Security in the Cloud: The Key to HIPAA Hosting Done Right

Updated on January 21, 2022
Adam Stern

It’s now part of the conventional wisdom that cloud computing has altered the IT delivery model.  The steady embrace of the cloud among healthcare providers large and small does not, however, mean that organizations can or should let their guard down on matters of security and data protection.  While cloud server hosting provides compelling benefits, security is an essential part of any discussion of cloud adoption, especially in a HIPAA-compliant world.  Mitigating security risks is imperative to creating a comfort level among those in the healthcare field, to transition applications and data to the cloud.

Applications, systems and data all have different security thresholds.  Even in a highly regulated industry like healthcare, Infrastructure-as-a-Service (IaaS) can be the architecture of choice.  With IaaS, web, mobile and social can be moved to a virtual server with an increasingly high degree of confidence.  When deciding whether an application, product or service belongs in a cloud server, healthcare CIOs must consider:

  • Type of data or application
  • Service-level agreement
  • Security environment

The decision to move to the cloud, especially the public cloud, should depend on the sensitivity of the data and the level of security offered by the cloud provider.  With healthcare organizations, of course, security and privacy aren’t simply check-off items; they’re federal mandates. 

Still, cloud hosting and Infrastructure-as-a-Service aren’t commodities.  While the federal Office of Civil Rights established a comprehensive HIPAA audit protocol that specifies requirements to be assessed through these performance audits, the quality of implementation – and, by extension, the quality of the provider — matters.  The HIPAA audit protocol is organized around modules representing separate elements of privacy, security, and breach notification.  The combination of these multiple requirements may vary based on the type of covered entity selected for review.

With an eye toward unfailing HIPAA compliance, cloud service providers (CSPs) place enormous  emphasis on security protections, with technologies like clustered firewalls and IDPS (intrusion detection and prevention systems).  In the cloud’s infancy, CSPs touted scalability, initial cost savings and speed.  But the prospect of enhanced security in the cloud – indeed, that the better cloud deployments now mean that data is safer in the cloud than on a typical unsecured desktop – has altered the conversation.  Healthcare organizations assessing cloud service providers can now seek out CSPs whose security controls more than mitigate  any risk of moving to the cloud. 

When considering a move to virtual server hosting, hospitals and others in the healthcare space need to audit a CSP’s security controls.  The better CSPs rely on the American Insti­tute of Certified Public Accountants’ Service Organization Control process (SOC), the organization’s certification of controls with verification for cloud environments. Some of the larger cloud service providers now publish SOC reports on their security controls.  Mandates from CIOs and CISOs may be required before SOC reports are published by all cloud providers.

Now more than ever, HIPAA-compliant cloud service providers are realizing that managing privacy and security is fundamental to facilitating cloud adoption.  Those cloud providers concerned about safeguarding their clients’ data and applications are taking steps to mitigate those risks with tight security controls and transparency regarding those controls.

Adam Stern is founder and CEO of Infinitely Virtual ( – @iv_cloudhosting) in Los Angeles.