Chances are, you've heard about cloud computing but may not know much about it and how it relates to HIPAA. Here, we answer a few key questions about cloud services.
Cloud hosting — what is it?
Cloud hosting has many variants and goes by many names, but it generally refers to the IT model where a medical practice uses computer servers and data-storage systems located in a service provider's data center rather than onsite at the practice. Some people think that since the word "cloud" is used, there is somehow magically no more hardware issues to worry about. On the contrary, a typical cloud-hosting facility has massive amounts of hardware and software systems.
Cloud is so new, is it right for healthcare?
Cloud hosting is actually not a new concept. In fact, versions of cloud hosting under different names have been around for nearly 30 years. In the early days of massive mainframes, such companies as Boeing Computer Services and Computer Science Corporation offered these services under the terms "timeshare" and "service bureau." Over the years many other labels have been used, including application service provider (ASP), software-as-a-service (SaaS),infrastructure as a service (IaaS), utility computing, and hosting. Finally about five years ago, the label "cloud" finally took hold, and although some of the terms above are still relevant in specialized circumstances, cloud hosting covers the overall concept.
What has made it an attractive solution for healthcare?
Recent advances in several areas, including server and storage virtualization, and increased bandwidth of broadband services, have made cloud hosting much more attractive. In addition, server architecture — including both processing horsepower and processing (CPUs) — have become massively scalable. And improvements in management software have significantly added to both performance and reliability. These advances in technology have prompted significant changes in the way cloud services can be configured and delivered.
What about the cloud and HIPAA?
Cloud services are not automatically HPAA compliant. In fact,not only are many cloud providers not HIPAA compliant, they are wholly ignorant of HIPAA principles. The new HIPAA Omnibus rule released earlier in 2013 required all service providers to undergo a HIPAA compliance and remediation program by September 23, 2013.
(If you are using a cloud provider, you should contact them and request a copy of their HIPAA compliance program documents, and also request that they sign a Business Associate Agreement. If they cannot produce them, or they are reluctant to execute a BAA, you have a major problem.)
Cloud-hosting services can be made HIPAA compliant, provided proper HIPAA security is built into the platform, along with HIPAA-compliant processes and procedures for its operation.
What are the big advantages of cloud over onsite servers, storage, etc.?
Perhaps the biggest advantages are in the ability to grow as the practice’s needs grow, and to avoid the costly and disruptive effects of repeated computer upgrades every few years. Most people understand that new computer systems are obsolete within a few months after they are installed. So system designers have to anticipate future needs and buy more capacity than they really need, based on anticipated requirements of a few years down the road. Eventually the needs increase and even the "new" equipment becomes underpowered. So in a computer system "lifecycle," for the first few years there is too much capacity, and for the last few years there is too little capacity. Therefore for most of the time, the system is either too big or too small.
Cloud services allow the computing horsepower — CPU, memory and hard drive space — to be "dialed-up" as needs increase, so it can keep pace with the needs of the practice. And generally that upgrade can be done without the downtime typically associated with a computer system "forklift upgrade."
And a good cloud provider is generally able to offer access to hardware and software tools that would be unaffordable to a typical practice.
What about support?
This is critical, and it is important to make sure you understand what is being provided to the practice by a cloud provider. With onsite servers and other infrastructure, you have to have staff (or contract with an IT provider) to maintain your servers and take care of things like data backups, operating system patches, etc. With cloud hosting, those services are still necessary, and in most cases they can be provided more efficiently than with an onsite model. However not all cloud providers deliver those services automatically, so you need to check and make sure.
Are cloud services foolproof?
No, since there is still hardware, software — and people — involved, there is still the potential for outages and downtime, so you need to do your homework and make sure you understand the risks as well as the advantages.
My EHR is hosted —does that mean I’m good to go as far as HIPAA is concerned?
Not at all. There has never been a reported HIPAA breach from an EHR — either hosted or onsite. The main culprits have been e-mail, files stored locally, and the theft of portable devices like laptops and USB drives. So you need to consider your non-EHR applications, and make sure they are properly secured. This is true whether those applications are running locally or with a cloud provider. One advantage of properly designed cloud services is that they tend to not allow healthcare data to be stored on local devices.
Next month: Cloud myths and misnomers, along with a healthcare cloud checklist