October 17, 2019

Solving Healthcare Compliance in a Post-Cloud World

Ryan Rich
Ryan Rich

Datica Alumni — Former Chief Product Officer and Chief Security Officer

Know the complete compliance state of your cloud environment

Disruption brought on by the cloud is inevitable. However, for the highly-regulated healthcare industry, the burden of compliance often blocks the innovation necessary to compete.

Let’s explore some of the critical factors behind this. Developers building healthcare software are increasingly leveraging cloud managed services (computer resources including storage, compute power, container orchestration, big data tools, etc.) packaged as APIs or interactive products delivered via software. This has helped to substantially improve developer experience, but securing this infrastructure has also now become their responsibility. Many have limited understanding of the privacy, security, and compliance implications of using the different services that cloud providers offer. As on-premise hardware is increasingly moved to the cloud, enterprises have handed off more responsibilities—completely changing how compliance should be implemented, measured, monitored, and managed. Risk aversion for cloud-based technologies in healthcare is often rooted in the complexity of understanding where liabilities actually exist between the data center and cloud service provider customer, and who is responsible for ensuring the protection of PHI and when.

For example, HIPAA–the primary regulatory framework in the U.S. healthcare industry–kicks in when a digital health product handles PHI. When that digital health product stores, processes, or transmits PHI, HIPAA asserts rules on how it should handle a multitude of security, privacy, and policy procedures, called “controls.” Demonstrating that a company and its digital health product meets all of those controls is how it can call itself compliant.

The problem explodes with the sheer number of cloud services and instances (usually in the thousands). Developers must often reinvent the wheel of mapping compliance controls in totality to a new managed service. As a result, enterprises are increasingly worried about the risk in moving sensitive data to the cloud; the lack of transparency, in particular with shared responsibility, is a major roadblock to cloud adoption.

Simplifying Cloud Compliance

These issues are driving the need for a more robust approach to compliance. One of the most difficult aspects of compliance is knowing that the proper configuration state is mapped to a specific control. Cloud compliance management technologies can help by providing a constant understanding of the precise state of cloud environments. A cloud compliance management system can evaluate the implementation of managed services against critical compliance controls, check configuration states on a continual basis, and track those states in a historical data model across popular HIPAA-eligible cloud provider services, reshaping the way that organizations operate in the cloud and speeding adoption for healthcare. Furthermore, to be most effective, a cloud compliance management system should be uniquely designed to fit the specific requirements of the industry. For healthcare compliance, a tool should:

  • Have built-in policies and procedures designed to meet the needs of HIPAA, GDPR, and GxP.
  • Include a continuous monitoring tool to focus on checking specific compliance controls.
  • Help developers with the most important part of compliance: proving it.

In short, the transformational shift of the cloud can only be successfully enabled if organizations rethink their fundamental approach to compliance.

Interested in learning more? Download our new Datica white paper on cloud compliance in healthcare.

tag Cloud Computing Healthcare Cloud Compliance