The shift to cloud computing began over a decade ago and has transformed nearly every industry. In the medical device sector too, there has been a steady increase in companies leveraging cloud connectivity for their devices.
Potentially dealing with sensitive patient data and other Protected Health Information (PHI) means the existence of additional requirements when considering a cloud setup. HIPAA privacy and security laws are in place to hold healthcare providers — and by extension their partners — accountable to safely transfer and store sensitive data.
Before we can understand what a HIPAA-compliant cloud is, let us start with the basics.
What is HIPAA?
The Health Insurance Portability and Accountability Act, most commonly referred to as HIPAA, turns 25 years old in 2021. The law (and its subsequent acts and amendments) remains the bedrock of patient privacy regulation in the United States.
HIPAA defines particular rights that individuals have over their data. It also outlines the responsibilities of the entities generating, holding, or using this information. Some of those responsibilities include protecting data from loss or abuse, controlling access to sensitive data, and governing the methods of collection, use and disclosure of PHI. It also describes the increasingly severe penalties these entities risk for failing to comply with these responsibilities.
The law was originally envisioned to apply to entities involved with health insurance, healthcare and the payment covering it, but a careful examination reveals that many other business types are now subject to HIPAA rules and its amendments. Aside from health insurance companies and healthcare providers of all kinds, the law is now known to apply to a host of other types of businesses and organizations (called “Business Associates”).
The common aspect these entities share is that they all are involved, directly or indirectly, with patient data — specifically PHI.
What is PHI (Protected Health Information)?
Put simply, PHI is a combination of demographic information that identifies a specific person, and health information (e.g. details of illnesses, treatments, various biological metrics and similar data) associated with that person.
Under HIPAA, PHI includes any data that can be reasonably used to identify a person or a small group of people. The word “reasonably” is key. Data such as average age, weight, or height are not protected because you cannot reasonably use them to identify a specific person. However, data such as social security numbers are protected because they can be associated with a person or a small group of people.
Similarly, if multiple data points can be used in conjunction to identify a person, this data can be considered protected. For example, a record containing information about a patient’s age, height, weight, the names of the individual’s doctors, and appointment schedules could lead someone to reasonably guess who the information belongs to. (Keep in mind some laws are more stringent than others concerning what data is considered protected.)
Connected medical devices can generate reams of data, some of which may be considered PHI. Although not specifically named in the HIPAA act (or in the subsequent HITECH Act or the Omnibus Rule), medical device manufacturers need to consider their HIPAA compliance — especially if they are considering a cloud component to their device.
Cloud Storage for Medical Devices and Healthtech
Cloud storage is a computing model that allows one to store data on servers from a cloud service provider and access it remotely via the internet. These cloud providers offer storage as a service, with flexible storage capacity as well as bespoke data storage infrastructure.
Cloud solutions like Amazon Web Services (AWS), Microsoft Azure, and Google Cloud (to name a few), have transformed the ways in which businesses can collect and store vast amounts of data with ease. The flexibility that these cloud services provide and the myriad benefits of cloud computing in healthcare have made cloud storage an attractive proposition for many — including medical device makers.
But utilizing cloud storage for your data needs requires a thorough understanding of HIPAA regulations and of the data privacy and cloud security concerns associated with PHI.
Medical devices and HIPAA
One thing that HIPAA makes plain is that any business activity or process that involves PHI in any form is almost certainly covered by its requirements. So when it comes to utilizing the cloud, any process that involves file storage, hosting or file backup is subject to HIPAA regulations.
At first glance, these big-name cloud providers appear to be viable options for a medical device cloud deployment, since these providers state that their services can be operated in compliance with HIPAA.
In practice, though, building a HIPAA-compliant cloud configuration requires much more than what these services offer on their own, and the onus of developing and maintaining that compliant setup falls on the medical device maker.
HIPAA Compliant Cloud Services
When a cloud provider like AWS certifies a service as “HIPAA-compliant,” there are two primary parts to that certification.
The first relates to what data encryption their core services support. The rules are explicit that data must be encrypted at rest and in transit — applying both externally, as data travels to various endpoints, and internally, as it flows between the various components and infrastructure of your application.
The second piece of the certification relates to the configuration of these core services. A cloud service provider’s “HIPAA Compliance” claim is certifying that while it is possible to configure their core services to be compliant, the burden of understanding and creating that configuration is on your organization.
For example, if you wanted to leverage AWS’s managed database service (RDS), simply launching a new instance of MySQL, PostgreSQL, or Aurora will not result in a HIPAA-compliant database.
Ensuring the data is properly encrypted at rest, disabling non-secure communication protocols, and locking down the database itself are just a few of the necessary steps in configuring this single core service. Other configurations that warrant attention to bring such services into HIPAA compliance include the virtual private cloud, allowed traffic protocols, load balancers, security groups, and audit trails, to name a few.
In short, a cloud service provider may give you the toolbox, but it’s up to you to use those tools correctly.
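As an added example (not code from the page or from Galen Data), this is the kind of check a device maker could run over an RDS instance description to catch the default-launch state described above. The record fields follow the real AWS DescribeDBInstances shape, except that the "Parameters" field, the placeholder instance name and both sample records are constructed assumptions.

```python
"""Audit an RDS instance record against the checklist above.

Added example, not Galen Data's code. StorageEncrypted, PubliclyAccessible
and Engine follow the AWS DescribeDBInstances response shape; "Parameters"
is an assumed field standing in for effective parameter-group values that
a caller fetches separately. Both sample records are constructed.
"""
from typing import Dict, List
# Parameter that refuses plaintext connections, per engine family.
FORCE_TLS_PARAM = {
    "postgres": "rds.force_ssl",          # PostgreSQL / Aurora PostgreSQL
    "mysql": "require_secure_transport",  # MySQL / MariaDB / Aurora MySQL
}

# Constructed: a PostgreSQL instance launched with default settings.
WEAK_INSTANCE = {
    "DBInstanceIdentifier": "PLACEHOLDER-db",
    "Engine": "postgres",
    "StorageEncrypted": False,
    "PubliclyAccessible": True,
    "Parameters": {"rds.force_ssl": "0"},
}

# Constructed: the same instance with the three weak settings corrected.
HARDENED_INSTANCE = {
    **WEAK_INSTANCE,
    "StorageEncrypted": True,        # only selectable at creation time
    "PubliclyAccessible": False,     # reachable only from inside the VPC
    "Parameters": {"rds.force_ssl": "1"},
}

def engine_family(engine: str) -> str:
    """Map an RDS engine name onto the FORCE_TLS_PARAM families."""
    if "postgres" in engine:
        return "postgres"
    if engine in ("mysql", "mariadb", "aurora-mysql"):
        return "mysql"
    return ""

def audit_rds_instance(inst: Dict) -> List[str]:
    """Return findings for the checklist; an empty list means all checks passed."""
    findings = []
    if not inst.get("StorageEncrypted"):
        findings.append("storage is not encrypted at rest")
    if inst.get("PubliclyAccessible"):
        findings.append("instance is reachable from the public internet")
    param = FORCE_TLS_PARAM.get(engine_family(inst.get("Engine", "")))
    if param and inst.get("Parameters", {}).get(param) not in ("1", "ON"):
        findings.append(f"{param} is off, so unencrypted connections are allowed")
    return findings
```

Running the audit over both records shows the default launch failing all three checks and the corrected record passing; the remaining items in the checklist (VPC, security groups, audit trails) would be separate checks over other API responses.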
HIPAA Compliant Cloud Storage
There is a common misconception that deploying your application on a “HIPAA-compliant” infrastructure automatically confers compliance; however, the infrastructure is only the foundation. The application itself must also be as strong as that foundation to guarantee the safety of critical data.
Your application needs to be designed from the ground up, with security as a top priority. Enforcing coding best practices, rigorous code reviews, and detailed, traceable requirements are just as critical to achieving (and maintaining) compliance with any privacy standard that you are being held to.
Unlike the applications of 20 years ago — which would often be launched and then run with a few monolithic updates over a year or two — the trend in software has shifted towards continuous development, integration, and deployment. This is challenging to sustain in a medical device paradigm due to the validation and verification requirements, but it remains a valid method of maintaining software by identifying and fixing bugs quickly before they can be exploited. This application lifecycle, together with periodic, documented reviews of your infrastructure, forms the linchpin of the overall plan to maintain your privacy compliance.
Among other responsibilities, a HIPAA-compliant cloud setup must:
- Secure transmitted data end to end, from medical devices to the cloud and vice versa
- Store the data in the cloud securely
- Provide a system that allows controlled access for relevant parties
- Provide a log of all data storage, transmission and access events
The importance of HIPAA-compliance
Non-compliance with HIPAA regulations can result in penalties, either in the form of fines, jail time or both.
The penalties are typically broken into different levels, with the severity of the penalty matched to the severity of the violation.
“Civil penalties” is the term used for monetary fines for non-compliance. As stipulated by § 160.404 (Amount of a civil money penalty) in HIPAA Administrative Simplification, there are several levels of violations with differing penalties for each.
Fines can start from $100 per violation, increasing up to a maximum of $1.5 million per year for the most serious violations or for repeat offenders.
In the most severe cases, the penalties to individuals and responsible parties may include jail time (in addition to the fines listed above). Criminal penalties usually follow from active involvement in the non-compliance.
Similar to the levels associated with civil penalties, there are three different levels of punishment based on the seriousness of the violation:
- Imprisonment for up to 1 year for knowingly sharing protected information
- Imprisonment for up to 5 years for committing offenses under false pretences
- Imprisonment for up to 10 years for offenses committed for financial gain
Whilst the most serious punishments are aimed at those who actively seek to abuse the rules of compliance, ignorance or lack of awareness does not protect one from the consequences of non-compliance.
Mitigating the Risk of HIPAA Non-Compliance
HIPAA rules were set out to, among other things, protect the privacy of patient data. The law applies not just to healthcare providers but to any business associate that interacts with or is responsible for PHI. Non-compliance with the law carries significant civil and potentially criminal penalties.
For medical device makers it is crucial to ensure a HIPAA-compliant cloud solution for any device data that may be considered PHI.
It is easy to be swayed by the notion that because a cloud provider bills itself as compliant with HIPAA standards, your application automatically becomes compliant as well.
Unfortunately, that is not the case.
Careful work configuring the infrastructure is necessary to make it truly compliant, and applications must be designed with privacy and security in mind. Your software process should also be flexible enough to allow you to continually develop and verify your infrastructure while keeping it HIPAA compliant.
Although this sounds fairly straightforward, putting this into practice is more complex.
Alternatively, choosing a cloud provider that specializes in medical device cloud connectivity can ease much of that burden by providing off-the-shelf cloud capabilities that are designed with compliance in mind.
The Galen Cloud
Building, operating, and maintaining a compliant medical device connectivity infrastructure can be very costly and time consuming. It is often more cost-effective to leverage a pre-existing platform (like the Galen Cloud™), than trying to address these ever-evolving regulatory requirements on your own.
The Galen Cloud™ has accelerated the time-to-market for dozens of medical device companies by providing the compliant solution needed for FDA approval. The Galen Data team is equipped with decades of experience in software and regulatory compliance.
Galen Data’s platform allows companies to wirelessly collect, store, share, and quickly analyze patient data. Dashboards and alerts for the manufacturer, medical team, and patients are also provided within the platform. The software platform is compliant with FDA, HIPAA, and CE Mark standards, and is ISO 13485:2016 certified.
Galen Data has developed the premier HIPAA-compliant cloud solution for medical devices, and the team of experts to help you with your connectivity needs.