In part 1 of our Health Care Providers and the Cloud series, we discussed what the cloud is and how it’s transforming healthcare by providing on-demand access to IT resources from anywhere. In part 2 we covered some of the most common advantages of cloud computing. Here in part 3 of our series, we highlight considerations for selecting a Cloud Service Provider (CSP).
Selecting a Cloud Service Provider (CSP)
Privacy and Security
Healthcare data is highly regulated and, according to recent studies, is 200% more likely to encounter data theft. You need to establish a strong agreement with the cloud service provider that includes specific provisions for the privacy and security of your data. The risks and liabilities of storing patient health information (PHI) must be fully understood, and as a healthcare provider you should always stay informed about the manner in which your PHI is stored and managed. Multi-factor Authentication (MFA), secure login, and Data Loss Prevention (DLP) are all controls that should be in place before PHI is moved to a Cloud Service Provider.
Regulations and Compliance
PHI collection and storage is subject to a number of governmental regulations, such as HIPAA and GDPR. Compliance with these regulations is mandatory when storing data on a cloud platform. When selecting a cloud service provider, you must ensure that the applicable government data regulations are adhered to. The cloud service provider may hold certifications from regulatory authorities, but the responsibility for ensuring compliance remains with the healthcare provider. A Business Associate Agreement (BAA) should be signed with the cloud service provider before the cloud platform is finalized. Health and Human Services details when a BAA is required: “When a covered entity engages the services of a CSP to create, receive, maintain, or transmit ePHI (such as to process and/or store ePHI), on its behalf, the CSP is a business associate under HIPAA. Further, when a business associate subcontracts with a CSP to create, receive, maintain, or transmit ePHI on its behalf, the CSP subcontractor itself is a business associate. This is true even if the CSP processes or stores only encrypted ePHI and lacks an encryption key for the data. Lacking an encryption key does not exempt a CSP from business associate status and obligations under the HIPAA Rules. As a result, the covered entity (or business associate) and the CSP must enter into a HIPAA-compliant business associate agreement (BAA), and the CSP is both contractually liable for meeting the terms of the BAA and directly liable for compliance with the applicable requirements of the HIPAA Rules.”
Service Reliability and Management
Scaling is another critical factor when selecting a service provider. The platform chosen should be able to process sizable loads of data at any given time, and the cloud service provider needs to be able to upgrade the system when the need arises. The key performance indicators (KPIs) for performance and reliability need to be easily accessible and continually monitored. Regularly scheduled backups and a disaster recovery plan that is comprehensive, detailed, and tested frequently are also important considerations. With the rise of ransomware and crypto-lockers, a good disaster recovery plan that includes offsite backups could be the difference between losing all of your data and going out of business, and being able to continue providing quality care to your patients.
For assistance in selecting a Cloud Service Provider or to discuss how you can leverage the cloud in your practice, feel free to contact us at firstname.lastname@example.org.