healthcare_in_the_cloud

The Questions You Need to Ask

in the CloudHealthcare

2 Healthcare in the Cloud: The Questions You Need to Ask

Cloud services exist for the same reason that primary care physicians send their patients to a lab for blood work.

Rather than each physician acquiring the equipment and expertise to test blood in their own office, they enlist the services of specialized laboratories. Dozens of physicians are able to send their patients to the same lab, where a small team of specialists can perform each blood test more efficiently than could a primary care physician alone.

Just as some healthcare providers specialize in blood, cloud service providers specialize in electronic data.

There is no one-cloud-fits-all approach, but there are clouds that will fit you better than others. Before you place confidential healthcare data in the cloud, it’s important to understand the basics of cloud computing and how to assess a cloud service provider’s ability tohandle your data with care. In this guide, you will learn best practices to ensure a cloud service will fit your needs. We’ve also created a few scenarios to illustrate common concerns.

WHY DO HEALTH CARE PROVIDERS PLACE THEIR DATA IN THE CLOUD?

If you have any questions about the content of this guide,contact [email protected]


Today, many organizations use computers that are connected to each other via a local area network (LAN) infrastructure. Depending on the number of computers and the amount of data, they often coordinate through the use of an on-site server.Servers allow authorized users to share a central database, which places less demand on individual computers, resulting in greater overall computing power. On-site network infrastructure and servers are capital expenditures and often require dedicated IT staff to maintain.

A network becomes a cloud when servers and databases are no longer located on-site but are instead located in data centers, sometimes called server farms. Rather than a capital expenditure in quickly-outdated hardware, cloud services are usually an ongoing operational expense — a pay-as-you-go billing model. For a lower cost, healthcare providers can access the increased computing capabilities of the cloud.

Different types of clouds (page 4)balance data loads differently, but properly architected clouds are more efficient, and it’s usually a question of what type of cloud most closely aligns with your data needs. Likewise, different cloud service models (page 6) are appropriate for different levels of

WHAT IS THIS CLOUD? AND HOW DOES IT WORK?


technical demand and in-house expertise. A transnational health insurance provider with thousands of employees will require a different combination of clouds than a local optometrist with a just few patients and even fewer computers.

Cloud computing is neither inherently more nor less secure than a local area network. Either way, a network is as secure as it is built and used. Particularly for smaller organizations, cloud security is more affordably advanced than an in-house IT team. But the best networks still need to be reinforced with operational best practices—like periodic password changes.

There are many forms of clouds that go above and beyond what is required by health privacy legislation like HIPAA and PIPEDA. Most of them do so by utilizing the following cloud security best practices:

Geographic Redundancy is when your cloud provider stores your data in multiple data centers in differentlocations. If a natural disaster decommissions one set of servers, your service can continue.

Encryption is a process that makes protected health information viewable to only authorized users. A best practice is to encrypt healthcare data in use, in transit and in storage.

Failure to encrypt protected health information was a contributing factor in the 2014 Anthem HIPAA breach that affected up to 80 million Americans.

Data Destruction is more complicated than dragging a file into your computer’s recycling bin. Ensure that your cloud provider understands the difference between clearing, purging and destroying data—because HIPAA does.

Public – Common for personal storage apps like iCloud and sharing services like Dropbox, public clouds are the most widely used by individuals. Public doesn’t mean that just anyone has access to your data, but it does mean that all the data is hosted in the same servers—the same “attack surface”—so both security and performance can be hard to predict. Because of their relative vulnerability and lack ofconfigurability, they are not appropriate for most healthcare data.

IS THE CLOUD SAFE? AND HIPAA COMPLIANT?

WHAT KINDS OF CLOUDS ARE THERE?FOR HEALTHCARE PROVIDERS?

4 Healthcare in the Cloud: The Questions You Need to Ask 5 Healthcare in the Cloud: The Questions You Need to Ask

Purely Private – Best for organizations with fluctuating data usage or particularly high demand periods, private clouds are dedicated to just one organization or even a single department within an organization. Taking full advantage of the increased *scalability of private clouds requires dedicated IT staff. Because purely private clouds share many similarities with on-site servers, it can often be difficult to justify the transition.

Hybrid – A cloud is considered a public-private hybrid when your data is hosted on the same servers as the data of other organizations, also called tenants. This is called “multi-tenancy” or a multi-tenant cloud. While most clouds are multi-tenant, difference in their architecture can have significant effects on the performance of your cloud and the security of your data.

*Scalability is the ability of a network to grow, or shrink, to handle different volumes of data. For an on-site server, this usually requires a capital investmentin new server equipment, or for existing equipment to go unused. In most clouds, scaling is far faster and less expensive.

Multi-tenant Cloud with a Shared Database – It is possible for this kind of cloud to comply with HIPAA regulations through a computing process called dedicated instances. But a majordrawback of sharing your databases with other tenants is that the data loads can slow down your cloud’s performance. Updating or restoring information for one tenant will often require service outages for other tenants too. If someone has unauthorized access to another tenant’s database, they might have access to yours as well.

Multi-tenant Cloud with a Unique Database – With unique databases, healthcare providers are isolated from the effects of other tenant’s data loads, service outages, or security breaches. It is also possible to more closely audit the activities of your authorized users.


HeartCare Hospital - HeartCare has a combination of cloud services in addition to their on-site servers. Their IT team maintains a purely private cloud for their ADT, billing and archival data, while their EMR software runs on a multi-tenant cloud with a unique database.

HeartCare has had difficulty retaining in-house IT personnel that can meet the rigorous data security standards necessary for their private cloud. They are impressed with the security provided by their cloud-based EMR software.

