The shift to cloud computing began over a decade ago and has transformed nearly every industry. In the medical device sector too, there has been a steady increase in companies leveraging cloud connectivity for their devices. Dealing with sensitive patient data and other Protected Health Information (PHI) brings additional requirements when considering a cloud setup. HIPAA privacy and security laws are in place to hold medical device companies accountable for safely transferring and storing sensitive data.
At first glance, big-name cloud solutions like Amazon Web Services (AWS), Microsoft Azure, and Google Cloud appear to be viable options for a medical device cloud deployment, as these providers state that their services can be used in a HIPAA-compliant manner. In practice, though, building a HIPAA-compliant cloud configuration requires much more than what these services offer on their own, and the onus of developing and maintaining that compliant setup falls on the medical device maker.
What does claiming “HIPAA Compliance” really mean?
When a cloud provider like AWS designates a service as “HIPAA-eligible,” there are two primary parts to that designation. The first relates to what data encryption the core service supports. The rules are explicit that data must be encrypted at rest and in transit — applying both externally, as data extends to various endpoints, and internally, as it flows between the various components and infrastructure of your application. The second part relates to the configuration of these core services. A cloud service provider’s “HIPAA Compliance” claim certifies that it is possible to configure its core services to be compliant; the burden of understanding and creating that configuration remains on your organization.
For example, if you wanted to leverage AWS’s managed database service (RDS), simply launching a new instance of MySQL, PostgreSQL, or Aurora will not result in a HIPAA-compliant database. Ensuring the data is properly encrypted at rest, disabling non-secure communication protocols, and locking down the database itself are just a few of the steps necessary to configure this single core service. Other configurations that warrant attention to bring such services into HIPAA compliance include a virtual private cloud, allowed traffic protocols, load balancers, security groups, and audit trails, to name a few. In short, a cloud service provider may give you the toolbox, but it’s up to you to use those tools correctly.
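As an added illustration (not code from the original article), the following script checks an RDS instance description against the settings the paragraph above names: encryption at rest, public exposure, enforced TLS for client connections, and log exports for an audit trail. The instance dictionaries are constructed samples in the shape that boto3's rds.describe_db_instances() returns, and the parameter-group keys are RDS's real per-engine TLS switches.

```python
# Added example: audit an RDS instance description for the HIPAA-relevant
# settings discussed in the text. The samples below are constructed and do
# not come from a real account; no AWS call is made.
from typing import Dict, List

# Real RDS parameter-group switches that reject non-TLS client connections.
TLS_PARAM = {"mysql": "require_secure_transport", "postgres": "rds.force_ssl"}
TLS_ON = {"1", "ON", "on"}


def audit_rds_instance(inst: Dict, params: Dict[str, str]) -> List[str]:
    """Return a list of findings for one instance; empty means no gaps found.

    inst   -- one element of describe_db_instances()["DBInstances"]
    params -- name -> value for the instance's DB parameter group
    """
    findings = []
    if not inst.get("StorageEncrypted"):
        findings.append("storage is not encrypted at rest (enable KMS encryption)")
    if inst.get("PubliclyAccessible"):
        findings.append("instance is publicly accessible (place it in a private VPC subnet)")
    tls_param = TLS_PARAM.get(inst.get("Engine", ""))
    if tls_param is None or params.get(tls_param, "0") not in TLS_ON:
        findings.append("unencrypted client connections allowed (set %s=1)"
                        % (tls_param or "the engine's TLS parameter"))
    if not inst.get("EnabledCloudwatchLogsExports"):
        findings.append("no log exports to CloudWatch (no audit trail)")
    return findings


# Constructed sample: a freshly launched MySQL instance with defaults left in place.
WEAK_INSTANCE = {
    "DBInstanceIdentifier": "phi-db-dev", "Engine": "mysql",
    "StorageEncrypted": False, "PubliclyAccessible": True,
    "EnabledCloudwatchLogsExports": [],
}
WEAK_PARAMS = {"require_secure_transport": "0"}

# Constructed sample: the same instance after the settings above are corrected.
HARDENED_INSTANCE = {
    "DBInstanceIdentifier": "phi-db-prod", "Engine": "mysql",
    "StorageEncrypted": True, "PubliclyAccessible": False,
    "EnabledCloudwatchLogsExports": ["audit", "error"],
}
HARDENED_PARAMS = {"require_secure_transport": "1"}

if __name__ == "__main__":
    for inst, params in ((WEAK_INSTANCE, WEAK_PARAMS), (HARDENED_INSTANCE, HARDENED_PARAMS)):
        print(inst["DBInstanceIdentifier"], audit_rds_instance(inst, params) or ["ok"])
```

Against a real account, feed each entry of describe_db_instances() and the matching describe_db_parameters() output into audit_rds_instance; the checks cover only the settings named in the text, not the surrounding VPC, security-group, or load-balancer configuration.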
The most important piece of the puzzle: your application
There is a common misconception that deploying your application on a “HIPAA-compliant” infrastructure automatically confers compliance; however, the infrastructure is only the foundation. The application itself must be as strong as that foundation to protect critical data. Your application needs to be designed from the ground up with security as a top priority. Enforcing coding best practices, rigorous code reviews, and detailed, traceable requirements are just as critical to achieving (and maintaining) compliance with any privacy standard you are held to.
Unlike the applications of 20 years ago — which would often be launched and then run with a few monolithic updates over a year or two — the trend in software has shifted towards continuous development, integration, and deployment. This is challenging to sustain in a medical device paradigm because of the validation and verification requirements, but it remains a sound method of maintaining software, since bugs are identified and fixed quickly, before they can be exploited. This application lifecycle, coupled with periodic, documented reviews of your infrastructure, becomes the linchpin of the overall plan to maintain your privacy compliance.
Tying it all together
It is easy to be swayed by the notion that, because a cloud provider bills itself as compliant with HIPAA standards, your application automatically becomes compliant as well. Unfortunately, that is not the case. Careful work configuring the infrastructure is necessary to make it truly compliant, and applications must be designed with privacy and security in mind. Your software and processes should also be flexible enough to let you continually develop and verify your infrastructure against HIPAA requirements. Alternatively, choosing a cloud provider that specializes in medical device cloud connectivity can ease much of that burden by providing off-the-shelf cloud capabilities that are designed with compliance in mind.