HIPAA and HITECH Compliant Cloud Infrastructure

With HIMSS and RSA taking place at the end of February, now is a prime time to discuss healthcare and security. Let’s combine the two and look at crucial security features for healthcare organizations transitioning to the cloud.

The potential cost of breaches for the healthcare industry could be as much as $5.6 billion annually. (“Fourth Annual Benchmark Study on Patient Privacy & Data Security,” Ponemon Institute, March 2014.)

According to the Breach Level Index by Gemalto, a digital security company, in 2015 the healthcare industry had more records breached than any other industry, with over 84 million records exposed.

The growth of electronic patient records, IoT, wearable health technology and BYOD in the workplace puts more information at risk of compromise. Many healthcare companies, particularly electronic healthcare companies, consistently evaluate cloud options for “outsourcing,” letting industry experts or software manage some IT components and improve security. But even selecting an off-premise business associate for hosting, data centers, collaboration tools or content sharing can be difficult, especially after the highly-publicized breaches of Protected Health Information (PHI) of the last two years.

How do healthcare companies get compliant infrastructure to support cloud initiatives? First, what does it mean to have compliant infrastructure? If you handle patient health records or provide services for companies that work with sensitive patient health information, physical measures, network procedures and policies must be in place to ensure compliance with privacy and security regulations.

A healthcare payer or provider organization’s checklist for assessing a resource’s security capabilities covers the availability, integrity and confidentiality requirements that protect electronic patient health information (ePHI).

Technology in Healthcare

The following are considerations when going to the cloud:

  • Network: Understand the design of the colocation environment and data center solutions, along with integration, restrictions, redundant routers, switches and threat management devices that meet compliance requirements for sensitive data computing.
  • Managed Services: Support availability, expertise and certifications; firewall assessment (virtual or dedicated solution); detection services, breach notification and response times; the ability to support business continuity plans and provide proactive governance.
  • Storage: Regulatory compliance, audit frequency, flexibility, migration, encryption, backup and recovery.

With any cloud solution, take the time to assess and understand all options as they relate to the process and protocol requirements of HIPAA. What about disaster recovery solutions? What do backup systems look like? Where are they located? Learn about production and test environments and servers, whether the cloud solution provider works with other healthcare entities, and whether it employs data encryption services. Does each solution use valid SSL/TLS certificates and HTTPS for all web-based access to patient information?
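The last question above is one an assessor can verify directly rather than take on faith. The following Python script is an added example, not code from the original post or from TBI: it connects to a web-facing endpoint with full certificate-chain and hostname verification, then applies a few checks that go slightly beyond the question in the text (expiry warning window, subjectAltName coverage including one-label wildcards, and the negotiated protocol version). The hostnames and the sample certificate dictionary are constructed for illustration; the dictionary mirrors the format returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
"""Verify that a patient-facing endpoint serves HTTPS with an acceptable certificate."""
import socket
import ssl
import sys
import time
from typing import Dict, List, Optional

# Raise a finding when fewer than this many days of validity remain (assumed policy value).
EXPIRY_WARNING_DAYS = 30


def parse_cert_time(cert_time: str) -> float:
    """Convert the 'Mon DD HH:MM:SS YYYY GMT' timestamps used by getpeercert() to epoch seconds."""
    return ssl.cert_time_to_seconds(cert_time)


def _hostname_matches(pattern: str, hostname: str) -> bool:
    """Match one DNS subjectAltName entry against a hostname, allowing a single leftmost wildcard."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        # A wildcard covers exactly one label: *.example.test matches portal.example.test
        # but neither example.test nor a.b.example.test.
        return hostname.endswith(pattern[1:]) and hostname.count(".") == pattern.count(".")
    return pattern == hostname


def evaluate_cert(cert: Dict, hostname: str, now: Optional[float] = None) -> List[str]:
    """Return findings for a certificate in getpeercert() dict form; an empty list means acceptable."""
    now = time.time() if now is None else now
    findings: List[str] = []

    # The hostname must be covered by subjectAltName; the subject CN alone is not enough.
    san_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not san_names:
        findings.append("certificate has no DNS subjectAltName entries")
    elif not any(_hostname_matches(name, hostname) for name in san_names):
        findings.append(f"hostname {hostname} not covered by subjectAltName {san_names}")

    # Validity window, evaluated against the supplied clock so the check is reproducible.
    not_before = parse_cert_time(cert["notBefore"])
    not_after = parse_cert_time(cert["notAfter"])
    if now < not_before:
        findings.append("certificate is not yet valid")
    if now > not_after:
        findings.append("certificate has expired")
    else:
        days_left = (not_after - now) / 86400
        if days_left < EXPIRY_WARNING_DAYS:
            findings.append(f"certificate expires in {days_left:.0f} days")
    return findings


def check_https_endpoint(hostname: str, port: int = 443, timeout: float = 5.0) -> List[str]:
    """Connect with chain and hostname verification enabled, then evaluate the served certificate.

    Connection and verification failures are returned as findings rather than raised, so the
    function can be run over a whole inventory of endpoints."""
    context = ssl.create_default_context()  # verifies the chain against system CAs and checks the hostname
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with context.wrap_socket(sock, server_hostname=hostname) as tls:
                findings = evaluate_cert(tls.getpeercert(), hostname)
                if tls.version() not in ("TLSv1.2", "TLSv1.3"):
                    findings.append(f"weak protocol negotiated: {tls.version()}")
                return findings
    except ssl.SSLError as exc:
        return [f"TLS handshake or certificate verification failed: {exc}"]
    except OSError as exc:
        return [f"could not connect to {hostname}:{port}: {exc}"]


# Constructed sample in getpeercert() format; not a real certificate or a real organization.
SAMPLE_CERT = {
    "subject": ((("commonName", "portal.example-health.test"),),),
    "issuer": ((("commonName", "Example Health CA"),),),
    "notBefore": "Mar 10 00:00:00 2024 GMT",
    "notAfter": "Mar 10 00:00:00 2030 GMT",
    "subjectAltName": (("DNS", "portal.example-health.test"), ("DNS", "*.example-health.test")),
}

if __name__ == "__main__":
    # Offline demonstration on the constructed certificate, then optional live checks of hosts given on the command line.
    for name in ("portal.example-health.test", "api.example-health.test", "example-health.test"):
        print(name, evaluate_cert(SAMPLE_CERT, name) or "OK")
    for host in sys.argv[1:]:
        print(host, check_https_endpoint(host) or "OK")
```

Run it with one or more hostnames as arguments to check live endpoints; with no arguments it only evaluates the constructed sample. The offline `evaluate_cert` function is kept separate from the network call so the policy checks can be unit-tested and tuned (for example, the warning window) without touching production systems.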

The Opportunity

According to Skyhigh Networks Cloud Adoption & Risk in Healthcare Report, "the average healthcare organization uses 928 cloud services. This includes cloud services brought to an organization through employees’ own applications. Only 15.4% of these cloud services support multi-factor authentication, 2.8% have ISO 27001 certification, and 9.4% encrypt data stored at rest. The average healthcare organization uploads 6.8 TB to the cloud each month and without proper controls this data could be at risk."

There are many advantages for healthcare companies in migrating systems to the cloud, but a secure and reliable network makes or breaks the effort. With network virtualization, data can be viewed, stored and accessed machine-to-machine, remotely, and across mobile and other devices.

We covered what to look for in solutions that “comply” with healthcare regulations in terms of security features, but TBI partners have the ability and resources to go beyond the request for a healthcare-dedicated broadband network. Assess your customer’s complete business needs:

  • Multiple office locations and remote employees need a solution that accounts for multiple web browsers, tablets and mobile devices across counties and in multiple regions
  • Rural communities need alternatives to expensive commercial broadband or spotty coverage
  • Bandwidth needs for data transferring
  • Speed improvements for specific application delivery
  • Improved employee and patient interactions
  • Needs for better and improved websites
  • The need to free up IT staff
  • Eliminate network bottlenecks
  • Enable collaboration for voice, video and chat
  • Improve storage needs for medical records

Identify current challenges and select the right cloud technologies from TBI’s highly-vetted providers.


About the Author
As Director of Marketing at TBI, Corey Cohen is responsible for managing TBI’s marketing communications and implementing multi-channel branding and press strategies. In addition to driving TBI’s overall marketing strategy, Cohen directs both internal and external communications to ensure the delivery of valued products and programs to providers and partners alike. You can contact Corey at ccohen@tbicom.com or connect with her on LinkedIn.