Evaluating and Choosing Healthcare Cloud Service Providers

As healthcare moves from on-premise to cloud services, the evaluation and selection of “HIPAA compliant” cloud service providers becomes an import task. I don’t like the description “HIPAA compliant” because it’s imprecise and not meaningful. However, it’s something that many non-technical people look for when evaluating providers so I’m using it here. My friend Alex Ginzburg, VP of Technology at Intervention Insights, and I have done this kind of healthcare cloud services providers evaluation and selection many times so it was natural for me to reach out and ask him to provide some guidance for the community. I asked Alex to give us insight on his process for choosing vendors. Here’s what Alex said:

Many Digital Health startups are facing the challenge of striking the right balance between achieving required regulatory compliance with healthcare data privacy and security laws (HIPAA, State) and running a lean environment. We all know that cloud technology enables healthcare organizations to focus their efforts on relevant services and improved patient outcomes, significantly reduces the burden of infrastructure management, simplifies technology adoption and drives operational costs down. Commercial elastic clouds, such as Amazon EC2, are some of the most commonly used options by the companies seeking to provide high level of security and optimize operational costs.

Lack of compliance with the HIPAA and other applicable security regulations can be a real showstopper for a Digital Health organization. The dynamics of an early stage often results in decision to either defer or even forego the security and privacy specific legal reviews of the business and operating plans, which may translate into costly remediation efforts. An important contributing factor to that is the lack of legal and implementation consultancy available directly from the government offices. As of today there is no official government-sponsored certification program for HIPAA consultants or organizations. Several private companies offer their own proprietary HIPAA assessment and certification programs, but the services may be costly for early-stage startups. For a Digital Health business there is no clearly defined pathway into achieving compulsory compliance status with HIPAA and other certification authorities (which is why “HIPAA Compliance” is a difficult concept to grasp). The Digital Health vendors, who choose to deploy their solutions in the commercial cloud, often have little or no control where or how this data is moved, handled, or stored by the Cloud Service Provider (CSP). The vendor must require the CSP to sign a Business Associate Agreement (BAA), hence contractually agreeing to maintain all PHI as stipulated by HIPAA and other applicable standards.

READ

The Future Of Technology Advances In Medicine

Considerations before moving into Digital Healthcare:

Does the nature of the business require the company to acquire, store and/or exchange identifiable patient information? Can the added complexity be avoided? In some cases the use of de-identified health data may be sufficient to provide the added value to the service consumers.
Does the team have a full awareness of the scope of company’s compliance standards: all applicable Federal, State, and international (if applicable) patient data privacy and security laws, legislation and regulations? It is important to note that some of the State laws may strengthen the federal requirements. For example, the State of Texas (H.B.300), among other amendments, changes the definition of a HIPAA Covered Entity.
It is important to remember that there are additional requirements for the providers of EMRs and other software solutions used by U.S. Federal Government, for example U.S. Department of Veterans Affairs (VA) or Department of Defense. Digital Healthcare companies working with the government entities should additionally adhere to standards developed by National Institute of Standards and Technology (NIST)
Does the company plan to use offshore resources and what are the potential implications of that in the context of privacy and security?
Will a private or a commercial cloud service provider (CSP) be more suitable and cost-efficient for SaaS/PaaS hosting and internal operations?

Cloud Service Provider Evaluation Criteria:

A typical software vendor startup needs a hosting platform for its SaaS offering, which could be easily scaled up or down depending on the operational needs.

Today a number of companies provide virtual hosting environments with different service level agreements (SLAs). Among the leading vendors offering commercial clouds are RackSpace, Amazon, and Microsoft Azure. A company needs to establish a Business Associate Agreement (BAA) with the Cloud Service Provider to fully understand CSP’s liabilities and risks as well as being able to absorb those risks in the event of HIPAA non-compliance.

READ

Here's How Technological Innovation Is Transforming Healthcare

A Digital Healthcare company should screen potential cloud partners for their physical, procedural, operational and technical readiness to house the PHI (Protected Health Information) and to ensure safety of the transactions containing PHI data. A well-established commercial hosting facility has a variety of industry certificates: ISO 27001, PCI DSS Level 1, SSAE 16 and others. When it comes to claiming HIPAA compliance, cloud vendors may use terminology, such as “HIPAA enablement”, which best represents their security-related technical capabilities, while refraining from claiming legal compliance. For example, among other features, Digital Ocean (www.digitalocean.com), a popular provider of the hosted services, may indicate availability of data encryption and VPC setup (virtual private clouds), but is not claiming to be a “HIPAA compliant” provider.

When evaluating a potential CSP it is important to consider several points:

Does a potential CSP have existing customers with the similar business model? Would the provider be willing to offer a reference contact?
One of the most important assessing factors is the readiness of a CSP to execute a BAA with the client. It is important to carefully review the agreement and understand the delegation of the obligations and responsibilities of both parties.
Perform comprehensive due diligence of technical, physical, procedural safeguards and controls of a potential CSP.
Does a CSP comply with any other data security standards, such as PCI DSS?
Does a potential cloud service partner have a mandatory staff HIPAA awareness training program?
Review the records of a recent HIPAA audit report.
As a part of the technical due diligence, discuss company’s platform and architectural requirements and make sure that a CSP has technical provisions to support your compliance with HIPAA technology safeguards.

