Digital Healthcare: Author. A HIPAA compliant cloud strategy. Choosing a Cloud Service Provider. Alex Ginzburg



A HIPAA compliant cloud strategy: Choosing a Cloud Service Provider
Author: Alex Ginzburg, VP of Technology, Intervention Insights, Inc.
Kanda Software, 200 Wells Ave, Newton, MA 02459, 617-340-3850

Over the past few years the number of innovative startups and established technology organizations focusing their attention on the various aspects of Digital Health has been steadily growing. In 2013, Digital Health funding exceeded $1.9B with 195 venture deals. Funding was up 39% from 2012 and 119% compared to 2011. Domestic growth has been further strengthened by the American Recovery and Reinvestment Act (ARRA) and the Health Information Technology for Economic and Clinical Health Act (HITECH), also known and commonly referred to as the Meaningful Use legislation. In 2014, the Digital Health industry is set to surpass total medical device venture funding. [1]

The fastest growing segments of the industry are:

- Electronic health record (EHR) solutions
- Clinical workflow optimization and support
- Patient and physician portals
- Data aggregation and analytics
- Medication management
- Wearables and biosensing
- Digital medical devices
- Patient engagement
- Wellness care, mobile access and delivery of the health-related

The majority of Digital Health organizations, particularly startups, face the challenge of striking the right balance between HIPAA compliance and running a lean business. Cloud technology enables healthcare organizations to focus their efforts on relevant services and improved patient outcomes, significantly reduces the burden of infrastructure management, simplifies technology adoption and drives operational costs down. Commercial elastic clouds, such as Amazon EC2, are among the options most commonly used by companies seeking to provide a high level of security and optimize operational costs.

Lack of compliance with HIPAA and other applicable security regulations can be a real showstopper for a Digital Health organization. The dynamics of an early-stage company often result in a decision to defer or even forgo the security- and privacy-specific legal reviews of the business and operating plans, which may translate into costly remediation efforts. An important contributing factor is the lack of legal and implementation consultancy available directly from government offices: as of today there is no official government-sponsored certification program for HIPAA consultants or organizations. Several private companies offer their own proprietary HIPAA assessment and certification programs, but the services may be costly for early-stage startups. For a Digital Health business there is no clearly defined pathway to achieving compulsory compliance status with HIPAA and other certification authorities.

Digital Health vendors who choose to deploy their solutions in the commercial cloud often have little or no control over where or how this data is moved, handled, or stored by the Cloud Service Provider (CSP). The vendor must require the CSP to sign a Business Associate Agreement (BAA), hence contractually agreeing to maintain all PHI as stipulated by HIPAA and other applicable standards.

There are several things that the management team needs to consider before moving into the cloud:

- Does the nature of the business require the company to acquire, store and/or exchange identifiable patient information? Can the added complexity be avoided? In some cases the use of de-identified health data may be sufficient to provide the added value to the service consumers.
- Does the team have full awareness of the scope of the company's compliance standards: all applicable Federal, State, and international (if applicable) patient data privacy and security laws, legislation and regulations? It is important to note that some State laws may strengthen the federal requirements. For example, the State of Texas (H.B. 300), among other amendments, changes the definition of a HIPAA Covered Entity. It is important to remember that there are additional requirements for the providers of EMRs and other software solutions used by the U.S. Federal Government, for example the U.S. Department of Veterans Affairs (VA) or the Department of Defense. Companies working with government entities should additionally adhere to standards developed by the National Institute of Standards and Technology (NIST).
- Does the company plan to use offshore resources, and what are the potential implications of that in the context of privacy and security?
- Will a private or a commercial cloud service provider (CSP) be more suitable and cost-efficient for SaaS/PaaS hosting and internal operations?

Cloud Service Provider Evaluation Criteria

A typical software vendor startup needs a hosting platform for its SaaS offering which can be easily scaled up or down depending on operational needs. Today a number of companies provide virtual hosting environments with different service level agreements (SLAs). Among the leading vendors offering commercial clouds are RackSpace, Amazon, and Microsoft Azure. A company needs to establish a Business Associate Agreement (BAA) [2] with the Cloud Service Provider to fully understand the CSP's liabilities and risks, as well as to be able to absorb those risks in the event of HIPAA non-compliance. A company should screen potential cloud partners for their physical, procedural, operational and technical readiness to house PHI (Protected Health Information) and to ensure the safety of transactions containing PHI data. A well-established commercial hosting facility holds a variety of industry certificates: ISO 27001, PCI DSS Level 1, SSAE 16 and others. When it comes to claiming HIPAA compliance, cloud vendors may use terminology such as "HIPAA enablement", which best represents their security-related technical capabilities, while refraining from claiming legal compliance. For example, among other features, DigitalOcean (www.digitalocean.com), a popular provider of hosted services, may indicate availability of data encryption and VPC (virtual private cloud) setup, but does not claim to be a HIPAA compliant provider.

When evaluating a potential CSP it is important to consider several points:

- Does the potential CSP have existing customers with a similar business model? Would the provider be willing to offer a reference contact?
- One of the most important assessing factors is the readiness of a CSP to execute a BAA with the client. It is important to carefully review the agreement and understand the delegation of the obligations and responsibilities of both parties.
- Perform comprehensive due diligence of the technical, physical and procedural safeguards and controls of the potential CSP.
- Does the CSP comply with any other data security standards, such as PCI DSS?
- Does the potential cloud service partner have a mandatory staff HIPAA awareness training program?
- Review the records of a recent HIPAA audit report. [3]
- As part of the technical due diligence, discuss the company's platform and architectural requirements and make sure that the CSP has technical provisions to support your compliance with HIPAA technology safeguards.

Bibliography:
1. http://rockhealth.com/2014/01/2013-digital-health-funding-report/
2. http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
3. http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html