
Regulatory Compliance Assessments of Cloud Infrastructure for Healthcare


The term “Compliance Protocols” refers to a set of standard guidelines or framework rules (laid out by a national or international standards body) that a “Covered Entity” must follow. A “Covered Entity” is a set of companies that service the industry vertical (such as Healthcare, BFSI, etc.) for which the standard guidelines are laid out and that are generally required to adhere to these protocols. In the healthcare and life sciences industry, some of the common compliance protocols are HIPAA, HITRUST, GDPR, SOC2 and ISO.

The primary intent of these compliance protocols is to protect the Protected Health Information (PHI) of any individual from being disclosed to the outside world by the covered entities, either voluntarily or involuntarily. The covered entities that need to abide by these standards are healthcare providers, health plans, healthcare clearing houses and any business associate of healthcare providers, such as a cloud provider, IT contractor or email provider, that deals with PHI data.

Compliance protocol in Healthcare & Life sciences in India

In India, most of these protocols apply to hospitals, healthcare providers, and IT and cloud companies that deal with patients' protected health information data. Here again, the protected health information data could be that of a) a patient who is in India or b) a patient who is not in India, but whose record is processed/handled/stored by cloud/IT providers based out of India. Most of the protocols mentioned above are directed towards entities that deal with option b), although lately a lot of awareness has also come about in India regarding the protection of patient personally identifiable information (PII) (i.e., option a). This is primarily due to the post-Covid scenario.

So why is it important to follow compliance protocols, especially in the post-Covid world?

The primary reason why most of these compliance protocols were introduced in the first place in the western world was to help employees not lose their health insurance coverage due to a pre-existing condition, especially when they go to a new employer. Applying this to a post-Covid scenario, it is highly important that patients are not wrongly vilified and denied healthcare coverage because someone got Covid and their health records were breached to obtain that information. As we see, this scenario applies to all citizens, whether in India or abroad. So, the HIPAA rules normally say that unless it is for the patient’s treatment, payment or healthcare operations, the PII should not be disclosed.

We see that cloud companies (who normally are the business associates of healthcare, life sciences and pharma enterprises) handle patient and associated diagnosis/medicine data in order to store, process or analyze it. It is imperative that the employees of the associate cloud companies follow all the technical, physical and administrative guidelines that help to keep the PII data within the premises of the healthcare provider.

Technical, Physical and Administrative Controls:

  • Some of the typical technical controls needed to keep this data safe are authentication, access control, encryption/decryption, audit and activity logs, and auto-shutoff/logoff of virtual instances/data servers where PII data resides.
  • Physical guidelines mandate that appropriate policies are followed for the use of workstations/servers (especially those that are in the cloud), mobile devices and mobile applications, and for physical facility access to locations where PII data resides, including cloud locations.
  • Administrative controls normally range from risk assessments, risk management policies, contingency plans and training to restricted third-party access to prevent PHI record breaches.

What challenges do cloud companies that process enterprise life sciences data face in maintaining the above controls?

If we look at the above controls, it is evident that the compliance process should be organic and cannot be implemented as a one-off solution by cloud companies. Since many critical aspects like awareness, risk, governance, technology, administration and physical security are involved, it is imperative that cloud integrators deploy a comprehensive team tasked with executing a set of parallel controls that mitigate the problems in each of these disciplines. This should be followed up by strictly requiring the cloud integrator's employees to follow these controls to protect the PII data. Significantly,

  • Data states like data at rest (temporary storage, permanent storage, cache, etc.) and
  • data in transit (data in temp DBs, data in different cloud regions, data transferred between on-premises and cloud, etc.) should be carefully handled from a technical and policy perspective.
  • Also, appropriate risk management protocols and strong encryption/decryption methodologies should be followed diligently as part of the continuous integration and continuous deployment (CI/CD) DevOps/SecOps processes.

Where does India stand in implementing such stringent compliance protocol standards?

Although Covid has brought significant awareness of the critical handling of PII data, there is still a long way to go to make the process automatic and secure, especially from a policy and procedures perspective. The reason is the vast number of domain areas that need to be addressed, monitored and maintained (on a day-to-day basis) in order to become compliant with most of these protocols.

Some of these domain areas are: Endpoint Protection, Healthcare Data Protection & Privacy, Wireless Protection, Information Protection, Access Control, Transmission Protection, Network Protection, Third Party Security, Vulnerability Management, Portable Media Security, Risk Management, Mobile Device Security, Audit Logging & Monitoring, Physical & Environmental Security, Configuration Management, Password Management, Incident Management, Business Continuity Management & Disaster Recovery, and Education/Training Awareness.

Even though most of the above domains are addressed by most of the protocols, there could be variations in control implementations for each compliance protocol. Hence organizations need separate protocol teams to keep track of each compliance protocol and ensure adherence to it. Due to the above complexities, there is a lot of room for improvement for any cloud provider and integrator in India, especially when we read a statistic that patient records are the most vulnerable to being hacked.

Gartner had predicted that “By 2020, the backup and archiving of personal data will represent the largest area of privacy risk for 70% of organizations, up from 10% in 2018”. Hence the criticality of PII data and of adherence to the corresponding compliance protocols cannot be emphasized enough. If the correct set of policies, technology and administration is applied, very good results can be achieved in PII compliance parameters like privacy, confidentiality, security, availability and processing integrity. Annual internal and ISO audits by the cloud companies will further strengthen the process of continuous compliance with these protocols.

(The author is CTO, SecureKloud Technologies Limited, and the views expressed in this article are his own.)
