Matthew Dublin is a senior writer at Genome Technology.
Well, it looks like the argument that it's doubtful the cloud can ever be used to host patient data securely is becoming increasingly moot — or at least harder to make.
GenomeQuest announced this week the rollout of a Health Insurance Portability and Accountability Act-certified "genomic decision support system" in the cloud, referred to as the GQ-Dx platform.
GQ-Dx is basically an IT-support system that allows labs to create diagnostic reports from next-generation sequencing data.
Just to review, HIPAA compliance means that medical data — genomic or otherwise — must be stored, transmitted, and accessed according to a strict set of security or privacy protection standards. The certification steps entail specific training for IT personnel, audits by HIPAA inspectors, as well as required reporting and guarantees to ensure that data is kept safe at all times.
HIPAA also requires that patient data never leave the US and that the physical security housing the hosting hardware is adequate.
The concern with the cloud and patient data has centered on whether or not there can ever be a simple and effective way of ensuring that every identifiable piece of patient data will never be exposed as it is being moved and stored on either a private cloud or a large public cloud hosting service, such as Amazon's EC2.
As is often the case in cloud computing, the GenomeQuest announcement is a bit ephemeral — there's no explanation of where the physical location of the hosting will be and how exactly they plan on securing genomic data at the networking and hosting levels.
The Centers for Disease Control and Prevention has made some progress in this area using Amazon's AWS GovCloud to create a secure, HIPAA-compliant cloud for hosting a national repository of syndromic surveillance data. The CDC has also built HIPAA-compliant gateways, including data exchanges with Beth Israel Deaconess and the Boston Public Health Commission for the transfer of data to the CDC cloud.
There are other hosting services that have claimed HIPAA compliance in the last year, including Firehost, Symform, Logicworks, and ClearDATA, so it looks like cloud service providers are tackling the challenge of HIPAA compliance head-on.