Considering putting PHI in the Cloud?

by Rick Kam June 1, 2012

Many entities are thinking about migrating their applications and PHI to the cloud. While there are many benefits to doing this, there are also risks.

Some of the benefits of cloud computing are:

Lower operating cost
Faster implementation
Quickly adjust capacity
Ability to handle "spikes" in resource requirements
Ability to have temporary computing capacity for a special project

With all of these benefits, entities must also be aware of the risks and how to mitigate them.

In cloud computing, where shared resources — hardware infrastructure, software, and data storage — are constantly changing hands among different users, securing PHI is like shooting at a moving target. With the exception of a private cloud environment, covered entities have little or no control where or how their data is moved, processed, and stored.

This lack of control presents compliance issues for the covered entity. As noted in The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security, a seminal report by the American National Standards Institute (ANSI), The Santa Fe Group/Shared Assessments Program Healthcare Working Group, and the Internet Security Alliance (ISA), the covered entity is as responsible for the security of its PHI on the cloud as it is for PHI in its own environment. What's more, the report says, both the covered entity and the cloud provider could be subject to penalties under HIPAA and/or state regulations for a breach of PHI.

So what can you do to protect PHI in the cloud?

While covered entities have little control over the security of their PHI in a cloud environment, they can control their response to a data breach. An inventory of Personal Identification Information and PHI as well as privacy and security risk assessments can help demonstrate compliance and mitigate the impact of a data breach. Likewise, health entities should enact an incident response plan that includes roles and responsibilities for team members during a privacy event and provides instructions on determining notification requirements, including to regulatory authorities. And, of course, nothing can replace an organization's commitment to their patients, be it through caring, appropriate notification, consumer education, medical identity monitoring and recovery, and other remediation services.

About the Author

Rick Kam

Rick Kam, CIPP, is founder and president of ID Experts. He is an expert in privacy and information security. His experience includes leading organizations in policy and solutions to address protecting PHI/PII and resolving privacy incidents and identity theft. He is the chair of the ANSI PHI Project, Identity Management Standards Panel and the Santa Fe Group Vendor Council ID Management working group. He is also an active member of the International Association of Privacy Professionals and is a member of the Research Planning Committee for the Center Identity which is part of the University of Texas Austin.

Tags: data breach notification laws data breach risk assessment healthcare healthcare data breach healthcare data breach response healthcare privacy hipaa hipaa compliance hipaa privacy hitech act patient privacy phi protected health information