In this episode of the HIPAA Insider Show, host Adam and HIPAA expert Gil dive into the critical balancing act of managing risk versus control in HIPAA-compliant cloud environments. They explore the unique challenges healthcare organizations face when leveraging cloud computing while adhering to strict data protection requirements.
Key topics include:
- The main risks associated with cloud computing in healthcare
- Essential controls for maintaining HIPAA compliance in the cloud
- Practical approaches to risk assessment and management
- Real-world examples of balancing security controls with operational efficiency
- The impact of emerging technologies like edge computing, AI, and IoT on HIPAA compliance
- Strategies for fostering a culture of security and compliance
Whether you’re a healthcare IT professional, compliance officer, or executive, this episode offers valuable insights into navigating the complex landscape of HIPAA compliance in the cloud era. Tune in to learn how to walk the tightrope between leveraging cloud benefits and maintaining robust data protection.
Transcript:
Adam
Hello, and welcome back to another episode of the HIPAA Insider Show. I’m your host, Adam Zeineddine, and today we’re joined again by our resident HIPAA expert, Gil Vidals. Today’s topic is one that many healthcare IT professionals stay up at night thinking about: balancing risk and control in HIPAA-compliant cloud environments. Gil, are you ready to walk this tightrope with us?
Gil
Adam, I’m ready to go. And this is a critical topic that affects pretty much every healthcare organization using cloud services. So it’s a good topic to cover today.
Adam
Yeah. Well, that’s fantastic. Let’s get started. Okay, with the basics. Gil, why is the balance between risk on the one hand and control in the organization so crucial in HIPAA-compliant cloud environments?
Gil
Yeah, that’s a great question, Adam. So in the world of healthcare IT, we’re constantly trying to leverage the benefits of cloud computing, like scalability, cost effectiveness, and improved collaboration, while we’re ensuring that we meet the strict guidelines that HIPAA imposes. And it’s like trying to run a marathon while you’re juggling some balls. So it’s not that easy.
Adam
Yeah, that’s a vivid image. So what are some of the key risks we’re dealing with when it comes to cloud computing in healthcare?
Gil
Yeah, well, as you can imagine, just even if you’re not paying attention to the news, there’s a constant barrage of data breaches, unauthorized access, patient information being stolen, compliance violations, et cetera. So the cloud environments, they do introduce an attack surface and can make it harder to maintain visibility and control over your data. So that’s the challenge.
Adam
So, challenge on the risk side, what kind of controls are we talking about?
Gil
There’s a range of controls, Adam. The technical controls would include things like encryption of the data and access management, that is, who has access to the data. Then there’s administrative controls. Those are things like policies and procedures, training logs to make sure you keep track of who’s being trained. And then finally, the physical controls, those are the ones that probably most people think about because they’re easy to visualize, like a camera pointing to the server, a biometric scanner, and access cards to access the data center floor. And the challenge is to make sure all of these are implemented and that they stay in force, that there’s no lapse in these controls. And so I would summarize by saying it’s the physical controls, administrative controls, and the technical controls.
Adam
It sounds like a very delicate balance between those controls and the risks that you mentioned. How can healthcare organizations begin to approach this?
Gil
Yeah, because it could be daunting. Right. If you’re just poking around, trying a few things here and there, then you lose track of what you’ve implemented. So a good place to start, I would say, is a risk assessment. You need to understand how the data is flowing, especially the patient or the protected health information, find out where it flows to and through your platform and evaluate the specific risks in your environment. From there you can implement controls that are proportionate to the risks.
Adam
Can you give us an example of how this might play out in practice?
Gil
Sure, I can think of a good example. Let’s say a hospital has decided to move their EHR, their electronic health records, to a cloud-based solution. So the first thing they want to do is a complete assessment of the risk of what may be introduced as new risks in the cloud. And they’re going to want to evaluate the potential: how could hackers get in, potential data breaches, or service interruptions, because service interruptions would be a different scenario in the cloud than on prem.
Gil
And then they might implement controls like end to end encryption in the cloud, strict access controls to make sure only the staff that should be accessing the patient data is, and then a robust business continuity plan, meaning that if a server goes offline or a service goes offline in the cloud, they can have a failover plan to make sure they have business continuity there. And then also ensuring only the appropriate staff has access to the patient information. That’s always vital to do that as well.
Adam
That makes sense. Are there any particular challenges you see organizations struggling with in this area?
Gil
Yeah, the concept in the cloud is to maintain compliance, and you have third-party services that may enter the picture when you’re in the cloud. So your security perimeter that you may be used to may be much smaller when you’re on prem. For example, when you’re in the cloud, your security perimeter might be larger or just different. So you need to ensure that your cloud providers are also HIPAA compliant. And this could involve a vendor, you know, careful vendor selection, detailed service level agreements, and then monitoring as well. Yeah.
Adam
At this point I’d like to encourage our viewers to click, subscribe and like on the video. It really helps us with the algorithm. Okay, Gil, how does the balance shift as technology evolves? Obviously we know that HIPAA compliance isn’t the one and done. It requires maintenance. So as technology evolves, are there any emerging trends that healthcare organizations should be aware of?
Gil
Yes, definitely. What’s happening out there is the attack surface is growing. So what that means is where the bad actors can inject themselves or try to attempt something nefarious is growing. So for example, IoT devices, the Internet of Things devices, are all over the place. So those devices can be an entry point. So you have to keep those in mind. AI and machine learning, that’s new. So we have all sorts of tools that can be used within healthcare organizations that depend on AI. And there hasn’t been a lot of abuse of AI from the hackers, but, you know, that has started and that will be coming as well. So the attack surface is something you have to keep an eye on, and organizations need to stay informed and continuously reassess the risk control balance.
Adam
Thanks, Gil, that’s been really insightful. Before we wrap up, what’s one piece of advice, if you could give it, to our listeners and viewers who are, or may be, grappling with these issues?
Gil
Yes, I would say if I gave one piece of advice, it is that you do want a culture of security within the organization. Ultimately it’s the human beings behind the technology that really can thwart the security, break it down. So we need to have employees, staff, that are all behind the security. They’re all security conscious and security minded. It’s part of everyone’s job.
Adam
Well, thank you, Gil, for sharing your expertise with us today. And thank you, listeners and viewers. And remember, when it comes to HIPAA compliance in the cloud, it’s not about eliminating all risks, it’s about understanding them and implementing smart, balanced controls. Until next time, this is Adam for the HIPAA Insider Show. Stay compliant out there.