Businesses and organizations in the healthcare industry need to comply with HIPAA data security and privacy regulations regarding the handling of patient data. This article will look at achieving and maintaining HIPAA compliance using two different cloud computing models. We will compare the traditional cloud model and a dedicated hosting solution. Based on a company’s resources and requirements, it may be difficult to decide which solution is the best fit.
We hope to clarify that issue and help you make this important decision. The right choice needs to consider multiple factors related to the capabilities of the organization and its cloud provider.
What’s Involved in Meeting HIPAA Guidelines
The objective of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is to safeguard protected health information (PHI) and electronic protected health information (ePHI). PHI is individually identifiable health information: demographic, medical, or payment data that relates to a person’s health or care and can be linked to that person, held or transmitted by a covered entity or its business associate. ePHI is PHI that is created, stored, or transmitted in electronic form.
Organizations that are required to comply with HIPAA regulations are subject to the requirements of the HIPAA Privacy Rule and the HIPAA Security Rule. Two types of organizations are responsible for complying with them. A covered entity (CE) deals directly with patients, as in the case of a doctor’s office, hospital, or health plan. A business associate (BA) is a vendor or partner that creates, receives, stores, or transmits PHI or ePHI on the CE’s behalf (a cloud hosting provider that stores ePHI is one example) and must itself maintain HIPAA compliance.
The HIPAA Privacy Rule applies to all forms of PHI, whether spoken, on paper, or electronic. Its primary function is to regulate access to PHI and define how it may be used and disclosed. Its de-identification standard lists 18 types of identifiers, such as names, social security numbers, and medical record numbers, that must be removed before health data is no longer considered PHI.
The HIPAA Security Rule applies only to ePHI, that is, PHI that is electronically transmitted, stored, or processed. The rule specifies general security requirements that CEs and BAs must follow to maintain HIPAA compliance. Organizations must:
- Ensure the confidentiality, integrity, and availability of all ePHI that they create, receive, maintain, or transmit.
- Protect ePHI against reasonably anticipated threats or hazards to its security or integrity.
- Protect ePHI against reasonably anticipated uses or disclosures that the Privacy Rule does not permit.
- Ensure that their workforce complies with the rule.
Three classes of safeguards are defined in the HIPAA Security Rule outlining the measures that need to be taken to protect ePHI.
- Physical safeguards provide for the physical security of the facilities, systems, and devices that store or access ePHI.
- Technical safeguards consist of the access controls, audit controls, integrity controls, authentication, and transmission security implemented to protect ePHI while it is transmitted, stored, or processed.
- Administrative safeguards cover how an organization performs risk analysis and risk management, trains its workforce, and implements the policies and procedures that ensure compliance with the Security Rule.
As you can see, maintaining a HIPAA-compliant information technology (IT) environment is a challenging task. Healthcare organizations and their business associates that fail to maintain HIPAA compliance are subject to substantial fines and to the negative publicity that surrounds a breach of ePHI.
A Comparison Between a Cloud and Dedicated Hosting Solution
Most organizations in the healthcare field do not have the necessary in-house resources to maintain an on-premises HIPAA-compliant data center. Implementing the safeguards mandated by the Security Rule demands a highly secure and redundant infrastructure.
Rather than attempting to enact and maintain HIPAA compliance with an ad-hoc and in-house solution, many organizations are turning to the cloud. As with other types of computing environments, cloud providers offer an easier and more cost-effective method of implementing a HIPAA-compliant environment.
Cloud vendors offer covered entities multiple ways to address HIPAA compliance. Most commonly, covered entities can choose between an infrastructure built on public cloud hosts or one that relies on dedicated cloud hosts. Let’s look at how the two solutions compare to identify the best route for your company.
In a dedicated host environment, the cloud provider makes available the dedicated hardware components to a single customer. These dedicated hosts are used to provide compute and storage capabilities. Your databases or applications will not be sharing resources with another customer, enabling the infrastructure to be tailored completely to your needs.
Security is enhanced with a dedicated hosting solution because it removes the class of attacks that depend on an attacker’s workload sharing your physical hardware, such as cross-VM side channels or a hypervisor escape launched from a neighboring tenant. The provider’s hypervisor and management plane are still shared infrastructure, so they remain in scope of your risk analysis.
