Wednesday, September 14, 2011

HIPAA Business Associate Agreements in the Cloud - Necessary?

In my conversations with Healthcare CIOs and CISOs, the need to move to the cloud and the barriers to doing so are top of mind. In cost-sensitive healthcare organizations, public cloud promises to allow them to provide better, more reliable services to their customers at a lower cost. However, since HIPAA requires Business Associate (BA) agreements with entities that handle healthcare data, and many cloud providers won't sign them due to legal risk, healthcare public cloud initiatives have been stalled. With the relatively new HITECH Act's data breach disclosure requirements and the protected data definitions it contains, there may be an argument that in certain circumstances BA agreements are not required.

Let me start on the next section by saying I'm not an attorney (I don't even play one on TV) and am not giving legal advice. I just like logic, understand the regs, and think a good argument applies here. If your public cloud efforts are stalled by business associate agreements and you meet the criteria below, this is an argument you should have your attorneys evaluate. I'd love to hear some feedback on what they think, so please let me know.

First, cloud is a nebulous term that means lots of different things - so let's define exactly what we're talking about.

In Software-as-a-Service (SaaS) public clouds, the vendor controls your data and needs access to it in either plaintext or tokenized format so it can be processed by their application. In this model, the only security controls you have are the ones they provide and manage, plus your configuration of access controls for internal users within their application. New cloud tokenization methods can also be helpful here, because sensitive data elements can be turned into process-ready, non-sensitive data bits. Luckily, in healthcare there are many SaaS providers focused on the industry, and it's not as hard to get a business associate agreement signed with an EMR cloud provider.

Where the problem really comes in is Infrastructure-as-a-Service (IaaS) and some Platform-as-a-Service (PaaS) architectures. These cloud providers are not healthcare specific and have large legal teams telling them to limit liability and not sign business associate agreements. For these cloud services, security is a shared responsibility between the user and the provider. The user owns the operating environment or storage format and the provider owns everything else.

So here's where the argument gets interesting. Enter the HITECH Act. The HITECH Act says that if information is encrypted (there is detail underneath this, but it is easy to comply with), it is considered protected and its loss is not a breach. So, if the user were to put a cryptographic boundary around the data - essentially encrypt the sensitive data - before it went up into the cloud, is a Business Associate Agreement really required? If a bad guy stole the data in that format it wouldn't even be considered a breach. Let's take a look at a couple of scenarios:

Cloud Storage: The healthcare provider encrypts data and sends it up into the cloud in HITECH Act "protected" encrypted format. The data remains encrypted until it is restored to production systems. The data has been protected by the letter of the HITECH Act the entire time and even if stolen would not constitute a breach. So is a Business Associate Agreement actually required if the provider never has access to the plaintext data?
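To make the "cryptographic boundary" of the cloud storage scenario concrete, here is an added example (not code from the original post) of what the covered entity's side looks like: records are sealed with AES-GCM under a key that stays on premises, the provider only ever stores the opaque blob, and the blob is bound to its object name so that tampering, truncation or moving it to another object is detected on restore. The key, record and object names are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// newAEAD builds AES-GCM from a key that never leaves the covered entity (32 bytes = AES-256).
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealForCloud encrypts a record before it goes to the provider; objectName is bound as
// associated data so a blob cannot be silently moved to another object. Output: nonce||ct||tag.
func SealForCloud(key, record, objectName []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, record, objectName), nil
}

// OpenFromCloud restores a blob; it fails closed on truncation, tampering or a wrong objectName.
func OpenFromCloud(key, blob, objectName []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil || len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("bad key or truncated blob")
	}
	ns := aead.NonceSize()
	return aead.Open(nil, blob[:ns], blob[ns:], objectName)
}

func main() {
	key := make([]byte, 32) // constructed demo key; a real one comes from the entity's own KMS/HSM
	_, _ = rand.Read(key)
	blob, _ := SealForCloud(key, []byte("constructed sample record"), []byte("backup-001"))
	back, err := OpenFromCloud(key, blob, []byte("backup-001"))
	fmt.Printf("provider stores %d opaque bytes; restored %q (err=%v)\n", len(blob), back, err)
}
```

The same pattern is what the "Operating Environments" scenario below relies on for data at rest: only the hardened instance, holding the key, ever sees plaintext.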

Operating Environments in the Cloud: Your developers want to test an application, or you want to move production systems into the cloud for better scalability and high availability at a lower cost. In this case, you control the security of the operating environment and most of the data security. You construct a strong HIPAA compliant image - with a hardened operating system and system security components such as anti-virus and HIPS - and encrypt your data files before you send them to the cloud. Your data is encrypted in storage, even as the storage is replicated. The only time your data is in the clear is while it is being processed by your HIPAA compliant operating environment, as long as the cloud architecture doesn't write memory to a file. There may be a slightly weaker argument for forgoing a BA agreement here - but still a strong one that may hold - especially if you can detect intrusions in relation to the operating environment.

Hopefully, in the near future, stronger guidance will be developed to formally address this issue and support healthcare in lowering costs and providing better services through the public cloud. In the meantime, there are interesting conversations to be had!
