PHI in the Cloud: Caveat Emptor

Anyone in healthcare IT knows that protected health information (PHI) and the cloud seem made for each other. Speed, scalability, reliability: no wonder so many organizations want to leverage the cloud. Many of them are especially lured in by provider claims of flawless data availability and perfect compliance. I can’t blame them; most of these providers make promises that are nothing short of miraculous, such as “guaranteed 100% HIPAA compliant.” These are magic words to organizations that are confused by what HIPAA compliance even means. Add in the promise of excellent performance and PHI accessibility, and it all sounds like a healthcare IT dream.

Unfortunately, this is a dream organizations need to wake up from. I know organizations want a quick fix for all their cloud needs, but there’s enough confusion floating around the industry on compliance, security and performance without outrageous vendor claims misleading customers. Now don’t misunderstand me – I’m not saying your organization can’t enjoy a great healthcare cloud. It can. Rather I’m saying that you need to be a smart cloud consumer.

Take HIPAA compliance for instance. Many organizations have no idea what it entails. Being HIPAA-compliant means you have assessed the risks and threats to the PHI you hold, as they apply to the way you actually handle it, and that you have implemented and documented a security program that reduces those risks to an acceptable level. Note who the subject of that sentence is: you. A cloud provider is a business associate that takes on safeguards for the services it operates; it cannot make its customers compliant, so "guaranteed 100% HIPAA compliant" is a promise no provider is in a position to keep. Is compliance achievable? Certainly. But it's a nuanced, ongoing process and not the fixed checklist of criteria those "100% guarantees" imply.

You’ll see the same smoke and mirrors when it comes to performance. Yes, we all know that PHI accessibility can be a life or death matter in some situations, and that availability is a core requirement of HIPAA: the Security Rule asks you to ensure the confidentiality, integrity and availability of electronic PHI. Promises of ultimate performance sound great, but it’s important to look past the provider hard sell to the technical details of what they really offer.

In other words, it’s not what providers say but what they really do. As a savvy cloud customer, you need to take the following actions to make an informed choice.

  • Listen closely to how your provider describes what they can do for you. Are they making flashy guarantees without asking about your specific needs? Or are they taking the time to understand your performance requirements and unique risks and vulnerabilities?
  • Get down to the brass tacks on performance. Is the provider just quoting input/output operations per second (IOPS)? That isn’t the whole story: an IOPS figure means little without the block size, read/write mix and queue depth it was measured at, and it says nothing about the latency between the application and storage, which is what your application actually feels. Ask for latency numbers, including the tail (p95/p99), not just the average. Remember, not all storage is created equal or highly available. Are resiliency and redundancy ensured? Are there multiple tiers? How do they ensure segmentation between customers?
  • Ask providers if they’re willing to let you “try before you buy” via a POC environment that lets you test your applications and judge the performance for yourself.
  • Look for vendors who are transparent about how their cloud directly impacts your PHI. They should provide detailed information about their security controls and meaningful documentation backing up their claims around HIPAA compliance. Finally, make sure their business associate agreement (BAA) clearly states which services are covered, which safeguards the provider takes on, and which remain your responsibility.
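To make the performance bullet concrete, here is a small script you could run in a provider's POC environment. It is an added example, not code from the original article or from any provider: it issues synchronous 4 KiB random writes followed by fsync() against a scratch file and reports IOPS alongside the p50/p95/p99 latencies, so you can see how a respectable IOPS number can coexist with an ugly tail. It assumes a Unix host (os.pwrite) with a local or attached filesystem to write a scratch file into, and that fsync() actually reaches stable storage on that volume, which is something to confirm with the provider rather than take for granted.

```python
"""Measure storage latency, not just IOPS (added example, not from the article).

Synchronous 4 KiB random writes + fsync() against a scratch file, reporting
IOPS next to p50/p95/p99 latency. Assumes a Unix host (os.pwrite) and that
fsync() reaches stable storage on the volume under test.
"""
import math
import os
import random
import tempfile
import time


def percentile(samples, pct):
    """Nearest-rank percentile (pct in 0..100) of a list of numbers."""
    if not samples:
        raise ValueError("no samples")
    ordered = sorted(samples)
    rank = math.ceil(pct / 100.0 * len(ordered))
    rank = min(len(ordered), max(1, rank))  # clamp into [1, N]
    return ordered[rank - 1]


def measure_sync_write_latency(path, ops=200, block_size=4096,
                               file_size=16 * 1024 * 1024, seed=1):
    """Random block writes, each followed by fsync(); return IOPS and latencies in ms."""
    rng = random.Random(seed)           # fixed seed: the same offsets every run
    payload = os.urandom(block_size)    # constructed sample data
    latencies_ms = []
    # Preallocate so writes land inside an existing file instead of growing it.
    with open(path, "wb") as f:
        f.truncate(file_size)
    fd = os.open(path, os.O_RDWR)
    try:
        started = time.perf_counter()
        for _ in range(ops):
            offset = rng.randrange(0, file_size // block_size) * block_size
            t0 = time.perf_counter()
            os.pwrite(fd, payload, offset)
            os.fsync(fd)  # stop the clock only once the write is durable
            latencies_ms.append((time.perf_counter() - t0) * 1000.0)
        elapsed = time.perf_counter() - started
    finally:
        os.close(fd)
    return {
        "ops": ops,
        "iops": ops / elapsed,
        "p50_ms": percentile(latencies_ms, 50),
        "p95_ms": percentile(latencies_ms, 95),
        "p99_ms": percentile(latencies_ms, 99),
        "max_ms": max(latencies_ms),
    }


def measure_in_temp_file(ops=200, block_size=4096, file_size=16 * 1024 * 1024):
    """Convenience wrapper: run the measurement against a throwaway scratch file."""
    with tempfile.TemporaryDirectory() as scratch_dir:
        path = os.path.join(scratch_dir, "latency-probe.bin")
        return measure_sync_write_latency(path, ops=ops, block_size=block_size,
                                          file_size=file_size)


if __name__ == "__main__":
    result = measure_in_temp_file()
    print("sync 4 KiB random writes: %d ops, %.0f IOPS" % (result["ops"], result["iops"]))
    for key in ("p50_ms", "p95_ms", "p99_ms", "max_ms"):
        print("  %-7s %8.3f ms" % (key, result[key]))
    # A p99 many times the p50 means the IOPS headline is hiding periodic stalls.
    print("  p99/p50 ratio: %.1fx" % (result["p99_ms"] / result["p50_ms"]))
```

Run it on the volume the provider proposes for your PHI, with the file placed on that volume rather than in /tmp, and compare the p99 and the p99/p50 ratio across their storage tiers; then repeat with your own application's I/O pattern, since a single write size and queue depth of one is only the simplest probe.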

Remember, you’re not alone if you need guidance on protecting and optimizing your PHI in the cloud. A lot of healthcare IT teams are in your shoes. But as long as you stay educated and ask the right questions, you’ll know how to select a skilled provider who goes beyond empty promises and delivers the cloud expertise you need.
