Cloud computing takes on many forms, ranging from a simple online information storage, to software with more complete solutions; and HIPAA would not fail to suggest safety, administration and privacy standards for cloud services providers (CSP) who are focused on the health area.
Within the software categories, we can find the Softwares as a Service - SaaS, which gives the customer the option of using a service, application or software through an internet browser, can also be called on-demand software, or hosted software. It is worth mentioning that there are also other models like Platform as a Service (PaaS) and Infrastructure as a Service (IaaS).
Within the models that can be used in cloud software, they can be based on:
- Private cloud - where the cloud structure is provided exclusively for an organization or company with multiple users. It can be developed, managed and operated by the company, a third party or a combination of the two, existing inside or outside the company's facilities.
- Community cloud - the cloud structure is for the use of a specific community, where users from different organizations have common interests. It can be developed, managed and operated by one of the community companies, or a third party, and there may also be development inside or outside the companies.
- Public cloud - the cloud structure is open for general use by the public, can be developed, managed or operated by companies, educational institutions, government organizations, or a combination of these. Existing within the provider's facilities.
- Hybrid cloud - the cloud structure is composed of two or more distinct cloud structures (private, community or public) that are joined by technologies that allow data portability and transmission.
HIPAA and Cloud Softwares
HIPAA allows clinics, healthcare professionals and larger entities, such as hospitals, to use cloud software to create, store, receive, maintain or electronically transmit protected health information (PHI) as long as there is a contract between the parties according to HIPAA rules.
The contract must delimit and establish the required permissions and uses of the data, based on the relationships between users and activities and services developed by the members. The contract needs also to contain minimum security requirements that must be met to guarantee the integrity of protected health information, integrating here the HIPAA security rules. Contract members must also regularly carry out risk assessment, risk management, and create policies within their system that control possible damage.
In addition, HIPAA also considers relevant aspects of a Service Level Agreement - SLA, which standardizes the services between the contracting and contracted parties, and gives instructions on the construction of the same, on the blog about HIPAA and Ninsaúde Apolo we spoke in more detail on the subject, but it is worth mentioning that the following aspects are key points of any health SLA:
- Availability and reliability of the chosen system;
- Back-up and data restoration (in cases where action is needed to respond to a ransomware attack or other emergency situations);
- The way in which the data and information will be returned to the contractor in case of termination of the contract;
- Responsibilities regarding the security of information and data;
- Limits and restrictions on the use, retention and disclosure of data.
Another important issue is the access of cloud software on mobile devices, such as smartphones, tablets, among others. HIPAA allows access to health information on these devices, but recalls that they must be done securely in compliance with physical, administrative and technical security standards, to protect the integrity, reliability and viability of the information.
For this, HIPAA also provides tips on how to prevent yourself when using mobile devices, such as:
- Access identification on the device as well as in the system to access it;
- Use encrypting applications and install or enable data cleaners on the device;
- Use or enable an anti-virus, and disable automatic file sharing;
- Keep the device software up to date and read about any new applications before installing them;
- Keep the physical control of the device, ensuring the best way so that it is not lost or stolen;
- Use secure methods to transmit health information over open Wi-Fi networks;
- And when discarding the device make sure that all information has been permanently deleted.