Solving Healthcare Compliance in a Post-Cloud World
Posted: January 01, 2019
Know the complete compliance state of your cloud environment
Disruption brought on by the cloud is inevitable. However, for the highly-regulated healthcare industry, the burden of compliance often blocks the innovation necessary to compete.
Let’s explore some of the critical factors behind this. Developers building healthcare software are increasingly leveraging cloud managed services (compute resources including storage, orchestration, etc.) packaged as APIs or interactive products delivered via different software models. This has helped to substantially improve developer experience, but securing this infrastructure has also now become their responsibility. Many have a limited understanding of the privacy, security, and compliance implications of using these different services. As on-premise hardware is increasingly moved to the cloud, enterprises have handed off more responsibilities — completely changing how compliance is implemented, measured, monitored, and managed. Risk aversion for cloud-based technologies in healthcare is often rooted in the complexity of understanding where liabilities actually exist between the data center and cloud service provider, and who is responsible for ensuring the protection of PHI and when.
For example, HIPAA - the primary regulation in the U.S. healthcare industry – kicks in when a digital health vendor handles PHI. When a digital health product stores, processes, or transmits PHI, HIPAA asserts rules on how it should handle a multitude of security, privacy, and policy procedures, called rules. Demonstrating that a company and its digital health product meets all of those rules is how it can call itself compliant.
The problem explodes with the sheer number of cloud services and instances (usually in the thousands). Developers must often reinvent the wheel of mapping compliance controls in totality to a new managed service. As a result, enterprises are increasingly worried about the risk in moving sensitive data to the cloud; the lack of transparency, in particular with shared responsibility, is a major roadblock to cloud adoption.
Simplifying Cloud Compliance
These issues are driving the need for a more robust approach to compliance. One of the most difficult aspects of compliance is knowing that the proper configuration state is mapped to a specific control (or rule). Cloud compliance management technologies can help by providing a continuous understanding of the precise state of cloud environments. A cloud compliance management system can evaluate the implementation of managed services against critical compliance controls, check configuration states on a continual basis (for drift), and track those states in a historical data model across popular HIPAA-eligible cloud provider services, reshaping the way that organizations operate in the cloud and speeding adoption for healthcare. Furthermore, to be most effective, a cloud compliance management system should be uniquely designed to fit the specific requirements of the industry. For healthcare compliance, a tool should:
- Have built-in policies and procedures designed to meet the needs of HIPAA, GDPR, and GxP.
- Include a continuous monitoring tool to focus on checking specific compliance controls.
- Help developers with the most important part of compliance: proving it.
In short, the transformational shift of the cloud can only be successfully enabled if organizations rethink their fundamental approach to compliance.