Best practices for building and maintaining HIPAA-compliant cloud applications

July 24, 2012
How to successfully implement a HIPAA-compliant cloud solution that meets business goals.

Many healthcare organizations are interested in improving security, availability and performance of their data and applications. While other industries are increasingly leveraging cloud-based computing to meet these goals and reduce costs, concerns about HIPAA compliance are inhibiting the healthcare sector from following suit. In order for this to happen, the focus needs to shift from whether the cloud is HIPAA compliant to architecting the best solution.

Understanding threats to HIPAA systems

It is a mistake to assume that cloud computing, by its very nature, is a threat to HIPAA compliance. To understand where the actual threats are to protected health information (PHI), we need only to look into the data that is collected by the government on HIPAA breaches.

Since late 2009, 435 HIPAA breaches have affected over 20 million individuals. Sixty-seven percent of incidents involved theft or loss. While this suggests that the majority of threats involve physical PHI, the figure increases dramatically when we count affected individuals rather than incidents: 84 percent of affected individuals were exposed through the theft or loss of physical computers or electronic media.

That’s a stark picture: the vast majority of data breached to date involves physical digital equipment or media. If we add breaches due to IT/intrusion incidents on physical network servers, that number increases to 92 percent. It is clear that a compliant cloud-based solution can have significant security advantages.

Business associates and AWS

In addition to privacy and security requirements, HIPAA requires a business associate agreement (BAA) with third-party vendors who access PHI. A question heard frequently is: “Will Amazon Web Services (AWS) sign a BAA?” The answer is that AWS employees do not have access to the applications or data of properly architected solutions for covered entities. Using AWS is akin to using the U.S. Postal Service or Federal Express.

However, partnering with a HIPAA solutions provider that will sign a BAA for the duration of the project, spanning design of the solution, implementation and any ongoing support or other work, does add an extra layer of protection.

A success story: Pronia

Pronia Medical Systems (www.proniamed.com), whose GlucoCare application manages glucose delivery in hospitals, implemented a successful cloud-based HIPAA-compliant solution. The main objective for using AWS was to execute faster, easier, more cost-effective hospital trials. Continued HIPAA compliance of administrative processes, patient data storage and data transmission were also paramount.

To optimize customer onboarding, Control Group designed an AWS-based architecture that supports Pronia’s technical, regulatory and business requirements via Rapid Initial Deployment. The solution is comprised of a suite of services and AWS technologies that cover the spectrum from analysis and architecture to design and implementation.

Technical review of Pronia's operations and the GlucoCare application revealed which facets would need modification for delivering a compliant cloud-hosted solution, and documentation was created to support future HIPAA and FDA technical reviews.

The AWS Relational Database Service (RDS) rapidly deploys a database for each new customer, creating a consistent environment where backups and replication are handled automatically. GlucoCare servers are provisioned in Amazon’s Elastic Compute Cloud (EC2), and this solution uses on-demand instances to create servers that run the application instantly.

In addition, AWS auto scaling and configuration automation deliver a self-healing solution that responds to outages instantly, without manual intervention. Because monitoring and alerting are essential for GlucoCare’s clinical uptime requirements, CloudWatch was selected to highlight usage trends, automate problem resolution and send instantaneous issue notifications.
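As an added illustration of the checks a technical reviewer would run against a per-customer RDS footprint with CloudWatch alerting like the one described above (this is example code written for this article, not Control Group's or Pronia's, and it makes no AWS calls): the functions take dictionaries shaped like the RDS DescribeDBInstances and CloudWatch DescribeAlarms responses and flag settings that undermine the "backups and replication handled automatically" and "instantaneous issue notifications" goals. The instance identifiers, the SNS topic ARN and both sample records are constructed; the field names are those of the current AWS API, which postdates some of the features available in 2012.

```python
"""Baseline audit of per-customer RDS instances and their CloudWatch alarms.

Added example, not code from the original article or from Control Group/Pronia.
Inputs mirror the shape of boto3's rds.describe_db_instances()["DBInstances"]
and cloudwatch.describe_alarms()["MetricAlarms"]; the records below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Finding:
    resource: str
    severity: str  # "high", "medium" or "low"
    message: str


def audit_rds_instance(db: dict, min_backup_days: int = 7) -> list[Finding]:
    """Check one DescribeDBInstances entry against a minimal PHI-hosting baseline."""
    name = db.get("DBInstanceIdentifier", "<unknown>")
    findings: list[Finding] = []
    if not db.get("StorageEncrypted", False):
        findings.append(Finding(name, "high", "storage is not encrypted at rest"))
    if db.get("PubliclyAccessible", False):
        findings.append(Finding(name, "high", "instance is reachable from the public internet"))
    if db.get("BackupRetentionPeriod", 0) < min_backup_days:
        findings.append(Finding(name, "medium",
                                f"automated backup retention is below {min_backup_days} days"))
    if not db.get("MultiAZ", False):
        findings.append(Finding(name, "medium", "no Multi-AZ standby replica configured"))
    if not db.get("DeletionProtection", False):
        findings.append(Finding(name, "low", "deletion protection is disabled"))
    return findings


def audit_alarms(db_identifier: str, alarms: list[dict]) -> list[Finding]:
    """Require at least one RDS alarm on this instance that actually notifies someone."""
    for alarm in alarms:
        dims = {d["Name"]: d["Value"] for d in alarm.get("Dimensions", [])}
        if (alarm.get("Namespace") == "AWS/RDS"
                and dims.get("DBInstanceIdentifier") == db_identifier
                and alarm.get("AlarmActions")):
            return []
    return [Finding(db_identifier, "medium",
                    "no CloudWatch alarm with a notification action covers this instance")]


def audit_deployment(dbs: list[dict], alarms: list[dict]) -> dict[str, list[Finding]]:
    """Run both audits for every instance; an empty list means the instance passed."""
    return {
        db["DBInstanceIdentifier"]:
            audit_rds_instance(db) + audit_alarms(db["DBInstanceIdentifier"], alarms)
        for db in dbs
    }


# Constructed sample records (hypothetical identifiers, not from any real account).
WEAK_DB = {
    "DBInstanceIdentifier": "trial-hospital-a",
    "Engine": "mysql",
    "StorageEncrypted": False,
    "PubliclyAccessible": True,
    "BackupRetentionPeriod": 0,
    "MultiAZ": False,
    "DeletionProtection": False,
}

HARDENED_DB = {
    "DBInstanceIdentifier": "trial-hospital-b",
    "Engine": "mysql",
    "StorageEncrypted": True,
    "PubliclyAccessible": False,
    "BackupRetentionPeriod": 14,
    "MultiAZ": True,
    "DeletionProtection": True,
}

ALARMS = [
    {
        "AlarmName": "trial-hospital-b-cpu",
        "Namespace": "AWS/RDS",
        "MetricName": "CPUUtilization",
        "Dimensions": [{"Name": "DBInstanceIdentifier", "Value": "trial-hospital-b"}],
        # Hypothetical SNS topic ARN; a real one would point at the on-call channel.
        "AlarmActions": ["arn:aws:sns:us-east-1:123456789012:ops-pager"],
    }
]

if __name__ == "__main__":
    for resource, findings in audit_deployment([WEAK_DB, HARDENED_DB], ALARMS).items():
        status = "PASS" if not findings else f"{len(findings)} finding(s)"
        print(f"{resource}: {status}")
        for f in findings:
            print(f"  [{f.severity}] {f.message}")
```

The audit is deliberately data-driven: pointing it at the real `describe_db_instances` and `describe_alarms` output of a trial deployment gives the same report for every customer, which is the property the per-customer RDS approach is meant to buy.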

Pronia now has in place a highly data-driven, automated solution that deploys and manages machine lifecycles, code versioning and testing. It is a highly scalable, stable, HIPAA-compliant, AWS-based footprint from which to launch trial hospital implementations. New customer systems are deployed with a high degree of control over security, role and user management in full compliance with HIPAA. With AWS pricing, scalability and reliability, the platform has proven to be ideal for Pronia's rapidly growing business.

About the author

Lisa O’Neil is vice president of enterprise consulting at Control Group, a technology innovation firm that enables companies to work smarter, create new sources of revenue and enhance their customer experiences by delivering on the full potential of technology and user-centered design. Learn more at www.controlgroup.com.
