Guest post by Gilad Parann-Nissany, founder and CEO, Porticor Cloud Security.
Add to the list of known certainties: death, taxes, and the need to lower the cost of healthcare.
Neither the HIPAA standards nor encryption were created for the purpose of lowering the cost of healthcare, but neither was penicillin originally purposed as an antibiotic. Both are welcome side effects in the world of medicine.
Cloud Computing and Healthcare
Healthcare and medical companies are migrating to cloud computing in record numbers. The cloud offers flexibility and scalability to manage ever-growing databases of patient records. At the same time, it offers mobility to enable care providers to access patient information remotely and shareability to share data with colleagues, specialists, and labs. The cloud, perhaps most importantly, enables cost reduction on several levels.
- It eliminates the need for healthcare organizations to purchase, maintain, upgrade, and replace costly computing equipment, and the staff to run it.
- It avoids the cost of multiple providers running duplicate tests by enabling them to share and track results.
- It saves time and money by enabling paperless transmission of prescriptions and insurance claims. It also increases the accuracy of reimbursement coding.
Now, the HIPAA Omnibus Rule and the HITECH Act (passed as part of the American Recovery and Reinvestment Act, ARRA) push everyone in the healthcare industry toward electronic records, and in practice toward cloud computing. Essentially, starting in 2015, Medicare providers who have not adopted electronic medical and health records (EMR and EHR) face payment penalties.
The North American healthcare cloud computing market is expected to grow to nearly $6.5 billion by 2018. Healthcare Financial Management recently reported that the savings from EMRs/EHRs can amount to upwards of $37 million over a five-year period.
These are big numbers and big savings for healthcare.
HIPAA Standards and Encryption
The HIPAA Security Rule lists encryption of ePHI, at rest and in transit, as an "addressable" implementation specification: a covered entity must implement it wherever it is "reasonable and appropriate" to do so, and otherwise document why not and adopt an equivalent alternative. Especially in the cloud, where the disks and backups are not under your physical control, it is fair to say that it is always "reasonable and appropriate" to encrypt Protected Health Information.
What encryption of ePHI aims to prevent, essentially, is the exposure of patient data when a laptop, backup tape, or cloud disk falls into the wrong hands. It does not, by itself, stop an attacker who obtains the credentials or the keys of a legitimate user, which is why the key-management discussion below matters.
And it appears to be working.
A Ponemon Institute study recently found that healthcare data breaches declined in both number and size in 2013, which is great news, because data breaches cost healthcare organizations an estimated $5.6 billion annually.
To enable organizations to both protect ePHI and lower the overall cost of healthcare, the Secretary of Health and Human Services published guidance on "technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals." The guidance emphasizes that data encryption is not only a best practice for protecting privacy and security; it also provides a safe harbor from breach notification if encrypted data is lost. Two conditions apply in practice: the encryption must be consistent with the NIST guidance the HHS document cites (SP 800-111 for data at rest; SP 800-52, 800-77, or 800-113 for data in transit), and the decryption keys must be stored on a device or at a location separate from the data, since a breach that exposes both the ciphertext and its key is still a breach.
By using accepted HIPAA encryption techniques, companies can mitigate risks and reduce their exposure to costly data breaches, thereby reducing the cost of healthcare.
Encryption Key Management for HIPAA Compliance
In the cloud, security and privacy concerns multiply: the provider's administrators, its other tenants, and anyone who compromises the provider all sit closer to your data than they would in your own data center. Encryption is a critical component of a cloud security policy, but it is not sufficient on its own, because ciphertext is only as safe as its key. To fully protect ePHI in cloud computing scenarios, encryption keys must be managed in a way that is secure, automated, and constantly remains under the sole ownership and control of the covered entity or its business associate.
That is, encryption keys must never be stored alongside the encrypted data, nor be visible to (much less managed by) the cloud provider or another third party. The approach Porticor takes is split-key encryption with homomorphic key management: the key that protects the data is split between the customer and the key-management service, so that neither the cloud provider nor the service holds a complete, usable key, and the key is only ever recombined in memory at the moment it is used.
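To make the split-key idea concrete, here is an added example written for this page. It is not Porticor's code and does not use homomorphic techniques; it illustrates the simplest form of the principle with a 2-of-2 XOR split of a per-record AES-256-GCM data key. The `EncryptedRecord` layout, the record IDs, and the sample JSON are all constructed for the illustration. The cloud side stores the ciphertext and one share; the customer keeps the other share, and decryption with only the cloud-side material fails authentication rather than yielding garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// EncryptedRecord is everything the cloud provider gets to see: the GCM
// nonce, the ciphertext, and ONE share of the data key. The customer's
// share never leaves the covered entity. (Hypothetical layout for this
// example, not Porticor's format.)
type EncryptedRecord struct {
	Nonce        []byte
	Ciphertext   []byte
	ServiceShare []byte // share held by the key-management service
}

// xorBytes returns a XOR b; both shares must be the same length.
func xorBytes(a, b []byte) ([]byte, error) {
	if len(a) != len(b) {
		return nil, errors.New("share length mismatch")
	}
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out, nil
}

// SplitKey splits key into two XOR shares (2-of-2 secret sharing). Each
// share on its own is uniformly random and reveals nothing about key.
func SplitKey(key []byte) (customerShare, serviceShare []byte, err error) {
	customerShare = make([]byte, len(key))
	if _, err = io.ReadFull(rand.Reader, customerShare); err != nil {
		return nil, nil, err
	}
	serviceShare, err = xorBytes(key, customerShare)
	return customerShare, serviceShare, err
}

// CombineKey recovers the data key from both shares. Done only in memory,
// at the moment of use; the result is never written to storage.
func CombineKey(customerShare, serviceShare []byte) ([]byte, error) {
	return xorBytes(customerShare, serviceShare)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptRecord generates a fresh 256-bit data key, encrypts plaintext
// with AES-256-GCM (binding recordID as associated data so a ciphertext
// cannot be silently moved to another record), splits the key, and
// returns the storable record plus the customer's share.
func EncryptRecord(recordID string, plaintext []byte) (*EncryptedRecord, []byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, nil, err
	}
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, nil, err
	}
	ct := aead.Seal(nil, nonce, plaintext, []byte(recordID))
	customerShare, serviceShare, err := SplitKey(key)
	if err != nil {
		return nil, nil, err
	}
	for i := range key { // the full key existed only transiently in memory
		key[i] = 0
	}
	return &EncryptedRecord{Nonce: nonce, Ciphertext: ct, ServiceShare: serviceShare}, customerShare, nil
}

// DecryptRecord recombines the shares in memory, then authenticates and
// decrypts. A wrong or missing share, or a mismatched recordID, fails the
// GCM authentication check instead of returning corrupted plaintext.
func DecryptRecord(recordID string, rec *EncryptedRecord, customerShare []byte) ([]byte, error) {
	key, err := CombineKey(customerShare, rec.ServiceShare)
	if err != nil {
		return nil, err
	}
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, rec.Nonce, rec.Ciphertext, []byte(recordID))
}

func main() {
	// Constructed sample record; not real patient data.
	phi := []byte(`{"patient":"Jane Doe","mrn":"000001","dx":"J45.20"}`)
	rec, customerShare, err := EncryptRecord("record-42", phi)
	if err != nil {
		panic(err)
	}
	fmt.Println("cloud-visible ciphertext:", hex.EncodeToString(rec.Ciphertext))
	// An attacker with only the cloud-side data has the service share but
	// no customer share; trying with an all-zero share fails authentication.
	_, err = DecryptRecord("record-42", rec, make([]byte, 32))
	fmt.Println("decrypt with cloud-side material only:", err)
	pt, err := DecryptRecord("record-42", rec, customerShare)
	fmt.Println("decrypt with both shares:", string(pt), err)
}
```

The XOR split is deliberately the minimal construction: it shows why the provider holding one share (or the encrypted data plus one share) learns nothing, which is the property the safe-harbor guidance's "keys stored separately" condition depends on. A production system would additionally wrap the customer share in a hardware-backed or customer-controlled key store, rotate shares, and audit every recombination.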
Cloud Encryption and Cloud Key Management Lower Costs
By enabling healthcare organizations to securely enjoy the benefits of cloud computing, innovations like these reduce risk and mitigate the costs associated with expensive data breaches. By allowing covered entities to claim "safe harbor" when encrypted data is lost without its keys, they also remove the additional fines, penalties, and expensive bureaucracy that can accompany a breach in the cloud.