Some healthcare organizations will store data once considered off limits for the cloud with Amazon Web Services now that the provider is willing to sign formal Business Associate Agreements under HIPAA.
In 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH Act) revised the Health Insurance Portability and Accountability Act (HIPAA) to encompass "business associates" of healthcare organizations that might handle patient data. A contract called a Business Associate Agreement (BAA) is generally used to ensure compliance with this provision.
As of this week, healthcare organizations are expected to comply with a new omnibus ruling that states business associates of entities already regulated under HIPAA are directly liable for compliance with HIPAA rules, with penalties of up to $1.5 million for any breaches of privacy.
Amazon Web Services (AWS) has been marketed as a good fit for HIPAA cloud workloads over the last year, but it wasn't until June that it began signing BAAs for select organizations, according to Glenn Grant, CEO of G2 Technology Group Inc., an AWS advanced partner based in Boston.
There are some design requirements for customers who want to be HIPAA-compliant while using AWS; IT pros at healthcare organizations say they are required to use dedicated instances, for example.
In addition, all files containing private health information should be encrypted, according to an AWS whitepaper on HIPAA compliance. Customers are also advised to use Elastic Block Store (EBS) volumes and take snapshots replicated to different availability zones to back up their data.
Some AWS customers say they have also opted to use AWS Direct Connect to keep traffic containing sensitive data off the public Internet.
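The design points above (dedicated instances, encrypted storage, snapshots taken for backup) are the kind of thing an operator would want to verify continuously rather than once at launch. The following Python is an added example, not code from the article, AWS or any of the companies named: it audits a constructed inventory shaped like the EC2 DescribeInstances, DescribeVolumes and DescribeSnapshots responses (the field names Reservations/Instances/Placement/Tenancy, Volumes/Encrypted and Snapshots/VolumeId are the API's; the identifiers and values are invented). It only confirms that a snapshot exists for each volume; where the copy was replicated is not visible in this data and is assumed to be checked separately.

```python
"""Audit a constructed EC2 inventory against the HIPAA design points above.

The dictionaries below are constructed for this example and mimic the shape
of the EC2 DescribeInstances, DescribeVolumes and DescribeSnapshots API
responses; in practice they would come from boto3 or the AWS CLI.
"""

# Constructed sample: one compliant instance, one that violates every check.
SAMPLE_INSTANCES = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaa", "Placement": {"Tenancy": "dedicated"},
             "BlockDeviceMappings": [{"Ebs": {"VolumeId": "vol-0001"}}]},
            {"InstanceId": "i-0bbb", "Placement": {"Tenancy": "default"},
             "BlockDeviceMappings": [{"Ebs": {"VolumeId": "vol-0002"}}]},
        ]}
    ]
}

SAMPLE_VOLUMES = {  # constructed, shaped like describe-volumes output
    "Volumes": [
        {"VolumeId": "vol-0001", "Encrypted": True},
        {"VolumeId": "vol-0002", "Encrypted": False},
    ]
}

SAMPLE_SNAPSHOTS = {  # constructed, shaped like describe-snapshots output
    "Snapshots": [
        {"SnapshotId": "snap-0001", "VolumeId": "vol-0001", "Encrypted": True},
    ]
}


def audit(instances, volumes, snapshots):
    """Return a list of (instance_id, finding) tuples, one per violation.

    Checks: tenancy must be 'dedicated'; every attached EBS volume must be
    encrypted; every attached volume must have at least one snapshot.
    """
    encrypted = {v["VolumeId"]: v.get("Encrypted", False) for v in volumes["Volumes"]}
    snapshotted = {s["VolumeId"] for s in snapshots["Snapshots"]}
    findings = []
    for reservation in instances["Reservations"]:
        for inst in reservation["Instances"]:
            iid = inst["InstanceId"]
            if inst.get("Placement", {}).get("Tenancy") != "dedicated":
                findings.append((iid, "tenancy is not dedicated"))
            for mapping in inst.get("BlockDeviceMappings", []):
                vol = mapping.get("Ebs", {}).get("VolumeId")
                if vol is None:  # instance-store device, nothing to check
                    continue
                # An unknown volume is treated as unencrypted (fail closed).
                if not encrypted.get(vol, False):
                    findings.append((iid, f"{vol} is not encrypted"))
                if vol not in snapshotted:
                    findings.append((iid, f"{vol} has no snapshot"))
    return findings


if __name__ == "__main__":
    for instance_id, finding in audit(SAMPLE_INSTANCES, SAMPLE_VOLUMES, SAMPLE_SNAPSHOTS):
        print(f"{instance_id}: {finding}")
```

Treating a volume that is missing from the volume listing as unencrypted is deliberate: an audit that passes on missing data is an audit that can be silenced by an incomplete inventory.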
An AWS spokesperson declined to comment on BAAs, pointing instead to the AWS compliance page.
With BAAs and partners' help, healthcare orgs embrace AWS
Two of G2's clients in the Boston area, prescription management startup ZappRX Inc. and genome sequencing firm Courtagen Life Sciences, Inc., have signed on to use AWS' Elastic Compute Cloud (EC2) under G2's BAA.
Asked if clients have any objections to ZappRX using AWS, CTO Matthew Graziano said Amazon has pushed hard to become more adept with HIPAA compliance, so it hasn't been an issue.
Certain other precautions are necessary when using AWS for HIPAA-regulated data. ZappRX, for example, also uses AES 256-bit encryption on all data it passes to Amazon. And Courtagen contracts with three other cloud partners -- Level 3 Communications LLC for an Ethernet Private Line (EPL) directly connected to EC2; ERP Software as a Service (SaaS) vendor NetSuite Inc.; and Security as a Service vendor CipherCloud Inc. -- to secure HIPAA-regulated data throughout its genome sequencing-and-analysis process.
Identifying information is removed from genome data, sent over the EPL, and processed using EC2. Results from this processing are sent to NetSuite via a CipherCloud gateway, which encrypts the data using tokens generated on Courtagen's premises, so NetSuite IT teams can't view any of the data in the databases they manage.
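The flow just described rests on two ideas: identifying fields are stripped before data leaves the premises, and what the SaaS provider stores are tokens whose mapping back to real values never leaves the customer's side. The Python below is an added example, not code from the article, CipherCloud, Courtagen or NetSuite; the field names, records and vault are constructed for illustration, and the AES encryption leg of the gateway is left out (the Python standard library has no AES).

```python
"""Toy tokenization vault modelled on the on-premises gateway pattern above.

Constructed example. Identifying fields are replaced with random tokens; the
vault holding the token-to-value mapping stays in this process (the
"on-premises" side), so a downstream party that stores the record sees only
tokens. Tokens are random rather than derived from the value, so they cannot
be reversed by guessing inputs, and the same value always maps to the same
token so downstream records can still be joined.
"""
import secrets

# Constructed field names standing in for the identifying part of a record.
IDENTIFYING_FIELDS = frozenset({"patient_name", "mrn", "dob"})


class TokenVault:
    """Maps (field, value) pairs to random tokens and back. Never exported."""

    def __init__(self):
        self._value_to_token = {}
        self._token_to_value = {}

    def tokenize(self, field, value):
        key = (field, value)
        if key not in self._value_to_token:
            token = f"tok_{secrets.token_hex(8)}"  # 64 bits of randomness
            self._value_to_token[key] = token
            self._token_to_value[token] = value
        return self._value_to_token[key]

    def detokenize(self, token):
        return self._token_to_value[token]


def deidentify(record, vault):
    """Return a copy of record with identifying fields replaced by tokens."""
    return {k: (vault.tokenize(k, v) if k in IDENTIFYING_FIELDS else v)
            for k, v in record.items()}


def reidentify(record, vault):
    """Reverse deidentify() using the local vault."""
    return {k: (vault.detokenize(v) if k in IDENTIFYING_FIELDS else v)
            for k, v in record.items()}


def leaks_identity(outgoing, original):
    """True if any identifying value from original survives in outgoing."""
    identifying_values = {str(original[k]) for k in IDENTIFYING_FIELDS if k in original}
    return any(str(v) in identifying_values for v in outgoing.values())


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample record: identifiers plus a non-identifying result.
    sample = {"patient_name": "A. Example", "mrn": "000123", "dob": "1970-01-01",
              "result": "variant panel complete"}
    outgoing = deidentify(sample, vault)
    print("sent downstream:", outgoing)
    print("restored locally:", reidentify(outgoing, vault))
```

The `leaks_identity` check is the kind of guard a gateway should run on every outbound payload: it catches a new identifying field that was added to the record shape but not to `IDENTIFYING_FIELDS`.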
Why go through all these machinations rather than keep HIPAA data in-house?
The costs and hassles associated with public cloud pale in comparison with owning and running a private data center, said Courtagen's president and co-founder Brendan McKernan.
"It's one of the biggest cost drivers in running a clinical genomics company -- management and use of big data," McKernan said. "We had to find a partner that would scale with the business, require very little capital investment on our side and have all of the proper security controls in place to protect patient data."
While AWS signing BAAs may encourage adoption of its HIPAA cloud by startups and emerging companies in the healthcare market, larger healthcare companies that already own data centers aren't convinced.
Three years ago, when AmerisourceBergen Corp. oncology software subsidiary IntrinsiQ LLC considered options for modernizing its application, AWS wasn't signing BAAs. Even if it were, the company would have stuck with a private cloud inside AmerisourceBergen's existing data center, according to IntrinsiQ's VP of technology, Steve Hamann.
"We know where our data center is, it's within our control, within our security, and that seemed to be a stronger story with our marketplace when we go out and try to sell to doctors," Hamann said.
"Not to say our own data center doesn't go down," Hamann added. "But the press is about the cloud vendors and how critical applications are impacted when they have an outage."