Why Using the Cloud to Maintain HIPAA-Compliant IT Makes Sense

by Chris Preimesberger

When using a hosting provider, there is no need to maintain your own data. A managed hosting provider that is truly HIPAA-compliant will sign a Business Associate’s Agreement, provide core security services and conduct other essential monitoring and reporting tasks to ensure compliance with HIPAA regulations. Fixed monthly fees would enable you to instantly extend your IT department at a fraction of the cost it would take to buy the hardware up-front and maintain the infrastructure and staff trained in HIPAA compliance.

The rapid pace of cloud computing adoption presents some obvious concerns around security and compliance. Companies should be able to view security and compliance as an added benefit, not a burden. This is achievable by engaging a reputable hosting provider that can actually improve your data security and compliance while providing a service-level guarantee on your security.

Encryption should be a best practice for any security-conscious organization. The increase in cyber-threats and data theft presents a strong case for building an infrastructure that delivers strong computing performance without sacrificing data security. In fact, to meet HIPAA standards, data must be maintained in a manner that is unreadable, undecipherable and inaccessible to outside parties. This clause is usually addressed via encryption of data both while in transit and at rest.

HIPAA-compliant providers include robust VPN capabilities and Secure Sockets Layer (SSL) encryption products for data in transit. Depending on your application architecture, knowledgeable providers will have experience in implementing products for encrypting application services, databases or file repositories on disk. Although encryption is not a 100 percent guarantee, it is a very essential piece of a multi-layered, compliant defense as it ensures that data is protected, even if accessed by unauthorized individuals.

Ensuring security around the office is extremely important. This includes using employee badges, monitoring guests coming in and out, and locking file cabinets, for starters. Moving sensitive data to a secure hosted facility increases the safety of data from internal threats as hosting providers employ many safeguards to protect their customers’ data.

Health-care providers can restrict users from saving data to external drives and can prohibit the printing of protected documents. In addition, data centers are protected by a number of layers of security, including multiple levels of electronic building and facility access secured by magnetic locks, 24/7 on-site personnel, monitored and recorded closed-circuit cameras, mantraps and mandatory identity logging of all outside visitors.

Highly available private cloud environments have redundancy built in, and compute resources are not shared with other customers’ environments, which eliminates potential security risks. This setup integrates multiple types of backups in the event of an emergency, such as a natural disaster. Local backups are placed on a secondary disk within the data center and are available for fast data recovery. The data is also spun off to tape and sent to a facility outside the data center, addressing the off-site storage clause within the HIPAA regulations. If a disaster occurs that renders the data center unusable, the backups can be sent to another data center location.

Any company handling PHI or working with electronic medical records (EMR) is required to go through an annual HIPAA assessment, which ensures all proper safeguards are in place and up to industry standards. The assessment preparation process is extensive and requires strong data center expertise and experience in the health care IT space. Outsourcing this task can help free up resources to focus on growing the business as opposed to worrying about compliance and data center operations. Ideally, a chosen provider would have a dedicated compliance team to assist customers (and their customers) with completing compliance-related documentation.