Cloud computing takes on many forms, ranging from simple online information storage to software with more complete solutions; and HIPAA would not fail to suggest safety, administration, and privacy standards for cloud services providers (CSP) who are focused on the health area.
Within the software categories, we can find Software as a Service - SaaS, which gives the customer the option of using a service, application, or software through an internet browser, which can also be called on-demand software, or hosted software. It is worth mentioning that there are also other models like Platform as a Service (PaaS) and Infrastructure as a Service (IaaS).
Within the models that can be used in cloud software, they can be based on:
- Private cloud - where the cloud structure is provided exclusively for an organization or company with multiple users. It can be developed, managed, and operated by the company, a third party, or a combination of the two, existing inside or outside the company's facilities.
- Community cloud - the cloud structure is for the use of a specific community, where users from different organizations have common interests. It can be developed, managed, and operated by one of the community companies, or a third party, and there may also be developed inside or outside the companies.
- Public cloud - the cloud structure is open for general use by the public, and can be developed, managed, or operated by companies, educational institutions, government organizations, or a combination of these. Existing within the provider's facilities.
- Hybrid cloud - the cloud structure is composed of two or more distinct cloud structures (private, community, or public) that are joined by technologies that allow data portability and transmission.
HIPAA and Cloud Software
HIPAA allows clinics, healthcare professionals, and larger entities, such as hospitals, to use cloud software to create, store, receive, maintain or electronically transmit protected health information (PHI) as long as there is a contract between the parties according to HIPAA rules.
The contract must delimit and establish the required permissions and uses of the data, based on the relationships between users and activities and services developed by the members. The contract needs also to contain minimum security requirements that must be met to guarantee the integrity of protected health information, integrating here the HIPAA security rules. Contract members must also regularly carry out a risk assessment, and risk management, and create policies within their system that control possible damage.
In addition, HIPAA also considers relevant aspects of a Service Level Agreement - SLA, which standardizes the services between the contracting and contracted parties, and gives instructions on the construction of the same, on the blog about HIPAA and Ninsaúde Apolo we spoke in more detail on the subject, but it is worth mentioning that the following aspects are key points of any health SLA:
- Availability and reliability of the chosen system;
- Back-up and data restoration (in cases where the action is needed to respond to a ransomware attack or other emergency situations);
- The way in which the data and information will be returned to the contractor in case of termination of the contract;
- Responsibilities regarding the security of information and data;
- Limits and restrictions on the use, retention, and disclosure of data.
Another important issue is the access to cloud software on mobile devices, such as smartphones, and tablets, among others. HIPAA allows access to the health information on these devices but recalls that they must be done securely in compliance with physical, administrative, and technical security standards, to protect the integrity, reliability, and viability of the information.
For this, HIPAA also provides tips on how to prevent yourself when using mobile devices, such as:
- Access identification on the device as well as in the system to access it;
- Use encrypting applications and install or enable data cleaners on the device;
- Use or enable an anti-virus, and disable automatic file sharing;
- Keep the device software up to date and read about any new applications before installing them;
- Keep the physical control of the device, ensuring the best way so that it is not lost or stolen;
- Use secure methods to transmit health information over open Wi-Fi networks;
- And when discarding the device make sure that all information has been permanently deleted.