Is Cloud Fit for Compliance?
January 11, 2018
Healthcare security and communications platform ShareSafe Solutions recently integrated cloud servers into its infrastructure. The company initially started with a hosting deployment of four dedicated servers, protected by a managed firewall. In addition, it was using colocation (a data center where equipment is available to rent) for several additional machines. With the increase in the prevalence of cloud computing and the maturation of those services, ShareSafe opted to add cloud machines to its lineup, paying close attention to problem resolution with its provider so that it could properly control the ecosystem. The benefits of cloud were compelling, especially since the compliance concerns of that setting are now easily manageable. Cloud technology “gives ShareSafe a unique opportunity to have scalable deployments for new clients configured and released in as little as four hours.”
That note on scalability is key as it relates to growth potential. The company is launching cloud clusters for multiple redundancies, with that system spread across numerous cities and regions throughout the United States. This use of the cloud to build in redundancies nationwide is an effort to defend more aggressively against the possibility of downtime due to a breach or other disaster.
Are Certifications Enough?
Regulated companies must be extremely concerned with the location of their data and the protections used to keep it out of the wrong hands. You must have access to all that data immediately in the case of an audit. Healthcare companies are just one example, with their need to adhere to the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Even when these marks of strong security and stability are in place, CyberTrend recommends treating the cloud on a case-by-case basis – evaluating systems individually to determine whether cloud or another method is more appropriate.
While that perspective may seem wise, its skepticism toward the cloud’s ability to secure the most vital, critically sensitive data (such as Protected Health Information, PHI, in the case of HIPAA) does not agree with the perspectives of many who argue that cloud is a preferable environment to your own data center.
IDC: Cloud Stronger at Security Than Many Think
The question of whether cloud can outdo the security of on-premise systems is a competitive one between internal and external parties. According to Cloud Technology Partners senior VP John Treadway, “It becomes a religious debate.” Regardless of the lack of consensus on this topic, the cloud is “at least as secure as most enterprise environments,” Treadway said.
In July, IDC senior research analyst Angela Gelnaw noted that companies have become more comfortable storing data in the cloud because they are aware that CSPs have strong and robust security mechanisms in place (agreeing with cloud thought leader David Linthicum, Clutch analyst Sarah Patrick, and Sonian CTO Greg Arnette on this point).
In other words, in moving to cloud with its highly sensitive data, ShareSafe is taking a route that is recognized as legitimate by many leading voices in IT.
Cloud Computing Recognized by Regulators as Safe
It is not just industry professionals or “cloud enthusiasts” who have learned that cloud can be a secure way to store data and meet compliance guidelines. The regulators themselves now understand it as a viable option. As an example, official cloud guidelines from the US Department of Health and Human Services (HHS) note that it is an acceptable technology provided that a Business Associate Agreement (a HIPAA compliance document detailing the responsibilities of both parties) is in place.
The HHS guidelines also indicate that any model of cloud (public, private, or hybrid) can be used for healthcare data protection. Furthermore, it is permissible to work with a cloud service provider that stores ePHI (electronic PHI) on a server outside the United States.
Not Your Grandfather’s Cloud… nor 2010’s
Even five years ago, people were starting to recognize that cloud should be viewed differently in terms of compliance and data safety. Writing in Data Center Knowledge in 2013, Bill Kleyman noted, “Because cloud has continued to progress, the security models that support cloud computing are allowing for more granular controls over key security components.”
You can only imagine the amount of effort, the investment in time and resources, that has further bolstered this technology’s security and compliance footing since that statement. After all, businesses now spend $90 billion annually on information security.
As ShareSafe has demonstrated, cloud services will often make sense as a way to comply with laws and standards. The only concern is that proper safeguards are implemented so that your cloud services are delivered efficiently and securely.