider the security options selected by this cloud provider. Knowing that the cloud provider uses SSL can go a long way toward establishing confidence. The right cloud provider should use SSL from an established, trusted, and secure independent certificate authority. In addition, when choosing a cloud computing provider, healthcare organizations should be very clear about their cloud provider in terms of handling and mitigating risk factors outside of SSL.
Healthcare organizations that effectively implement PHI security and proper HIPAA compliance checks as part of the cloud computing provider selection process will be best positioned to consolidate IT infrastructure, reduce IT costs, reduce the risk of PHI data breaches, and improve business resilience as a result technologies. This advocacy will allow health workers to focus more energy and resources for patients to improve care and results.
