In recent years, healthcare companies have been moving their services into the cloud at a rapid rate. By 2020, the healthcare cloud computing market is expected to grow at a 20.5% compound annual growth rate to reach about $9.48 billion. This expedited growth does not come without security concerns, however. Recent studies have reported that, of the hundreds of cloud applications in use within hospitals, 93% pose a security risk to the hospital.
At Keystone IT, we recommend taking into account several factors including the following:
Is the cloud HIPAA compliant?
When trusting a company or data center with your patients’ ePHI, it is imperative that you ensure that the cloud computing service you are using is HIPAA compliant. There are several factors to consider for compliance, but most importantly, your cloud provider should be conducting Security and Risk Assessments annually and should be willing to sign a Business Associate Agreement (BAA). Any cloud provider serving the healthcare community will be able and ready to show you how their practices align with the requirements laid out by HIPAA.
At Keystone IT, we had one of the first independent HIPAA compliant clouds. Our local engineers designed and installed the cloud to function within the rules laid out by HIPAA. Not only did we design our cloud within a local data center, we also have complete access to it and are able to swiftly and easily make changes to the infrastructure when necessary. Furthermore, because we own our cloud, as opposed to renting cloud space from a large cloud resource, we are better able to customize your cloud to your needs while still fulfilling your HIPAA requirements.
Is HIPAA compliance enough? What other security measures are taken?
While it is comforting to know that your data is held in a HIPAA-compliant cloud, compliance alone does not ensure the security of the ePHI. The most recent HIPAA rulemaking, the Omnibus Rule, went into effect in March 2013. It is nearly three years old, which is a lifetime in the cyber-security world. Furthermore, the HIPAA Security Rule has never required that stored data be encrypted: encryption is an “addressable” implementation specification, not a mandatory one, so a provider can be compliant while holding ePHI in the clear. Ultimately, HIPAA keeps the onus of security on the covered entity: the healthcare provider remains responsible for its patients’ ePHI, and that responsibility does not transfer to the cloud service.
At Keystone IT, we have a security and compliance team that keeps up with the latest trends and works daily to keep your data protected. We monitor changes and risks and adjust our policies to ensure that we protect your data and business. Having stayed ahead of the changes made to HIPAA since the founding of our company, we continue to anticipate and adjust based not only on what HIPAA has already said about cloud services, but also on what we project it will require in the future. By planning ahead, we protect both your data and your budget.
What about encryption?
One of the most important safeguards healthcare companies can take to protect their ePHI is client-side encryption of data: the data is encrypted before it leaves the organization, under keys the cloud provider never holds. Using current cryptography, data and applications can be encrypted so that even if a breach does occur, the ePHI remains protected because it is unreadable to the attacker. Furthermore, by encrypting data at rest and in motion in line with HHS guidance, a healthcare company can claim “Safe Harbor” under the Breach Notification Rule if a breach does occur, because properly encrypted ePHI is not considered “unsecured.” Note that this only holds if the encryption key was not compromised along with the data.
We work with each of our clients to design and specify a data encryption method that works best for their needs. Our security and compliance team works directly with each client to encrypt their data and to keep the encryption key separate from the data, so that a breach of the stored data does not also give away the key needed to read it. When working with Keystone IT, even if there were a security breach, the ePHI in our cloud would still be protected.
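The key-separation idea described above, worked through as an added example (this is illustrative code written for this page, not Keystone IT’s implementation): each record is encrypted client-side under its own data-encryption key (DEK), the DEK is wrapped under a key-encryption key (KEK), and only the ciphertext plus the wrapped DEK is sent to the cloud. The KEK is assumed to live on the client side (for example in an on-premises key server or HSM). The record format, function names and the sample patient record are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredRecord is the only thing that reaches the cloud: the encrypted ePHI
// plus its DEK wrapped under the client-held KEK. The KEK itself is never
// stored alongside the record (assumption for this example).
type StoredRecord struct {
	Nonce      []byte // GCM nonce for the record ciphertext
	Ciphertext []byte // AES-256-GCM ciphertext of the ePHI record
	WrappedDEK []byte // nonce || AES-256-GCM ciphertext of the DEK under the KEK
}

const gcmNonceSize = 12 // standard GCM nonce length in bytes

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aeadSeal encrypts plaintext under key with a fresh random nonce and binds
// aad (the record ID) into the authentication tag.
func aeadSeal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

// aeadOpen decrypts and verifies; a wrong key, wrong aad or a modified byte
// yields an error rather than garbage plaintext.
func aeadOpen(key, nonce, ct, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

// EncryptRecord generates a per-record DEK, encrypts the ePHI under it, then
// wraps the DEK under the KEK. recordID is used as AAD so a ciphertext cannot
// be silently swapped between patient records.
func EncryptRecord(kek []byte, recordID string, phi []byte) (StoredRecord, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return StoredRecord{}, err
	}
	nonce, ct, err := aeadSeal(dek, phi, []byte(recordID))
	if err != nil {
		return StoredRecord{}, err
	}
	wrapNonce, wrapped, err := aeadSeal(kek, dek, []byte(recordID))
	if err != nil {
		return StoredRecord{}, err
	}
	return StoredRecord{Nonce: nonce, Ciphertext: ct, WrappedDEK: append(wrapNonce, wrapped...)}, nil
}

// DecryptRecord must unwrap the DEK with the KEK before the ePHI can be read,
// so a dump of StoredRecord values alone does not yield ePHI.
func DecryptRecord(kek []byte, recordID string, rec StoredRecord) ([]byte, error) {
	if len(rec.WrappedDEK) < gcmNonceSize {
		return nil, errors.New("malformed wrapped DEK")
	}
	dek, err := aeadOpen(kek, rec.WrappedDEK[:gcmNonceSize], rec.WrappedDEK[gcmNonceSize:], []byte(recordID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return aeadOpen(dek, rec.Nonce, rec.Ciphertext, []byte(recordID))
}

func main() {
	kek := make([]byte, 32) // client-side KEK; in practice loaded from a key store
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	// Constructed sample record, not real patient data.
	phi := []byte(`{"mrn":"000123","dx":"J45.20","note":"follow-up in 2 weeks"}`)
	const id = "patient/000123/visit/7"

	rec, err := EncryptRecord(kek, id, phi)
	if err != nil {
		panic(err)
	}
	back, err := DecryptRecord(kek, id, rec)
	fmt.Printf("round trip ok: %v\n", err == nil && string(back) == string(phi))

	// Breach scenario: the attacker has the stored record but not the KEK.
	_, err = DecryptRecord(make([]byte, 32), id, rec)
	fmt.Printf("decrypt without KEK fails: %v\n", err != nil)
}
```

Because every record gets its own single-use DEK, GCM nonce reuse is not a concern, and rotating the KEK means re-wrapping the small DEKs rather than re-encrypting every record. The AAD binding also means a record copied under another patient’s ID fails to decrypt instead of being silently misattributed.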
Is the architecture secure? How will we know?
A big benefit of migrating to the cloud is that it frees the healthcare company’s internal IT department from establishing and maintaining the physical infrastructure. To do so safely, however, a healthcare company needs to select a cloud provider who can assure a secure architecture. In the healthcare environment, cloud-ready solutions allow a healthcare organization to control its data while using a cloud provider for computation and storage. Internal IT can also request certifications and audit reports and perform penetration tests periodically.
The Keystone Kloud has a secure architecture that is regularly tested and is currently used by large health systems and small practices alike. In our cloud, you control your data and are able to access and move it as you wish. Your team has the right to review our certifications, audits and Security Risk Assessments. We will help you perform penetration tests, and we have a team available to complete them for you if you prefer.