This week on the HIPAA Vault Show, we discuss choosing the right storage for your medical data. With patient privacy and data security at stake, healthcare professionals must make informed decisions to ensure the utmost care and protection of sensitive information. With more and more healthcare records being stored digitally than ever before, questions often arise as to the most secure and convenient ways to manage this. Today we are going to explore some of the cloud storage tools available and compare options for medical data storage.
Want to learn more? Check out our blog on HIPAA-compliant cloud storage
Transcript:
Adam
Hello, and welcome to the HIPAA Vault Show, where we discuss all things HIPAA compliant and the cloud. My name is Adam Zeineddine, and I’m joined today by CTO and founder of HIPAA Vault, Gil Vidals. Hey, Gil!
Gil
Hey, I’m looking forward to today’s episode.
Adam
Yeah, me too. So last week we talked about Zoom and whether it’s HIPAA compliant. This week, we’re going to talk about choosing the right storage for medical data. With patient privacy and data security at stake, healthcare professionals must make informed decisions to ensure the utmost care and protection of sensitive information. With more and more healthcare records being stored digitally than ever before, questions often arise as to the most secure and convenient ways to manage this. So today we’re going to explore some of the cloud storage tools available and compare options for medical storage. Gil, I thought the best way, probably to structure this is to talk a little bit about, well, to approach the topic from the aspect of, well, who is going to be accessing the storage and what are the storage needs. So perhaps we could talk about personal users that are accessing the storage versus software and applications that need to access storage. Does that sound like a good way to frame it?
Gil
Yeah, I think that’s a good way to categorize it, because you do have users who personally want to sign in and have a file. And then on the other hand, you have web applications that handle the patient information. So I think that’s a good way to split that.
Adam
Okay, great. So when it comes to user storage, we could define that a little bit. I have a personal email account, and I, for example, personally use Google Workspace as a user. I might have PDF files, and videos that I want to be able to store and access readily from wherever I’m browsing or looking to get the content from. And so I would use Google Drive as a user. The good thing about Google, and maybe, Gil, you could talk to us a little bit more, is that it does provide a Business Associate Agreement, which is needed for HIPAA. Is that right?
Gil
Yeah, that’s right. With Google, you can go online, they have a process you go through, and you can get a Google Sign Business Associate Agreement, which is necessary if you’re going to be handling storage in Google, they call it Google Workspace. It used to be called Google G Suite. So some of you may know it by G Suite, but the new name is Workspace. And, yeah, you need to have that BAA.
Adam
Right? And, yeah, the advantage, at least from personal experience that I’ve seen to Google Workspace and Google Drive is that it’s all synced in one platform. So if you’ve got your Gmail account, it’s linked to your Google Drive as well as other applications like Google Docs and Sheets. So it’s all in one place, single sign-on. It’s really convenient. But there are also other providers out there like Microsoft that have OneDrive that’s linked to Outlook. You can also go for storage-specific solutions like Dropbox. They’ll also sign a BAA. Gil other than the BAA, I believe there are some parameters that also need to be considered for HIPAA compliance when it comes to the storage. Could you talk a little bit about that?
Gil
Yeah, we want to talk a little bit about Google Storage in Workspace. Again, when we say Workspace, we’re talking about individuals that can log in from their desktop and you can add files, delete them and so on. So you could, if you’re a medical practitioner, you may have a file, an image, something that has personally identifiable information or patient information. And to have end-to-end encryption in Google Workspace, it does require a module that Google recommends. They have a third-party partner called Virtue, and that module must be enabled and you have to pay for it. And unfortunately, it’s not inexpensive, but they do provide this module that once you enable it, then what it’s doing is it’s guaranteeing that you have end-to-end encryption available so that you know that no matter where your data is, it’s going to be encrypted.
Adam
Yeah. And at this point, I guess it’s important to note that you can check us out at HIPAAVault.com if you’re struggling to set up Google Workspace or Microsoft 365 in a HIPAA-compliant way. We do have experienced professionals that can help you with that. So check us out there at HIPAAVault.com. Okay, so moving on to application storage, there are a couple of notes I have here touched on, which are cloud buckets and then also disks and drives. Gil, could you break that down a little bit when it comes to applications, what one of the viewers might be looking to choose when it comes to application-specific storage?
Gil
Sure. So the applications give a realistic example that we can visualize. If you have a web application, say you have a medical app that allows the patients to log in on their mobile phone or on their desktop computer, and so that data that they’re inputting through the mobile phone or their desktop laptop is going to end up on a website. And so that website, that web server, to be more specific, has a disk drive. That’s where the data is actually residing. And there are different kinds of drives. You have different kinds of storage, some fast, some slow, some hot source, some cold storage. So there’s all sorts of flavors, and it can be a little bit intimidating because it used to be you just had a disk and that was the end of it. There was no other option. Now you have all these flavors of disks and speed and performance.
At the end of the day, though, at the end of the day, at least in the Google Cloud, we can be reassured that all of that data is encrypted. And the way you know that for sure is that when you’re creating the disk in the Google Cloud, it has the option that’s visible that says this is encrypted. And that means that when you power off sorry, the virtual machine, it’s going to be encrypted at rest. So that’s important to have that. Then there’s also atom, a different kind of storage, which is important. Those are called buckets. So these cloud buckets allow you to do long-term storage. So let’s say you have archives of your medical records and you want to keep them in there. You’re obligated to keep them for at least, say, seven years. In some states, it might be longer. What’s really neat about the buckets, besides them being encrypted, besides them being safe to access and you need credentials and two-factor authentication, you can set up a policy.
