"Situational awareness" is a term we hear often enough (particularly in security) but one that isn't always fully appreciated; put simply, it's the art and science of paying attention to the world around you and responding appropriately to situations as they change.
Believe it or not, this is a critical skill - one that can quite literally mean the difference between success and failure in a business context. When something changes about the business environment, not noticing the change creates risk - noticing the change creates opportunity. And both risk and opportunity abound in looking at the current environment within the healthcare sector.
Risk and opportunity: HITECH and business associates
In healthcare, HIPAA is obviously a very big deal. For the past decade and a half since the law went into effect, organizations in the healthcare community have been struggling to come to grips with a set of federally imposed mandates governing the security and privacy of the electronic health data within their organizations. Historically, though, the situation has been quite different for "business associates" - those firms that provide IT or other support to hospitals, insurance companies, or clinics but are not themselves covered entities.
In most cases, business associates have access to the same data, the same systems, and the same documents and artifacts of patient care as covered entities. Yet they were not required to implement the same physical, technical and administrative security controls as covered entities were. They were required to sign agreements with covered entities stating their intent to protect data, but they were not on the hook to implement any specific security technology or controls to actively defend the data in question. At least not until recently.
As of the Health Information Technology for Economic and Clinical Health (HITECH) Act, business associates are in a different boat. Now they are required to adhere to the same security standards as covered entities. What's more, they're on the hook from an enforcement standpoint as well. For business associates not paying attention, this introduces both risk and opportunity: the risk that they will not get into compliance with the law and will be subject to enforcement action, and the opportunity to differentiate themselves to their customer base through their understanding of the requirements and their ability to implement secure practices that safeguard patient data.
Meeting the requirements: Cloud strategies
For business associates going through this, it's important to realize that getting to where they need to be from a HIPAA security standpoint could potentially be facilitated through a (seemingly) unlikely source: their cloud migration efforts. In other words, a migration to cloud already in progress may (under certain circumstances) be one avenue to meet some of the required HIPAA security controls head on. Why, you ask? There are two reasons for this:
1.) Many firms that provide cloud services have already implemented the specific controls required by HIPAA security in the course of servicing covered entities; and
2.) Overlapping controls (such as those implemented to satisfy payment or banking regulatory requirements) may potentially be used in support of HIPAA.
In other words, the promise of cloud is leveraging economies of scale for security as well as for other desirable technical outcomes: rather than each firm having to implement security and other controls itself, the effort is "consolidated" and implemented once in an environment that can be shared among consumers.
So for business associates looking to rapidly meet the specific controls required by HIPAA security, looking at environments that are already servicing covered entities could be a good bet. Since these environments are on the hook as business associates (just like you are), they are required to meet the same bar as you; so by leveraging their service you ostensibly leverage the effort they've put into implementing the technical, physical and administrative security controls as well.
Of course, this is by no means a substitute for an internal compliance effort. You'll still need to make sure that you're doing the right thing everywhere you interact with, handle or access patient health information, but it can certainly be a head start for areas that you're looking to migrate to the cloud anyway. By selecting an environment that will implement the same controls you are required to, and by getting in writing that your service provider will implement the appropriate controls, you just might put yourself farther down the road than you'd otherwise be.
Ed Moyle is senior security strategist at Savvis.