PCI responsibilities of the cloud provider include firewalls, intrusion detection, disaster recovery, physical controls, and appropriate segmentation of staff duties, Day noted. Servers handling PCI data should be in a separate room with solid walls and a monitored door, rather than being placed in the main floor of the datacenter with the other servers, he indicated.
However, the customer-side application has its own requirements, including storing identifying card information no longer than is necessary to process the transaction. "But if you do those things and you are on [Terremark's] baseline, you're going to get to compliance in a relatively straightforward manner," Day said.
"We can certify that the memory is cleared out," said Bryce at Mosso. "But the specification also says that the place where the data is stored can only be accessed by you, and servers that you control are locked down." But in the cloud environment, servers may be shared by multiple clients, and even if they are not, there remains the question of whether the client or the cloud vendor controls them, he noted. "It's a gray area," Bryce said.
"HIPAA is a big monster, with a lot of facets," noted Day at Terremark. "I have to be able to warrant to customers that they are in a HIPAA-compliant environment, that the environment is suitably secure both physically and logically, that the data is protected, and that we have controls in place to keep people from walking in and picking up a hard drive containing patient data.
"But customers still have an obligation to encrypt the data and ensure that the data is handled properly," Day added.
Day noted that encryption is not absolutely required under HIPAA, but if there is no encryption, then there must be other mitigating controls such as physical security to prevent unauthorized access. Personal data sent over public networks must be encrypted, however. It is also necessary to log access and validate who has access, and do periodic reviews to make sure that those people who do have access have a good reason to be viewing the data, Day noted.
"The biggest violations result from people getting sloppy as to who can access patient records," he noted.
Paul Horvath, chief technology officer at TC3 Health LLC in Costa Mesa, Calif., said he was able to put together a HIPAA-compliant cloud application that looks for fraud and billing errors in backlogs of health care insurance payment claims. He said he chose to use Amazon's cloud service to avoid investing in the amount of hardware it would take to analyze 20 million claims at a time. But to ensure HIPAA compliance, he strips out all "protected health care information" before uploading the data, so that only transaction data reaches the cloud.
"But we also encrypt the data, and we would have been compliant just from doing that," he said. Horvath said that he saved $500,000 over the cost of acquiring the necessary hardware, licenses, power, and cooling, by using the cloud.
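The minimization step Horvath describes (only transaction data reaches the cloud) is worth seeing concretely. The following is an added example, not TC3 Health's or Amazon's code: it de-identifies constructed claim records before upload by copying only an allow-list of billing fields, replacing the patient identifier with a keyed HMAC token so repeat claims for the same patient can still be matched, and shifting service dates by a per-patient offset so intervals survive but exact dates do not. The key, field names and sample claims are assumptions; the HMAC tokens and date shifting are techniques added here, not something the article attributes to Horvath, and whether the retained fields meet HIPAA's de-identification standard is a determination the example does not make. The encryption Horvath also applies before upload is a separate step not shown.

```python
"""De-identify claim records before they leave the premises (added example)."""
import hashlib
import hmac
import json
import re
from datetime import date, timedelta

# Hypothetical on-premises secret. In practice it lives in an HSM or KMS and is
# never uploaded; without it the cloud side cannot reverse or brute-force tokens.
PSEUDONYM_KEY = b"on-prem-secret-key-never-uploaded"

# Allow-list of fields that may leave the premises. Anything not named here is
# dropped, so a new PHI column added upstream cannot leak by default.
COPY_FIELDS = ("claim_id", "provider_id", "procedure_code", "billed_amount", "paid_amount")
OUTPUT_FIELDS = frozenset(COPY_FIELDS) | {"patient_token", "service_date"}

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def _mac(label: str, value: str, key: bytes = PSEUDONYM_KEY) -> bytes:
    """Domain-separated HMAC so id tokens and date offsets never collide."""
    return hmac.new(key, f"{label}:{value}".encode(), hashlib.sha256).digest()


def pseudonymize(patient_id: str) -> str:
    """Keyed token: stable across batches so repeat claims for one patient still
    match, but meaningless to anyone who does not hold PSEUDONYM_KEY."""
    return _mac("id", patient_id).hex()[:32]


def shift_date(patient_id: str, iso_date: str) -> str:
    """Shift a date by a per-patient offset (0-364 days) derived from the key.
    Intervals within one patient are preserved; the real dates are not exposed."""
    offset = int.from_bytes(_mac("shift", patient_id)[:2], "big") % 365
    return (date.fromisoformat(iso_date) + timedelta(days=offset)).isoformat()


def days_between(iso_a: str, iso_b: str) -> int:
    return (date.fromisoformat(iso_b) - date.fromisoformat(iso_a)).days


def check_clean(record: dict) -> None:
    """Last line of defence before upload: only allow-listed keys, no SSN-shaped strings."""
    extra = set(record) - OUTPUT_FIELDS
    if extra:
        raise ValueError(f"non-allow-listed fields in output: {sorted(extra)}")
    if SSN_RE.search(json.dumps(record)):
        raise ValueError("SSN-shaped value in output")


def is_clean(record: dict) -> bool:
    try:
        check_clean(record)
        return True
    except ValueError:
        return False


def strip_phi(claim: dict) -> dict:
    """Build the upload record from the allow-list only; PHI fields are never copied."""
    out = {k: claim[k] for k in COPY_FIELDS}
    out["patient_token"] = pseudonymize(claim["patient_id"])
    out["service_date"] = shift_date(claim["patient_id"], claim["service_date"])
    check_clean(out)
    return out


def deidentify_batch(claims: list) -> list:
    return [strip_phi(c) for c in claims]


def find_duplicate_claims(records: list) -> list:
    """Same patient token, provider, procedure and (shifted) service date billed
    more than once: the kind of duplicate a cloud-side fraud job looks for."""
    seen, dupes = {}, []
    for r in records:
        key = (r["patient_token"], r["provider_id"], r["procedure_code"], r["service_date"])
        if key in seen:
            dupes.append((seen[key], r["claim_id"]))
        else:
            seen[key] = r["claim_id"]
    return dupes


# Constructed sample input; names, SSNs and addresses are fictitious.
SAMPLE_CLAIMS = [
    {"claim_id": "C1001", "patient_id": "P-4471", "patient_name": "Jane Doe", "dob": "1961-04-12",
     "ssn": "123-45-6789", "address": "12 Elm St", "provider_id": "NPI-1234567890",
     "procedure_code": "99213", "service_date": "2008-11-03", "billed_amount": 185.0, "paid_amount": 120.5},
    {"claim_id": "C1002", "patient_id": "P-4471", "patient_name": "Jane Doe", "dob": "1961-04-12",
     "ssn": "123-45-6789", "address": "12 Elm St", "provider_id": "NPI-1234567890",
     "procedure_code": "99213", "service_date": "2008-11-03", "billed_amount": 185.0, "paid_amount": 120.5},
    {"claim_id": "C1003", "patient_id": "P-9020", "patient_name": "John Roe", "dob": "1975-08-30",
     "ssn": "987-65-4321", "address": "9 Oak Ave", "provider_id": "NPI-1234567890",
     "procedure_code": "99214", "service_date": "2008-11-05", "billed_amount": 240.0, "paid_amount": 160.0},
    {"claim_id": "C1004", "patient_id": "P-4471", "patient_name": "Jane Doe", "dob": "1961-04-12",
     "ssn": "123-45-6789", "address": "12 Elm St", "provider_id": "NPI-1234567890",
     "procedure_code": "99213", "service_date": "2008-12-01", "billed_amount": 185.0, "paid_amount": 120.5},
]

if __name__ == "__main__":
    clean = deidentify_batch(SAMPLE_CLAIMS)
    print(json.dumps(clean, indent=1))
    print("duplicate claims:", find_duplicate_claims(clean))
```

The allow-list is the important design choice: a deny-list of known PHI columns fails silently the day a new identifying field is added upstream, whereas an allow-list fails closed. `check_clean` is a cheap second check that catches a PHI value smuggled into an allowed field.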
A huge piece of work
Whatever regulatory environment is targeted, cloud-based compliance is nearly always a nontrivial task.