The policy can say something like, keep this data for seven years or keep it for four years, or whatever you want to set it to. And then what happens is any data that ages past that threshold will get deleted automatically. You don’t have to remember one day and go, oh my gosh, I have to put in my calendar, I have to go back in the future and remember to delete that. You don’t have to remember anything. You just set the policy. Once the policy is there, you dump all the medical data you want in there. And as time goes by, that policy will make sure that older data that passes the threshold will be deleted. And that way you’ll be compliant. And you also don’t want to be hanging on to data that you shouldn’t have. Right. Once the period of time is over, you don’t want to just be having that data hanging around because that’s a liability to you. Right. You don’t want to have it there unless you have to.
Adam
And is there a compromise being made there? Is it cost versus speed? Or how do cloud buckets play in here as an option?
Gil
Right, I’m glad you asked that. That’s a good thing to clarify. So buckets are not known for speed. They’re not slow, but they’re not going to be the storage that you want for your web application, that you want to be very snappy and very responsive. For that, you want to have something like an SSD or a persistent disk. So you don’t want to use the bucket. A bucket is mainly for archival purposes and you want to use buckets, by the way, a lot of times are used when you have a massive amount of data, you have not just a few gigabytes, but you have tens of thousands of gigabytes, which is called terabytes. You have terabytes of data. You’re going to want to put it in a bucket.
Adam
Yeah. And I think probably important to caveat that with when we talk about speed, cloud buckets can still be pretty snappy, right? But it’s really for the user. You’re talking about the difference between something loading instantly and it taking 5 seconds to load, maybe. Would that be about right?
Gil
Yeah, I would say that depending on.
Adam
The file size, obviously.
Gil
Yeah, I think that’s close to being accurate. However, let’s say you have a site or a web app that has a lot of traffic. You wouldn’t want to use a bucket because imagine all those visitors trying to access the files and each one takes three or four or 5 seconds and then it gets queued up. So yeah, it might take three or 4 seconds for the first guy, but for the second guy, he has to wait for the first guy to consume the file and the next guy. So it wouldn’t be good for that. And I also wanted to mention the cost of the buckets. The cost is really super cheap because again, it’s meant for archival purposes. So I think that’s an important point. SSDs, I mentioned that a second ago, SSDs are perfect for hosting databases. Normally you want the databases to be really super fast, in fact, probably faster than the web pages themselves.
And I’m blurring the lines a little bit there, Adam, because web pages do come from databases. In the old days, you have a web page sitting on a disk drive on a website. But now most of the content that is delivered through a web page or through a website is coming from the database, through the web server, and onto the end user. So the database you want to be very fast and that’s why SSDs are good for that. Adam, I just want to mention one more thing that I think is important. We mentioned that module that encrypts end to end for the workspace. Some of our viewers may be wondering, well, what about Google Web applications? Do you also need a virtual module for that? The answer is no because Google has divided its world into two areas. One is a workspace which is meant for end users to log in and write documents, personal documents, or business documents.
Whereas Google Cloud is meant for business transactions, it’s meant for building applications. So they’ve made that environment called Google Cloud Platform GCP. They’ve made that HIPAA compliant. You don’t need to buy another license or do anything extra for the environment. You don’t need an extra license is what I mean.
Adam
Yeah, no, that’s a really important point when it comes to overall considerations for the viewers and listeners. How should they approach this in terms of because often I think we raise as many questions as we answer? So what would be the next step for them in terms of finding the right storage solution for them?
Gil
Well, again, the way you set this podcast up I think is perfect. Adam so if you are a medical practitioner or you’re a web app developer and you have a need to store some documents yourself, google docs, spreadsheets, keep notes, all sorts of things that Google offers. You want to use this virtual module and pretty much have someone else set it up for you. It’s going to be a hassle. If you’re trying to learn it all yourself, you’re a medical professional. You don’t have time to be messing around with that. So better to reach out if you’re going to be a web app developer or if you’re a business owner. We have a lot of medical practitioners that own their own applications. They have their own development team. In that case, you want that team to access the Google Cloud platform. Or what we do for our customers is we work with these scenarios.
We’re the ones in charge of making sure that on the Google Cloud side, everything is set up properly and maintained HIPAA compliance. So there is work involved in doing it and maintaining it. Setting something up is one thing, but maintaining it secure is just another matter altogether. So I would say make sure you have a HIPAA-compliant provider that can assist you along the journey.
Adam
Yeah, absolutely. And to the listeners and viewers, if you have any questions, you can email us at podcast@hipaavault.com. Now you can tweet us at @HIPAAhosting. So today we’ve covered the various storage options for medical data, including Google Workspace, Google Drive, OneDrive Dropbox, as well as the options for application storage like Cloud Buckets offered by Google Cloud, as well as AWS. We also explored the differences between SSDs and HDDs that can be utilized for primary and secondary storage. But ultimately, it’s essential to consider compliance, security, scalability, speed, and cost when making the right storage choice for your medical data.