Understanding Healthcare Data Security and Privacy Obligations
Simplicity and affordability of IT are two major selling points for end customers in moving to the cloud. But in highlighting the benefits, MSPs must take caution not to let customers think the cloud offers a cure-all for data privacy and security.
Moving data to the cloud does not relieve customers of responsibility for protecting private data. This fact is especially relevant for healthcare companies subject to Protected Health Information (PHI) rules under the Health Insurance Portability and Accountability Act (HIPAA). PHI is health information linked to specific individuals that is transmitted or maintained in any medium, including electronic systems.
In their deals with healthcare customers, MSPs often act as intermediaries between end customers and cloud providers. This requires a delicate balance to ensure customers do their part to secure private data and cloud providers have the protocols and infrastructure in place to handle heavily regulated healthcare data. If you are an MSP specializing in this space, here are a few guidelines to consider:
Negotiate Wisely
When negotiating a deal, MSPs must explain that customers have a critical role in protecting end user data. Customers need to understand that, while the cloud typically provides added security, data remains the customer’s responsibility when it is handled by their users in their facilities.
Users access the cloud from their company’s network. As part of your contract with the customer, you may take on the responsibility to keep the network—as well as the applications and systems within it—secure and reliable. Check that the network is already sufficiently robust to import and export the types and amounts of data used and stored by the company. If it isn’t, get the customer to commit to bring the infrastructure up to the required standards.
Address Control Issues
When PHI data is moved to the cloud, the Covered Entity (CE) loses some degree of control. As defined in HIPAA, CEs include health plans, healthcare clearinghouses and healthcare providers that transmit health information electronically.
The loss of control results from sending data to servers outside the customer’s firewall. Unless the customer pays for dedicated resources in a virtual private cloud, the data goes to a server shared by other customers of the cloud provider in a multi-tenancy arrangement. That’s how the public cloud works.
In addition to sharing a server, your customer’s data and workloads may travel from one server to another as the cloud provider sees fit. Such data transfers may cross geographic locations more than once, unbeknownst to the customer. Be sure to go over this with customers to set the right expectations.
Implement Access Safeguards
CEs rely on their cloud provider’s expertise to secure their data and manage user access to it.
But keep in mind cloud providers have to deal with the same security issues that affect any other computer system or network. They can make an even more attractive target for hackers because of the concentration of data they handle.
So they take precautions to control access to CE data, such as imposing uniform, enterprise-wide management, privacy and security protocols. To further strengthen the privacy and security of those protocols, cloud providers may offer customers additional configurable security tools. That way, a customer can require stronger user authentication for access to data, beyond the cloud provider’s own authentication requirements. This adds an extra layer of protection that is entirely up to the customer to impose.
Check the Provider’s Record
Getting healthcare customers to understand their role in data security is key, but don’t forget to check the cloud provider’s track record. It is important to gain assurance that the cloud provider is following proper privacy and security safeguards in compliance with HIPAA before entering a partnership.
And whenever you sign a contract, be it with the cloud provider or the end customer, make the time to ensure all parties understand their responsibilities and that the contract clearly spells them out.
The cloud opens up a lot of opportunity and promise, but it comes with a lot of risk and responsibility when deployed without measure. Take the proper steps to protect yourself and your customers so that you both succeed.
Dan Liutikas is the Managing Attorney of ITLA | InfoTech Law Advocates, and also serves the greater IT industry as Chief Legal Officer of CompTIA, the premier IT trade association.