Three Reasons Why Healthcare Organizations Won’t Head to the Cloud

By now, you’ve probably heard that the healthcare industry’s reluctance to embrace cloud computing is diminishing. In fact, the heightened interest in cloud computing solutions has prompted the Healthcare Information Systems Society (HIMSS) to release an inaugural HIMSS Analytics Cloud Survey.  Of the healthcare IT professionals they surveyed, 83% indicated that their organizations used cloud services. Only 6% have no plans to use the cloud at all. Let’s take a closer look at why some healthcare organizations aren’t leveraging cloud computing solutions.  HIPAA Compliance

1. Security Concerns with Cloud Computing  

Cloud security and privacy was identified as a key reason why healthcare organizations are reticent to engage with a cloud solutions provider (CSP). The Office of Civil Rights (OCR) for the U.S. Department of Health and Human Services has levied severe fines against healthcare organizations who have failed to meet HIPAA compliance requirements. Earlier this year, Concentra agreed to pay $1,775,200 to settle potential HIPAA compliance violations associated with the loss of protected health information (PHI) on a single stolen laptop – sending shock waves through the industry.

Organizations that are on the fence about moving their PHI to the cloud should narrow their list of potential cloud solutions providers to those who have proven experience in compliant cloud hosting. They should have a dedicated compliance team led by a Chief Information Security Officer who can guide and advise them in regulatory compliance measures as they pertain to cloud hosting environments and offer specific solutions for them such as virtual cloud desktops.

Read our blog, The 40-year-old Solution to Concentra’s Problems to learn more.

2. Cloud Providers Who Are Unwilling to Sign a BAA

Thirty-three percent of healthcare organizations surveyed who aren’t leveraging the cloud cited a CSP’s unwillingness to sign a Business Associate Agreement (BAA). Unfortunately, many CSPs who claim to be familiar with HIPAA compliance regulations won’t sign a BAA, citing that they may not know if they are storing PHI. Many CSPs are likely not even aware of the legal obligation under certain circumstances to sign a BAA.

The institution of the HIPAA omnibus final rule means that organizations that handle patient data can now be held directly liable for its security. With the final omnibus rule, that liability is being shared between healthcare organizations and their outside service providers, including their cloud hosting partners.

In our first Healthcare Community Webinar, HIPAA Compliance: Steps to the Healthcare Cloud, Sean Bruton, VP of Product Management at HOSTING, emphasizes that CSPs “should absolutely sign a Business Associate Agreement (BAA) which specifically outlines who is responsible for managing patient data and how it maps back to HIPAA.”

3. A Cloud Provider’s Unwillingness to Comply with HIPAA Laws and Regulations

The demand for compliant cloud hosting providers is huge, resulting in many CSPs offering false claims regarding their experience in HIPAA compliance. Before you commit to a cloud solution, understand what it means to be HIPAA compliant and how a prospective cloud hosting provider plans to protect your PHI in the cloud. Not sure where to start? Our own Chief Information Security Officer, Johan Hybinette, provided three key questions that organizations should ask any cloud provider prior to engaging with them.

  • “Where is my data being stored?” – CSPs should have local sites to host your data. For example, if your company is based in North America, your data should reside there.
  • “How long does it take you to report an incident when it happens?”
  • “How long does it take you to mitigate an incident when it happens?”

Check out our recent blog, HIPAA Compliance and PHI in the Healthcare Cloud, to learn more about what to expect from a reputable compliant cloud hosting partner.

 

Categories

Leave a Reply

Your email address will not be published. Required fields are marked *