What problems have you seen when doing evaluations and making selections? Share your questions and we’ll get them answered in future posts.

cloud services / shutterstock

What To Know About Nutritional Supplement Packaging Safety

5 Strategies For Improving Healthcare Efficiency

How Local Hospitals Are Under Mounting Pressure?

Understanding The Impact Of Google’s Medic Update On Health Sites

Why Meal Planning Is Good for Your Budget & Your Health

How Do I Become A Clinical Documentation Specialist?

How To Get Capital For New Equipment For Your Healthcare Business

Financial Benefits For People Suffering From Dementia

5 Strategies For Improving Healthcare Efficiency

How Local Hospitals Are Under Mounting Pressure?

How Health Facilities Can Prepare For Natural Disasters

10 Major IT Challenges Healthcare Organizations Are Facing Today

3 Secrets Triggering Enormous Interest In Healthcare Analytics

The Roles Of AI, IoT, And Cybersecurity In Transforming Healthcare

Telemedicine Is An Efficient Tool To Transform The Healthcare Industry

How Startups Are Bringing Healthcare To Rural Areas

7 Important Benefits Of Electronic Health Records (EHRs)

Three Practical Uses For Wearables In EHR

Patient Misidentification: Just How Damaging Is It?

Dealing With A Health Crisis? Avoid Medical Identity Theft With These Tips

The Roles Of AI, IoT, And Cybersecurity In Transforming Healthcare

Top 5 Ways Mobile Apps Are Impacting Health And Fitness Industries

How To Use SMS To Increase Customer Satisfaction In Healthcare

Top 5 Advantages Of A Heart Rate Monitor – For Workouts And Daily Life

Why You Need To Know The Risks Of Self-Diagnosis

Technological Advancements in The Medical Field That You Should Keep An Eye On

mHealth Apps And Digital Doctors: The Future Of The Healthcare Sector?

EHR For Rural Hospitals: Criteria And Access

7 Tips To Make Sure Your Medical Practice Is Found Online

4 Top Reasons Why App Developers Love Apple Health Records API

Should Healthcare Care About Branding?

How can Healthcare Professionals Manage their Reputation Online

How To Protect Patient Health Data With Security Testing

Why Massage Chairs Are Beneficial For Your Health

How Has Technology Changed the Medical Sector In 2019?

3 Secrets Triggering Enormous Interest In Healthcare Analytics

How Has Technology Changed the Medical Sector In 2019?

What Goes Into The Cost Of A CT Scanner?

Here Is Everything You Need To Know To Purchase A New MRI Machine

How Anesthesia Can Be Delivered With Anesthesia Machines

How Has Technology Changed the Medical Sector In 2019?

Making Sense Of The Surge Of Voice Recognition Software In Healthcare

Important Things To Know About Advances In Healthcare Robotics

Here’s How Technological Innovation Is Transforming Healthcare

What To Know About Nutritional Supplement Packaging Safety

What to Expect as a First Time User of CBD Gummies

Four Signs That Show You Need Rehabilitation

How To Choose The Right Dentist: Try These 6 Simple Steps

Dealing With A Health Crisis? Avoid Medical Identity Theft With These Tips

Body Pain And Chiropractic Care: How Are They Related?

Who Can Receive Free HPV Vaccines to Combat Cervical Cancer?

9 Signs You Need An Emergency Dentist

5 Common Misconceptions About Naturopathic Medicine

Top AED Models To Minimize Risks Of Cardiac Arrest 2019

3 Things To Consider When Looking For A Heart Doctor

The Value And Criticism Of Robot-Assisted Heart Surgery

Here’s What To Know About Sleep And Heart Health

9 Signs You Need An Emergency Dentist

Crooked Teeth vs. Perfect Teeth: Clip-On Veneers

Pros And Cons Of Flossing: Why Is This Dental Tip Overlooked?

Dental Anxiety: Why It’s Common And How To Deal With It

Take These 4 Important Steps For Healthy And Happy Aging

Living Alone When You’ve Been Diagnosed With Alzheimer’s

A Guide To Healthy Aging And Happier Golden Years

10 Early Dementia Signs You Need To Be Aware Of

How In-Home Visits Might Help Reduce Childhood Obesity

How Does Fat Leave Your System When You Lose Weight?

The Positive Impact Of Outdoor Activities And Events On Kids’ Health

How Can Parents Prevent Obesity In Children

Body Pain And Chiropractic Care: How Are They Related?

Four Ways to Banish Back Pain For Good

The Most Important Things To Know When Choosing A Chiropractor

A Guide to Caring for Bunions

Prenatal Care: 5 Great Reasons to Get a Prenatal Massage

Are You Healthy Enough to be a Surrogate?

5 Tips for a Healthy Pregnancy

3 Nutritious Foods To Eat During Your Second Trimester Of Pregnancy

Radiology as an Enterprise Model for Collaboration

Relationship Between Clinical Decision Support Systems (CDSS) & Radiology Must Evolve

Diagnostic Reading #33: Five Must-Read Articles from the Past Week