Taking your medical practice to the cloud: What you need to know

March 11, 2019

The cloud offers exciting new opportunities for medical practices that leverage it strategically and safely.

Cloud computing is transforming the way medical practices serve their patients. Offering lower operational expense, increased scalability and flexibility, and remote access to applications and data anytime from anywhere, cloud technologies allow a practice to implement better ways of working and offer new services to patients. However, adopting cloud technology raises significant and often-overlooked cybersecurity and data privacy risks.

What is cloud computing?

Cloud computing gives practices a cost-effective way to leverage shared, on-demand computing resources that might otherwise prove cost-prohibitive to deploy and maintain. These resources can include networks, servers, storage, applications, and other services. Users pay a subscription fee to access and use a cloud provider’s resources, ranging from fully-developed software solutions (Software-as-a-Service, or SaaS) to a framework to deploy custom applications (Platform-as-a-Service, or PaaS) to full control of servers and storage (Infrastructure-as-a-Service, or IaaS). These options can significantly reduce the cost and time required to build out such a system and eliminate the need for physical server storage and maintenance. Some subscriptions will also include technical support in the event a problem arises. 

Three deployment models-private cloud, public cloud, and hybrid cloud- describe how resources are distributed and accessed. A private cloud has a single user. A public cloud has multiple users, each paying according to the services purchased and their usage. A hybrid cloud is a combination of the public and private models, generally with non-critical functions hosted in a public cloud, and sensitive information held in a private cloud. Most healthcare providers use a hybrid cloud to balance security and costs. 

Each service type and deployment model requires the user to transfer control of information and system components to the cloud provider. The provider handles application upgrades and maintenance, and data and applications are hosted on servers owned or leased by the cloud provider. This leaves the user with little or no control of where or how their data is moved, processed, or stored, raising concerns about the integrity of the provider’s systems, unauthorized access to data and systems, and availability of service. Cloud providers are themselves subject to data breaches, denial of service attacks, malware, and insider attacks. 

Securing your cloud

The HIPAA and HITECH laws require patient data to be properly protected, no matter where it is stored. Ultimate responsibility for protecting and securing the data remains with the healthcare cloud user (i.e., the medical practice). All practices using cloud technologies should use a HIPAA-compliant cloud provider willing to enter into a business service agreement detailing the use, disclosure, and safeguarding of patient data. But relying on HIPAA compliance is not enough. HIPAA is concerned with protecting the confidentiality, integrity, and availability of patient data, not with deterring cyberattacks. 

Medical practices need to proactively protect their data, applications, and systems-they cannot rely solely on the cloud provider. The cloud provider may provide a secure service, but it is up to the user to ensure that services are configured correctly and that they are being accessed appropriately through secure connections with careful limitations on who can access the data. Practices also need to maintain their in-house network security and install antivirus and anti-malware software, install firewalls, regularly update and patch programs and software, encrypt data, restrict access to network and cloud services, manage use of mobile devices, and properly train staff to ensure the integrity of their cloud services. 

Additionally, practices should conduct a thorough investigation of the cloud provider’s security policies and procedures. The provider’s security policies should be as strong as, or stronger than, those of the practice. Determine whether the provider has suffered any data breaches in the past, and if so, how they responded to the breach. 

Practices should negotiate a cloud service agreement specifying the scope of services provided and the specific responsibilities of the parties. The agreement should contain detailed provisions regarding security and privacy, such as moving, handling, and storage of data (Will data be stored on a dedicated server or a server shared with other practices?); data access and use (What forms of user authentication and authorization will be used?); data retention and disclosure limitations; insurance and indemnification; system availability and reliability; back-up and data recovery; return of data after termination of service use; threat and risk analysis; and disclosure and breach reporting requirements. The agreement should also provide procedures for periodically auditing and verifying compliance. 

The cloud offers exciting new opportunities for medical practices that leverage it strategically and safely. Cloud computing creates new security risks, but when practices understand those risks and work proactively to mitigate them, the cloud can provide a world of benefit while still reducing costs. 

Joseph E. Guimera is an attorney and founder of Guimeralaw Cybersecurity Advisory where he helps organizations plan, build, and execute cybersecurity programs. He can be reached at jguimera@guimeralaw.com.