We're ready to help

Our cloud experts can answer your questions and provide a free assessment.

Schedule
a meeting
close

Why HIPAA Compliant Data Storage Belongs in the Cloud

  • 3
  •  0

The vast majority of healthcare organizations are migrating some IT infrastructure to the cloud in 2015. Unfortunately, the risk of bungling the transition has never been greater: A new round of HIPAA audits are on their way, the healthcare market is more fiercely competitive than ever, and IT departments are feeling pressure to capture smarter business intelligence data.

Data storage and backup across multiple datacenters is often one of the costliest HIPAA requirements to meet. Traditional data storage infrastructure is usually inflexible, requiring months of lead-time to increase store capacity or respond to a new line of business.

A Hybrid Cloud solution allows healthcare organizations to maintain certain infrastructure in on-premises datacenters and still take advantage of the scalability of the cloud. At Logicworks, we believe data storage and backup should be among the first considerations for migration to the cloud.

The State of the Healthcare Cloud

This year, the vast majority of healthcare companies feel their data is secure in the cloud and plan to migrate more applications in the future. Forty-six percent (46%) of healthcare respondents in one survey said cloud solutions allow their organizations to better allocate IT resources, and thirty-nine percent (39%) said cloud solutions save their organizations money.

The migration of a few applications to an IaaS cloud provider like Amazon Web Services is often the first step in a larger plan to improve resilience, availability, and cost-effectiveness in the public cloud. In reality, there are a limited number of legacy storage systems that have no replacement in AWS. The networking and encryption policies for your existing HIPAA compliant infrastructure can be implemented on AWS.

In other words, whether you move one application or all applications to the cloud is not usually dependent on the limitations of AWS or security concerns. Unless you are using infrastructure like Oracle RAC (shared storage), there is usually no technological reason why an organization would need a Hybrid Cloud solution rather than a pure AWS deployment. But it is often simpler business-wise – for staffing concerns, or to maintain infrastructure that has already seen significant capital investment – to migrate applications over time.

The Limitations of Traditional Storage

In traditional environments, storage is expensive, frequently difficult to maintain, and slow to scale up or down.

Long-term storage on tapes is especially delicate and requires time-consuming and expensive partitioning. A bad lot of hard drives can hold up a storage build-out for weeks. If no automatic storage versioning is in place, you pay top prices for data that should be in cold storage, simply because there are not enough staff resources to migrate the data regularly.

On top of this, it can take six months to substantially increase your store capacity. For many healthcare organizations, and especially for SaaS companies in competitive markets, this is an impossible time frame. It also takes IT’s attention away from upgrades, new lines of business, and innovative system management.

With that said, IT departments that are confident they can pass an audit on their traditional infrastructure may be hesitant to move critical infrastructure to the cloud. There are also perfectly sound reasons to maintain physical, on-premises or private cloud replication in dedicated environments. This is why the vast majority of healthcare organizations will maintain a Hybrid environment.

The Possibilities of AWS

In AWS, you can achieve a high degree of scalability in S3 or mounted EBS volumes on dedicated EC2 instances. S3 is an object storage system. You create objects and associate keys with them rather than storing objects in file systems. EBS is more of a traditional file system, organized into volumes and treated like a local disk drive. In both, you usually retrieve data by command line operations or API calls.

Store capacity in S3 and EBS volumes is provisioned instantly and you pay for what you use. This is the real game-changer for companies that are required to maintain and secure large amounts of data. For significantly lower costs, you can store hundreds of terabytes of data and automate migration to Glacier, Amazon’s cold storage resource. You can even automatically transition data from on-premises infrastructure to S3 or Glacier through Storage Gateway. However, Storage Gateway is not explicitly covered under Amazon’s BAA. You can also replicate tape storage and versioning to Glacier; Gateway-Virtual Tape Library (Gateway-VTL) exposes an iSCSI interface for on-line access to the virtual tapes.

Amazon has always been on the leading edge of compliant storage solutions in the cloud. S3 and EBS are covered by their BAA, meaning that Amazon is responsible for the physical security of the storage infrastructure. If a hard drive goes down, you are never going to be affected – or even know about it. This can seem like a lack of control, but engineers at Logicworks believe this actually gives us the power to manage our infrastructure rather than having the infrastructure manage us. Instead of maintaining the physical infrastructure, engineers focus on automating and optimizing build-outs – the foundational activities in a DevOps framework.

While Amazon is responsible for the security of the physical infrastructure, you are responsible for the security of the data you host there. Just as in a traditional environment, you encrypt the data at rest and in transit. For data at rest, use S3 with Server-Side Encryption, one of the strongest block ciphers available (256-bit Advanced Encryption Standard). This is the level of encryption required for companies that have to meet strict government regulations. Identity Access Management (IAM) roles govern exactly how that S3 bucket can be accessed. If you choose EBS volumes mounted on dedicated EC2 instances, you would need to encrypt data before storage. Whenever data moves between S3, EBS, and Glacier, the data stays encrypted.

Unfortunately, if you want failover across regions, snapshots will not translate across regions and Amazon’s multi-region database solution, RDS, is not HIPAA-compliant. To get around this, you set up VPN tunnels between the databases and set up a dedicated database node in your datacenter to sync the data, enabling full system restores within hours. The other, more cost-effective solution is to schedule this sync with Auto Scaling groups. Auto Scaling groups are not just for hardware failure or high traffic; you can schedule your instances to come up on a certain off-peak night so that prod can run an Rsync job, sync your data, and the instance can spin back down. This way, you do not have to pay for the separate syncing database all the time.

The speed and simplicity of disaster recovery solutions is therefore a major benefit of a Hybrid Cloud solution. Data is not only replicated once across multiple datacenters, as HIPAA requires, but it can be replicated across multiple regions, a private cloud, and dedicated infrastructure more seamlessly.

As the list of healthcare clients on AWS grows, we are seeing that it is not only possible to store data securely in AWS, it can be configured to be more secure and resilient. If you are choosing which applications to move to the cloud, migrate your data storage infrastructure to AWS.

HITRUST-on-the-Cloud-eBook