In 2013, the Health Insurance Portability and Accountability Act changed to ensure cloud service providers took some of the responsibility of compliance for their clients. The new rules specifically called out cloud providers as business associates, stating these companies serve to store records on the behalf of covered entities, so they should take steps to protect that data.
The HIPAA omnibus rule suggests that if these business associates were to make an investment in securing their infrastructures, they could expand their clientele to include the healthcare industry.
The problem is not all cloud services are the same, and not all clouds are private. Many companies offer a public cloud that hosts several clients at once while still offering a HIPAA compliant offering. It’s the difference between owning a house and renting a unit in an apartment building. The question is: can a health organization really be HIPAA compliant if they use a public cloud?
What Does it Mean to Be HIPAA Compliant?
The Health Insurance Portability and Accountability Act regulates how electronically protected health information, or ePHI, is transmitted, stored and maintained. The goal is to protect individual privacy without interfering with health care.
When deciding to migrate healthcare-related services into the cloud, organizations have a choice to make:
-
Private cloud
-
Public cloud
A private cloud is a single-tenant infrastructure that gives the end-user, the client, dedicated access to all computing and storage resources. An analogy: if you own a house, you have the whole house to yourself; you don’t share the yard, parking, or utilities with anyone else. Similarly with a private cloud, the infrastructure is 100% dedicated to the client, and eliminates the performance and security issues associated with public cloud.
A public cloud, on the other hand, is a multi-tenant infrastructure, so everything is shared. There are some perks to this set-up. A public cloud tends to be more elastic, allowing you to add and subtract resources without committing to long-term infrastructure. For example, you can allocate 2x your computing footprint to handle a seasonal traffic spike, then immediately deallocate it when the season is over. The downsides, however, tend to be lower performance and increased attack surfaces, making security hard to control. Public clouds also tend to be more expensive at scale, requiring the user to pay rent forever (and at a premium).
Since HIPAA compliance is all about securing ePHI, is it possible to meet compliance standards with a public cloud architecture?
HIPAA Compliance and the Public Cloud
Top public cloud vendors do their best to ensure compliance, but it comes at a cost. The resources necessary to secure your specific slice of public cloud are expensive compared to the alternatives. Auditing a public cloud is tricky, too, so you start at a disadvantage from the outset since public cloud gives you less control and more complexity.
Compliance Benefits of a Private Cloud
The U.S. Department of Health and Human Services explains that covered entities should understand the basics of cloud computing before entering into an agreement with a service provider. You need to consider all the risks that come with the choices you make. For this reason, it’s critical to know the difference between a public and private cloud.
-
It offers better security — Do you feel safer living in a house or an apartment building with nothing but a thin wall between you and the next guy? What happens if your neighbor’s apartment catches fire? In a public cloud, there are underlying hypervisors that work like walls, but if another virtual machine is compromised, you are immediately at risk.
-
It offers more consistent performance — You have access to all the resources on your private cloud. This means all CPU cycles, network throughput and I/O operations are dedicated to your company’s needs and performance is consistently higher.
-
Information Assurance — In other words, you always know where your data is at any given time. Public clouds are more abstract. The data floats around the various regions of the cloud, leaving a trail that’s difficult to follow. There are multiple physical infrastructures to assess, whereas with a private cloud, it is easy to establish an audit trail, right down to the last time an engineer accessed your physical hardware.
-
Lower costs — It sounds like a public cloud would be more cost-effective, but that’s not true. Cost analysis shows a private cloud is up to 60 percent less expensive. For example, a company might spend an considerably more for a public cloud like Amazon each month, and that doesn’t include the cost of compliance adherence and associated operations work.
Don’t assume a private cloud is automatically HIPAA compliant, though. Some service providers offer compliance as an add-on feature, but no vendor can ensure HIPAA compliance for you. It’s better to look at companies like Lightcrest because they take a different approach to HIPAA compliance — one designed to create a foundation that maximizes your chances of a successful audit. The Lightcrest Kahu private cloud comes with rock-solid security designed with HIPAA mandates in mind right from the beginning. The single-tenant physical architecture offers an analytics dashboard to increase agility and ensure elasticity, so you get the on-demand provisioning you would expect from a public cloud, albeit on single-tenant infrastructure.