A dedicated host environment provides customers with more control over how the hardware is used and managed. Scaling up or down can be slightly more challenging with a dedicated hosting solution, since a dedicated host cannot be resized instantly. Some providers, like Atlantic.Net, do allow live migrations, so your cloud servers will not see downtime when they need to move to a larger host system. A single dedicated host is also a single hardware failure domain; how much that matters depends on the hardware tier you select, since both lower-end and higher-end hardware offerings are available for dedicated hosts, and on whether you configure redundancy across more than one host.
With Dedicated Hosts, the customer is able to remove the potential of any noisy neighbor issues from occurring on their host. The customer also has the ability to shift workloads across different nodes if a cloud server starts to use more of a certain resource than originally planned.
Some software licensing, for example, those from Microsoft, can require you to only deploy on dedicated hardware that is defined as non-shared or not multi-tenant hardware. This is where Dedicated Hosts would be an excellent option while still utilizing the benefits of cloud platforms.
The first major difference between using cloud servers and dedicated hosting is that with cloud servers you are sharing physical hardware with other customers with specific resources allocated for your systems. A dedicated host restricts the use of the hardware and ensures you are not sharing it with other clients.
Cloud servers’ elasticity results in greater and on-demand scalability to address fluctuating enterprise requirements. Customers using dedicated servers need to have a better understanding of their future needs when provisioning resources.
Cloud servers offer a more economical path toward HIPAA compliance for smaller deployments. Once a deployment requires more than $500 of cloud services, a dedicated host is often the better choice from a cost perspective.
Choosing a HIPAA Compliant Cloud Solution
The choice between a HIPAA-compliant infrastructure hosted on cloud servers and a dedicated hosting solution must take the needs of the prospective client into account. In most cases, a dedicated hosting solution provides a stronger environment for protecting ePHI because it segregates your systems from other tenants; in either model, compliance still depends on the safeguards you and your provider actually implement.
When deciding on how to implement your HIPAA-compliant infrastructure, the following questions need to be addressed.
How large of an infrastructure is needed?
In cases where a single application, such as an email system, is subject to HIPAA guidelines, you may not need to employ dedicated hosting. A HIPAA-compliant virtual cloud server and fully managed services that encrypt data transmission may be all that you need.
If you have more extensive needs and are running databases or other applications that need to meet HIPAA requirements, a dedicated hosting solution will probably serve you better. You will have more control over the resources and not be impacted by other tenants.
Do you have extensive technical resources?
A dedicated hosting solution may require more technical input from the customer depending on the selected provider. If your organization lacks these resources, you may want to look at using cloud servers or a provider that offers support and management assistance for the dedicated hosts.
Is latency an issue?
Latency can be reduced by placing all components of a system on the same dedicated host, since traffic between them stays within the host’s virtual switch rather than crossing the data-center network. The trade-off is that those components then share one failure domain, so weigh the performance gain against your availability requirements.
What is your cloud provider offering as far as support and management?
Search for a provider that offers support and management assistance for your environment. You want items such as encrypted onsite and offsite backups, firewalls, network intrusion detection and prevention, and HIPAA-compliant secure cloud services to be included with any solution you select. Because a provider that stores ePHI is your business associate, it must also be willing to sign a Business Associate Agreement (BAA) with you; confirm this before committing to either model.
What is your budget for this project?
Budgetary constraints may influence your decision. Cloud servers will usually be less expensive when you are small and starting out; however, once your resource requirements grow, there are economic reasons to move your cloud servers to dedicated hosts, since the cost per unit of resource is usually lower.
Can I use both or move from one to another?
Some providers allow you to use both offerings at the same time, and migration options also vary by provider, so it is critical to ask first. Atlantic.Net allows the interconnection of your Dedicated Hosts and Public Cloud and also supports live migrations in both directions between Public Cloud and Dedicated Hosts.
In most cases, a dedicated hosting solution is more appropriate for building a larger-scale HIPAA-compliant infrastructure. A dedicated host can offer customers the control and isolation required to maintain HIPAA compliance and meet the technical and physical safeguards outlined in the regulation, as long as the right provider is selected. The same holds for cloud servers: with the right vendor, they can also provide the components needed to build an environment that meets HIPAA privacy and security standards.
In either case, taking advantage of cloud resources is a more efficient and cost-effective method of implementing a HIPAA-compliant infrastructure than attempting to build it from scratch using an in-house data center.