Cloud computing reduces HIPAA compliance risk in managing genomic data

By Lee Bendekgey
September 04, 2013
08:14 AM

How Have Large HIPAA Breaches Happened?

Since 2009, some 21 million health records have been compromised in major HIPAA security breaches reported to the US government.  Loss or theft of electronic equipment or storage media has been the source of more than 66% of all large HIPAA breaches during this period. The individuals affected by these breaches amount to nearly 73% of all individuals affected by large HIPAA breaches reported to HHS during the same time period. In most cases the theft or loss involved a laptop or electronic media, such as a flash drive, containing unencrypted PHI. In contrast, large breaches attributed to hacking amounted to 8% of the total incidents and affected 6% of the individuals whose PHI was disclosed.

These data suggest that the implementation of IT systems that enable secure sharing of information without the need to transport it on a computer or storage media will go a long way toward eliminating the majority of large HIPAA breaches.

Use the Cloud to Reduce HIPAA Risk

The first, and perhaps the most important, step one can take in reducing the risk of HIPAA breaches is to make sure that users of PHI are not transporting unencrypted data on portable equipment (like laptops) or media (like flash drives). New genomic data management systems enable this goal by keeping data in the cloud, and providing access to users via a web browser. In this architecture, only the PHI that the user is viewing in his or her web browser is resident on the user’s computer; all other data remains on secure servers.

The use of the cloud can also facilitate enforcement of encryption requirements. For example, many of the new commercial systems encrypt all data while in transit and while at rest. This means that even if data somehow become accessible to an unauthorized person, they would be secured and could not be read unless the hacker also obtains the encryption key. While this is also possible using an on-premises data center, it is much harder to enforce where users download and store data.

Further, the significant costs of security audits, certifications, and assessments to demonstrate best efforts to comply with HIPAA security requirements are more easily borne by cloud providers than by private data centers. Such certifications could provide meaningful defense against civil or criminal prosecution, even if there is an unavoidable breach.

The use of an appropriately designed and developed cloud-based system for managing genomic PHI can also facilitate compliance with the physical and technical safeguards required by the HIPAA Security Rule.  Most cloud service providers implement physical security measures that exceed those that are practical for all but the largest of single-institution data centers.  In addition, systems designed to manage genomic data automatically implement technical and other safeguards to ensure data confidentiality and integrity, including encryption, multi-factor authentication, automatic session timeouts, and logging for auditability.

While it may not be intuitively obvious, in most cases a user of genomic PHI can dramatically reduce its compliance risk by using a cloud-based solution consistent with the standards described in this article.

[1] Rodriguez, L. et. al, “The Complexities of  Genomic Identifiability”, Science, vol. 339, no. 6117, p.275 (January 18, 2013).

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.

Top Story
EHR tips on migrating an all-digital hospital to Epic

Most Read

India to harness ABDM data to develop public AI
South Korea to digitise medical image exchange system
ASTP intros 2024 draft Federal FHIR Action Plan
VA must strengthen controls addressing EHR performance
CrowdStrike all but assures Capitol Hill: Never again
Korea's largest hospital bags APAC's first Stage 6 of new INFRAM

Research

White Papers

More Whitepapers

Patient Engagement
Patient Engagement
Financial/Revenue Cycle Management

Webinars

More Webinars

Imaging
Interoperability
Artificial Intelligence

More Stories

Agency cybersecurity infosec illustrated by many colored streams harnessed by a lock
OIG again deems HHS' infosec program ineffective
Joanna Lucas, RN, of St. Luke's University Health Network
Case and referral management technology gets big results for St. Luke's
Dr. Benoit Desjardins of the University of Montreal
Cyberattacks are becoming more widespread, and more disruptive
Northwestern Medicine
Northwestern Medicine announces international healthcare collaboration
BJ Schaknowski of symplr
Too many IT systems with limited alignment impacts care quality
Doctor in scrubs using computer
Tenet to deploy AI platform across its physician network
Healthcare CIO with other healthcare executives
Health system CIOs' strategic responsibilities continue to evolve
George Pappas at Intraprise Health_Digital shield and lock Photo by da-kuk/Getty Images
Tighter cyber mandates hold New York providers to higher security standards