There is a lot of debate about whether cloud storage is a viable option for Healthcare organizations. With no up-front investment in hardware and low monthly fees, cloud storage offers direct cost savings for many organizations. In addition, cloud storage offers indirect cost savings by eliminating the heating and cooling costs associated with on-site storage and reducing IT hours since most of the maintenance work is outsourced. Yet, even with these cost savings, many healthcare organizations are justifiably concerned about the safety of cloud storage for sensitive data.
Cloud Storage Options
There are three main types of cloud storage options: public, private and hybrid. All three are scalable, reduce up-front costs compared to traditional on-site storage, and decrease the time spent managing archive storage. Since most archive data is run through a secure hashing algorithm encryption process and stored as object data, it is less risky to store archive data in the cloud than it is to store current, unencrypted data. However, considering the severity of the HIPPA fines that covered healthcare organizations can incur for security breaches, it is important to understand the types of cloud storage to determine which are appropriate for your archive data storage needs.
- Public. In public cloud storage, the organization stores information outside of the company's data center and the cloud storage provider fully manages the cloud storage, data and security. With most public cloud storage companies, you give the cloud storage company access to your data and the ability to move it as needed. So even though archive storage data is usually encrypted, this is the least secure of the options and is not recommended for Protected Health Information (PHI) data storage.
- Private. With private cloud storage, the company installs a cloud infrastructure behind the organization's firewall, but still manages the cloud storage for scalability, reliability and rapid deployment. This is the most expensive type of cloud storage, but it is generally the most secure. Organizations that have multiple locations benefit most from this type of cloud, especially if there is one centralized location for the IT group.
- Hybrid. A hybrid installation keeps the most critical data, usually PHI and financial information, in a private cloud, while storing less sensitive data in a public cloud. This solution balances cost and security.
Deciding Which Archive Storage is best for your Organization
When deciding what is safe and appropriate for your organization's storage, consider the types of data you will store and the security regulations for your industry. While public clouds require the least work and are the least expensive, they are also the least secure of the three options. Comparatively, private cloud storage offers less cost savings, as you still have data on-site while paying another company to help manage it. The hybrid model is a popular choice as it segments the data and provides high security for PHI and financial data, and uses lower cost public storage for less sensitive information.
What to Consider when Choosing your Archive Storage Vendor
Organizations in the healthcare industry should be particularly careful when choosing a cloud storage provider. The U.S. Department of Health and Human Services, the entity responsible for HIPPA, does not recognize any cloud HIPPA certification programs. But, if you look for a cloud service provider that undergoes annual data center and cloud infrastructure audits using the HIPPA Audit Protocols, this will ensure that the provider has the necessary procedures in place to be, and stay, compliant. Ask the vendor if they have an annual HIPPA compliance audit and ask to see the report. Another key factor is ensuring that the cloud service provider will sign a Business Association Agreement (BAA). HIPPA requires that third-party suppliers of covered entities must also comply with HIPPA standards if they have access to PHI. Any covered entity storing PHI in a cloud solution must have a BAA with the storage provider, and a non-covered entity should still ask for a BAA to ensure additional legal protection.
Migrating your Data
The next step is to migrate your archive data. In the healthcare industry, it is critical that you find a company that is HIPPA compliant, secure, ensures the proper chain-of-custody, and provides detailed reports to prove compliance. In addition, if your organization decides to migrate your archive data from a traditional object-based archive storage solution to the cloud, remember that the cloud uses a different file structure than traditional on-site archive storage. If your organization has on-site archive storage it is likely using (CIFS/NFS) as well as APIs for the current on-site storage solutions. Cloud storage requires support for new APIs such as Representational State Transfer (REST) and possibly Simple Object Access Protocol (SOAP), although SOAP is fading in popularity. You need to ensure that the company that migrates your data can support these file transfers.
If you are considering cloud storage, ensure that you investigate the pros and cons of the solutions and carefully vet the cloud service providers to ensure that your data is safe, scalable and accessible. By investigating these issues in advance you can ensure that you protect the security of PHI and your organization.
About the Author: Gary Lieberman is a co-founder and Chief Executive Officer of Interlock Technology Inc. Since Interlock’s inception, Lieberman has led the company through a period of rapid change in the storage industry while sustaining year over year, double-digit growth. He has transformed Interlock’s business model by virtualizing service delivery and expanding its market presence globally. Interlock is recognized by its extensive partner community for its ability to execute complex services with a high degree of competence and agility.
Edited by
Dominick Sorrentino
