Over the past decade, HIPAA compliance in the cloud and the mere mention of moving Protected Health Information (PHI) to the cloud would cause IT directors at healthcare organizations to break into a cold sweat. Even after reputable cloud IaaS providers like Google announced their HIPAA compliance in 2014, the initial attitude shift was marginal at most. Keeping data on-premise, much like keeping cash stashed in the wall instead of a bank account, still appeared more secure because entities knew where their data was at all times and created the policies that guarded it. As the cloud era enters maturity, however, so do the attitudes towards storing PHI off premise. It’s now more secure, efficient and convenient than ever to create a HIPAA compliant system in the cloud.
As many health data execs are quick to point out, the fear is warranted. Major HIPAA breaches can warrant fines upwards of a million dollars, and they often occur through seemingly minor events. The history of HIPAA breaches is laden with nightmare stories that are worth an organization’s investment on the front end to avoid. Even small businesses, which often tend to bypass HIPAA best practices due to a lean budget, can now be caught in the crosshairs of an OCR investigation.
Fear not – the time of nail biting over the security and reliability of the cloud is over. Here are a few key reasons why now is the time for organizations to migrate PHI to the cloud.
There Are Plenty of Experts to Help You with HIPAA Compliance in the Cloud
Back when Google announced the HIPAA compliance of their core cloud platform services in 2014, the big news was soon followed by a “now what?” moment. How do we, as healthcare organizations and business associates of healthcare organizations, create a secure platform on top of Google’s secure infrastructure? HIPAA compliance, after all, is a two-way street where both parties (Google and their cloud customers) must follow the Security Rule, Privacy Rule, and Breach Notification Rule in order to be up to snuff with HIPAA, and these can get pretty dense. Put simply, without a guide, a cloud customer was very likely to use an IaaS provider’s HIPAA compliant infrastructure in a non-HIPAA compliant fashion.
In 2017, Google published its regularly updated HIPAA Compliance Guide to serve as a playbook for cloud customers to responsibly architect a HIPAA compliant system. SADA Systems has helped many organizations make the switch. Customer like Lahey Health and Hunterdon Healthcare are among the prominent healthcare names that have partnered with SADA Systems to make the cloud switch.
Google Cloud Has a Secure Track Record, Regular Third-Party Audits, and More
There is one point to make abundantly clear: no official government certification exists for HIPAA compliance. As such, it’s often difficult to determine which IaaS providers are truly HIPAA compliant. Google, however, can convince a boardroom to rest easy. The GCP Platform was built by a team of over 700 engineers (bigger than your average on-premises IT department). They regularly undergo a slew of third-party audits that serve as the international standards for system security (see here for a complete list). Not only that, but Google also encrypts its data at rest by default in the cloud.
Google’s willingness to enter into a BAA for HIPAA compliance with its cloud customers is basically a statement that “we are more than confident in our infrastructure to take on the financial risk of HIPAA breaches for our cloud customers.” Given how many clients GCP has, this is a resounding message.
The Business Case for Moving Healthcare Data to the Cloud is Stronger than Ever
Google’s HIPAA BAA covers all of its public cloud services. This allows healthcare customers to take advantage of clinical-oriented services such as the Google Genomics API, such as how the Colorado Center for Personalized Medicine aims to do on Google Cloud. Customers can also explore the wide array of machine learning APIs and use the processing power of BigQuery to fly through petabytes of data with ease. By following Google’s recommend HIPAA best practices, customers can also create a HIPAA-conscious fail-safe such as audit logs in BigQuery, object versioning for data-deletion accidents, and more.
It’s worth mentioning that healthcare organizations moving to Google Cloud also benefit in the same way as other organizations moving to the cloud. By paying only for the resources used, large organizations avoid the wasted costs of underused hardware provisioned on premise. There is less time spent on guaranteeing uptime and performance, leaving more time for managing user roles and properly implementing IAM. This helps your organization be prepared to show that it had proper HIPAA governance in place in the unlikely event of a breach, which would help avoid inordinate financial consequences.
IT decision makers can use these reasons to convince skeptics in their organizations that a Google Cloud environment will not only be more secure than the on-premise environment but also more efficient, insightful and cost-saving.
For more information on Google Cloud Platform, click here for a free consultation today!
Director | Cloud Platform