What Are My Options for HIPAA-Compliant Cloud Storage?

When a cybercriminal breaches healthcare records, for them, it’s like hitting the motherlode. That’s because healthcare organizations possess more personal data than almost any other industry, save perhaps some government agencies. Healthcare data often includes names, birth dates, social security numbers, credit card numbers, and electronic protected health information (ePHI). It’s not surprising, then, that healthcare organizations remain a prime target for cybercriminals. In 2018, hundreds of healthcare data breaches occurred, exposing the records of millions of people. This means that compliance with the Health Insurance Portability and Accountability Act (HIPAA) has never been more important.

While HIPAA regulations have been in place since 1996, they changed considerably with the rise of the internet in 2002. In 2013, due to the prevalence of cloud computing, the regulations evolved again to acknowledge cloud storage providers. To protect individual privacy without interfering with health care, HIPAA regulates how ePHI is transmitted, stored, and maintained in the cloud.

To meet HIPAA compliance regulations, healthcare organizations have a number of options to consider when using a cloud-based or partially cloud-based infrastructure:

  • On-Premise Infrastructure

  • Public Cloud (with a potential MSP)

  • Virtual Private Cloud (VPC)

  • Hybrid Cloud

On-Premise Versus Cloud-Based Infrastructure

Parameters for maintaining HIPAA compliance through on-premise hardware (whether at an offsite company-owned facility or a third-party facility) are better defined than in the cloud, making compliance a bit more straightforward. However, it can be time-consuming and expensive: a healthcare organization must house an IT staff that is familiar with HIPAA regulations and also able to continuously monitor systems and logins, develop clear security incident procedures, and employ data encryption to ensure compliance is met. While some very large healthcare organizations may have the ability and the means to afford it, many don’t want the responsibility; and for small- and medium-sized organizations, the expense and risk of maintaining and relying upon a skilled staff is too great.

For these reasons, healthcare organizations of all sizes are turning to the cloud. But it’s not as simple as just lifting and shifting data to a cloud: healthcare organizations must choose between a virtual private, public, hybrid, or multi-cloud, and must do their due diligence when choosing a strategy. The U.S. Department of Health and Human Services states that healthcare organizations migrating to the cloud, whether diving in or testing the waters, need to understand the basics of cloud computing before entering into a service level agreement (SLA) with any provider. Simply signing an SLA with a provider that promises HIPAA compliance is not enough.


Public Clouds & MSPs Versus Virtual Private Clouds

A public cloud is a large, physical and virtual infrastructure shared with thousands, or perhaps millions, of users. Tech giants such as Amazon Web Services and Microsoft Azure are prime examples, and some organizations gravitate toward them strictly due to brand recognition. Of course, this shared, multi-tenant infrastructure can be cause for security concerns—and with an abundance of clients, customer service levels and performance may be lacking. Auditing a public cloud (for compliance and other issues) can also be complicated. The provider may not always be forthcoming, and many healthcare organizations do not have enough staff or expertise to ensure that their public cloud provider is HIPAA compliant and continues to maintain HIPAA compliance over time. That’s why some use a managed service provider (MSP) to complement their public cloud; the MSP is a third-party data center that monitors the compliance and security of the public cloud. Think of the MSP as a “cloud service broker.”

Of course, there is another option: the virtual private cloud (VPC). A VPC is just as virtual as a public cloud, yet unlike public cloud providers, VPC providers offer a level of isolation between customers through a private IP subnet, or Virtual Local-Area Network (VLAN), allocated per customer. The VPC gives healthcare organizations dedicated access to all computing and storage resources, eliminating many of the issues that keep healthcare leaders awake at night. A VPC can offer:

  • Increased security. Information passed through a VPC stays within a customer’s control without crossing the internet. In addition, with all customers operating on the same back-end infrastructure, VPC providers have a highly vested interest in keeping things running smoothly and securely, while maintaining high levels of uptime. To keep clients satisfied, reputable VPC providers typically spend much more time than any individual organization would to obtain this level of reliability and security.

  • Savings. Because VPCs are within a public cloud, customers still benefit from economies of scale, sharing costs with other organizations without compromising security.

  • Seamless upgrades. With all customers operating on the same hardware, the VPC provider can upgrade everyone incrementally, with no downtime; most providers will refresh the underlying hardware while also acquiring faster and better hardware. Over time, customers’ workloads will also become faster and more secure!

  • Information assurance. You know where your data is at any given time. Public clouds are more abstract, with data moving throughout various regions of the cloud. That means there are multiple physical infrastructures to assess, which can also be a compliance concern.

HIPAA in a Hybrid Cloud

Healthcare organizations uncertain about going all-in with the cloud may choose to take a hybrid approach to cloud migration, often called “the best of everything.” With a hybrid cloud, a portion of data remains on-premise, less sensitive data is moved into a compatible public cloud, and sensitive or mission-critical data is housed in a virtual private cloud (VPC). Part of the appeal of the hybrid approach lies in cost savings due to economies of scale. The portion of the workload an organization chooses to run in a public cloud or VPC benefits from sharing the cost of electricity, HVAC, maintenance, software updates, backups, and more, with thousands or millions of other users. In addition, many large healthcare organizations already possess a number of on-premise servers and don’t want to throw away that investment until it becomes obsolete; these organizations may choose to take advantage of certain services, such as Disaster Recovery as a Service.


Migrating to a HIPAA-Compliant Cloud

So which type of cloud is right for you? If you’re a healthcare organization of any size, DSM can help by:

  • Supporting on-premise infrastructure with services such as Disaster Recovery or Data Protection.

  • Migrating your data into our H-Cloud, a HIPAA-compliant VPC designed specifically for healthcare organizations.

  • Providing MSP services for your workloads in a public cloud.

  • Seamlessly integrating some of your workloads into our H-Cloud while you maintain some infrastructure on-premise.

Want to learn more about DSM’s services? Contact our IT experts today.
