When it comes to health, privacy is of utmost importance. Even when a secure Internet service is used to store the data, patient data must stay on lockdown. It is also the law.
HIPAA, the Health Insurance Portability and Accountability Act (also known as the Standards for Privacy of Individually Identifiable Health Information), was passed in 1996 by the U.S. Congress and effective as of July 1, 1997. The purpose of the Act is to prevent fraud and abuse in the delivery of sensitive healthcare information.
The privacy rules give patients control over how their health information is used, including information placed in their medical record, conversations with their provider about treatment, and clinical billing information. Under the Act, patients are also allowed to request copies of their medical records, have corrections added, and decide whether to give permission for their health information to be shared. It also requires “covered entities” to put appropriate controls in place to secure patient information.
According to the U.S. Department of Health and Human Services, covered entities are: a healthcare provider that conducts certain transactions in electronic form, a healthcare clearinghouse, or a health plan.
Covered entities are responsible for the secure transmission of protected health information (PHI). The penalties for neglecting to implement the necessary security controls can be monetary or can result in imprisonment. Among other things, HIPAA prohibits these entities from downloading PHI to computers without encryption or transmitting it over open networks.
How Cloud Computing Changes The Game
In a normal HIPAA-related storage security situation, the “covered entity” (meaning the healthcare provider) implements the data security controls detailed by the HIPAA law (and documents them, too). But, as Tech News World explains, the cloud changes things. In a cloud computing situation, “most security activities occur in partnership between the vendor and client.” That means the cloud provider, as a business associate, is responsible for implementing the HIPAA-compliant controls for storage. Under the 2009 HITECH Act (Health Information Technology for Economic and Clinical Health Act), cloud service vendors have the same security responsibilities as covered entities.
Cloud & HIPAA: Does It Put Your Data More at Risk?
In 2009, Amazon Web Services released a whitepaper called “Creating HIPAA-compliant medical data applications with AWS.” However, some security experts, such as Craig Balding and Danny Lieberman, have raised questions about the overall security implications of the service. For example, each Amazon Web Services account has a corresponding security key, but just one; if that key is disclosed, security breaks down completely. (Moreover, you can’t restrict the IP address from which the key can be used.) Additionally, customers can’t view a log of “security calls” or of authentication attempts by outside parties.
These security experts emphasize that, for full HIPAA compliance, the whole chain of data processing needs to be analyzed.
How Safe is the Cloud for Health?
Despite some popular misgivings, it appears that the cloud is actually fairly safe for health data. A recent Software Advice report, based on findings from the U.S. Department of Health and Human Services, showed that hacking of cloud-based electronic health systems constituted about 22% of HIPAA violations, and only 12% of breached locations were computer networks. In total, 30% of the healthcare industry utilizes the cloud.
How Can You Ensure Patient Data Is Safe?
Logicalis security analyst Von Williams says that if you’re a healthcare provider, you should look for the following necessary controls in your cloud business associate’s security program: encrypted data in transit and at rest, breach notifications, localized storage (in the U.S., where it is subject to U.S. laws and regulations), and a plan for disaster recovery. (For more detailed analysis, check the link above.)
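As an added example (not from this article, and not from the AWS whitepaper it cites), here is an AWS IAM policy for an application identity that addresses two of the concerns raised above: instead of the single account-wide key, a narrowly scoped credential that can only reach the PHI bucket, only from an approved network range, and only over TLS (the “encrypted in transit” control). It assumes the IAM service that AWS has offered since the period the article describes; the bucket name and the 203.0.113.0/24 range are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PhiAppReadWriteFromApprovedNetworkOnly",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::EXAMPLE-PHI-BUCKET/*",
      "Condition": {
        "IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]},
        "Bool": {"aws:SecureTransport": "true"}
      }
    },
    {
      "Sid": "DenyAnyUnencryptedTransport",
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::EXAMPLE-PHI-BUCKET",
        "arn:aws:s3:::EXAMPLE-PHI-BUCKET/*"
      ],
      "Condition": {
        "Bool": {"aws:SecureTransport": "false"}
      }
    }
  ]
}
```

A leaked credential bound by this policy is useless outside the approved range and cannot touch anything but the one bucket, and every call it makes is recorded by AWS CloudTrail (assumed to be enabled separately), which covers the missing “log of security calls” the experts above point out.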