Clouds are normally divided into three categories, depending on what they provide “as a service” (aaS): software (SaaS), platform (PaaS) or infrastructure (IaaS). Choosing a cloud service model has a lot to do with your level of in-house IT expertise or the extent to which you plan to contract IT professionals to set up customized operating procedures.

SaaS (Software as a Service)Commonly used personal clouds like Google Apps and Office 365 are examples of SaaS, but there are also many cloud applications designed specifically for businesses and healthcare providers. SaaS clouds replace the need to install softwareon a computer, and instead you can

access the same features through a web browser. In many cases, care teams with no IT staff can still utilize SaaS clouds for tasks such as for appointment scheduling, payroll or operative reporting.

PaaS (Platform as a Service) Essentially a method of renting hardware and network capacity, the PaaS model is great when running several customized applications. It usually requires a higher level of IT skill for setup and maintenance.

IaaS (Infrastructure as a Service) The IaaS model offers the greatest customization and scalability, but also requires the highest level of IT skill. Much like managing a large construction project, IaaS is often necessary for a hospital, but can be an unreasonable burden for a small clinic.

WHICH CLOUD SERVICES ARE THERE? AND WHICH ARE RIGHT FOR MY DATA?


Sunny Day Clinic - Sunny Day is a small clinic that employs a handful of physicians and has no dedicated IT personnel, though it occasionally contracts out for maintenance services. Up until recently, Sunny Day Clinic did everything on a small on-site server that was set up by a local IT services firm.

Now the clinic is using a cloud-based medical reporting software hosted on a multi-tenant cloud with a unique data-base. There has been only one service outage—for a unique feature extension that Sunny Day requested from their software developer.

Encryption refers to several similar methods of scrambling data so that it appears unreadable, or cryptic, to unauthorized viewers. With the proper authorization—the encryption key—you are able to view and use the data normally. A best practice is to then encrypt even the encryption key using a different encryption method. Be sure to ask any cloud service provider how they help you protect your encryption keys.

HIPAA does not strictly require protected health information to be encrypted. Rather, HIPAA considers encryption to be an “addressable implementation specification”. This means that if your organization determines encryption to be unnecessary, you are required to document your justification for this and continually re-asses this choice as your data needs evolve.

Because encryption is a healthcare IT best practice, HIPAA considers encrypted health information to be in a “safe harbor” in cases that could otherwise be considered breaches. To date, the most common forms of HIPAA breaches involve the loss or theft of devices storing unencrypted health information. When devices are are properly encrypted, a loss or theft is not a HIPAA breach because confidential data remains unreadable to unauthorized users.

WHAT IS ENCRYPTION?AND DOES HIPAA REQUIRE IT?


In addition to cloud security best practices such as encryption and geographic redundancy, legislation like HIPAA requires healthcare providers and their business associates to develop contingency plans for emergency situations. Before choosing a cloud service provider, it’s important to ask what procedures they have in place to ensure that both your healthcare applications and your patients’ protected health information are still accessible in the event of an emergency:

• Is my database separate from those of other tenants?

• If I need to use my backup data, how quickly can it be brought online?

• How geographically dispersed are your data centers?

• If one of your data centers goes offline, will it affect the performance of my cloud?

• Why do you use the kinds of encryption that you do?

• How do you protect encryption keys?

• What tech support services do you offer?

HeartCare Hospital - HeartCare manages their ADT, billing, backup, and archives on an IaaS cloud that was custom architected and is maintained by their in-house IT team. At the same time, their reporting and scheduling software are hosted on an SaaS cloud with minimal involvement from in-house IT. Despite the differences in service type, data is able to smoothly inter-operate between clouds and security exceeds HIPAA compliance.

Meanwhile, the hospital’s in-house IT team also works to digitize decades’ worth of tape records. They used a PaaS cloud environment to build a custom application for the digitization process, and transfer the data to their IaaS cloud archive.

WHAT IF SOMETHING GOES WRONG? WILL MY PATIENTS BE AFFECTED?

• Do you offer support during urgent situations?

• When was the last time you tested your emergency preparedness?

• What crisis situations have you handled in the past?

• Did cloud tenants experience any service outages, and if so, for how long?

• How have your emergency preparedness procedures improved over time?


(cont. from page 8:)HeartCare Hospital - During the 2014 California wildfires, an evacuation order temporarily decommissioned the data center that hosted HeartCare’s PaaS cloud. There were several weeks of intermittent service outages, and HeartCare was shocked to discover that their cloud service provider had not implemented geographic redundancy. If the wildfire had have reached the data center, HeartCare’s custom software would have gone up in flames.


Sunny Day Clinic- One morning, the staff at Sunny Day turned on their computers to discover that significant portions of the data on their in-house server had become infected by a type of virus called “ransomware”, which holds data hostage. Ransomware seizes your unencrypted data, encrypts it, and then demands bitcoin payment in exchange for the key to unencrypt your data. If you don’t pay, your data is destroyed.

Thankfully, Sunny Day’s in-house server had a properly encrypted backup, and they were able to put in an emergency call to their local IT services firm. Encryption helped them dodge disaster, but there was a two-day period when they were unable to use the appointment scheduling software installed on

their computers. Since this incident, Sunny Day has decided it’s time to improve their IT practices to avoid further inconvenience.

Sunny Day’s cloud-based synoptic reporting software was not affected, and clinicians were still able to securely complete reports from their tablets.

If you have any questions about the content of this guide, pleasecontact [email protected]

healthcare_in_the_cloud

Documents