Healthcare organizations can benefit from third-party assistance.
There is significant evidence to suggest that health information technology (HIT) cloud computing is a rapidly growing industry. There are many reasons why healthcare organizations choose to transition into the cloud, including compelling cost-savings initiatives, greater business flexibility and a secure platform to manage patient data.
According to MarketsandMarkets, the healthcare cloud will hit $9.48 billion by 2020, rising from $3.73 billion in 2015 at a compound annual growth rate (CAGR) of 20.5 percent. Similarly, Esticast projected that the healthcare cloud market would grow at a 23.4 percent CAGR, achieving $25.7 billion by 2024. Finally, Mordor Intelligence forecast that the healthcare cloud computing market would expand by 18 percent from 2018 to 2023.
This all suggests that the uptake of cloud services is thriving — and the cloud model is an increasingly appealing IT strategy to healthcare decision makers. But it is important to understand what is incentivizing healthcare businesses to implement IT services in the cloud.
Here are nine key reasons why partnering with cloud service providers (CSPs) is becoming increasingly prevalent among healthcare organizations as they set up partnerships with HIPAA-compliant business associates, as defined within business associate agreements (BAAs):
Cloud technology and cloud services are embraced and championed by the federal regulators in HHS. In its “Guidance on HIPAA & Cloud Computing,” HHS notes, “While a covered entity or business associate may use cloud-based services of any configuration (public, hybrid, private, etc.), provided it enters into a BAA with the CSP, the type of cloud configuration to be used may affect the risk analysis and risk management plans of all parties and the resultant provisions of the BAA.”
This brings up an extremely important point: Although there are many questions to ask a potential CSP, the most critical thing is to ascertain the compliance status of the chosen provider. That enables healthcare leaders to understand their responsibilities and the CSP's responsibilities. This will help secure electronic protected health information (ePHI) at all times.
Cloud security is commonly cited as one of the main concerns organizations have regarding transitioning live services to the cloud. However, it can be argued, especially in recent years, that cloud providers have embraced the security foundations of their cloud offerings by creating strong policy-driven, hardened services. This has helped to diminish the view that security can be a problem with cloud computing. Various observers have noted over time that the security of cloud is actually better than it has seemed previously, with some notable journalists reporting that “data may actually be safer in the cloud” and that public cloud “is more secure than your data center.”
Cloud services are usually provided on a pay-as-you-go model; therefore, customers only pay for the services rendered by their cloud provider. This empowers healthcare organizations, giving them the opportunity to select HIPAA-compliant computing and storage and network infrastructure services that can grow and expand as needed. This immediately provides the benefit of operational expenditure (OPEX), which is budgeted and agreed upon in advance with the CSP. That means it will not require large amounts of capital outlay (CAPEX) to purchase hardware and software or build or lease data centers. It also cuts the associated cost of managing an in-house IT department.
According to an analysis by McKinsey researchers Nagendra Bommadevara, Andrea Del Miglio and Steve Jansen, the cloud makes IT more flexible in being able to support business, with capabilities ranging from storage and computing power to machine learning and big data environments. The cloud provider will be responsible for security patching and updates, operating system and software upgrades and ensuring everything in the background is running at peak performance.
It can be argued that many healthcare organizations want to get away from managing their IT infrastructure in house. In a story cited by Emily Johnson of InformationWeek, PwC healthcare technology consultant Carl Shimbo worked with a regional healthcare organization that had a 300-bed hospital and about 10 remote locations. The provider opted to transition to cloud hosting because it did not feel operating a data center was a core area of knowledge and did not want to have to pay for the construction and maintenance of a data center. Outsourcing the physical and technical safeguards needed for a HIPAA-compliant data center, including 24/7 security, audited access controls and built-in server protection, becomes an attractive proposition.
Typical assets of a business, such as equipment and inventory, are becoming increasingly intangible in the modern world. Small businesses have had difficulty safeguarding untouchable but incredibly valuable digital assets. Using the cloud for data backup, whether in conjunction with infrastructure as a service (IaaS; also called cloud hosting) or as a standalone, is affordable, efficient, automated and secure.
Cloud service providers are experts at managing and supporting the cloud server and network infrastructure. Specialist teams build, install and provision new infrastructure behind the scenes while the end user can concentrate on using the IT services. As well as managing the server estate, networks and security, the cloud provider ensures there is 24/7 support available to assist cloud customers in need. Businesses have found that this arrangement improves service quality through the cloud because the technology is self-corrective. Cloud computing serves as a means to reconsider general IT system setup and processes, a situation that Bommadevara and colleagues said resulted in IT incident reductions of 70 percent at “some enterprises.”
The cloud is also expanding because the federal government has been a huge proponent of the technology beyond the special attention from the HHS, with a cloud-first policy issued by the White House in 2011. Cloud first mandated that federal agencies should assess all cloud-based options before considering other solutions. The primary reason the government promoted faster adoption of the cloud model is that it wanted to take advantage of shared services and lightweight computing, according to the U.S. Department of the Interior.
These guidelines clarified that even at that early point (seven years ago), the security of cloud was considered strong enough by the federal government to view it as the default choice for computing.
The Health Information Technology for Economic and Clinical Health Act (HITECH), which went into effect through its inclusion in the American Recovery and Reinvestment Act of 2009, included the Omnibus Final Rule, which contained provisions stating that business associates would be directly responsible for HIPAA compliance moving forward. This law incorporated cloud providers and others as organizations that must maintain federal healthcare compliance. In that sense, healthcare-compliant cloud and other third-party systems that handle ePHI should be prepared to be held accountable for meeting compliance standards.
There are many reasons to want to benefit from the cloud by working with CSPs. Choosing your business associates wisely and grounding those relationships in strong BAAs is key to meeting HIPAA compliance. When you look for a healthcare-compliant hosting service, check that the data center goes beyond HIPAA certification to meet other key security measures, such as through a Statement on Standards for Attestation Engagements 18 (SSAE 18; formerly SSAE 16) audit from the American Institute of Certified Public Accountants.