International Research Journal of Engineering and Technology (IRJET)
e-ISSN: 2395-0056
Volume: 12 Issue: 11 | Nov 2025
p-ISSN: 2395-0072
www.irjet.net
A Framework for Protecting PHI and PCI Data in Cloud Healthcare Systems
Prakash Velusamy, Principal Software Development Engineer, CVS Health, Arizona, USA
Abstract - As more healthcare systems have started leveraging cloud services, securing Protected Health Information (PHI) and Payment Card Industry (PCI) data has become critical. This paper evaluates more than 15 healthcare studies that emphasize the protection of PHI and PCI data and finds that, although many solutions address specific issues such as encryption and access control, significant gaps remain: no comprehensive framework exists, and healthcare research gives too little attention to PCI data. In addition, complying with the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS) is hard when data crosses multiple domains. This article therefore offers a comprehensive framework that combines protections for PHI and PCI with existing standards such as the HIPAA Security Rule and PCI DSS. The proposed framework includes steps for data classification and continuous monitoring that are specific to cloud healthcare. By addressing the identified vulnerabilities, it offers a unified strategy for protecting the confidentiality and availability of PHI and PCI data in cloud-based healthcare settings.

Key Words: Healthcare systems, Protected Health Information, Payment Card Industry, HIPAA Security Rule, Cloud Security

1. INTRODUCTION
While cloud adoption offers unprecedented flexibility and cost savings for healthcare, enabling services such as telehealth and advanced analytics, it also introduces significant and complex security, privacy and regulatory challenges [1]. When billing patients, for example, a healthcare system must protect PHI under HIPAA and payment card data under PCI DSS. The HIPAA Security Rule requires covered entities and business associates to implement specific administrative, physical and technical safeguards to ensure the confidentiality, integrity and availability of all electronic PHI [2]. PCI DSS, in turn, lists 12 high-level requirements, ranging from network security controls such as firewalls to logging and monitoring, for protecting environments that store, process or transmit payment account data [3]. Because the two regimes overlap but are not identical, cloud healthcare providers often must satisfy both.

2. Methodology
This paper carried out a literature review of studies, mainly journal articles, on cloud security in healthcare, focusing on the protection of PHI and PCI data. Multiple databases were searched, including PubMed, IEEE Xplore, the ACM Digital Library and Google Scholar (2015–2025), using the search terms "cloud computing," "healthcare," "PHI," "HIPAA," "PCI DSS," "data security," and "framework." After screening titles and abstracts, more than 15 relevant works were selected. These works either discuss how to protect PHI or payment data in cloud-based health systems or examine compliance requirements (HIPAA, PCI DSS) in this context.

The current body of literature provides many isolated solutions and frameworks for healthcare cloud security. For example, encryption and access control are widely recommended, and cloud platforms commonly support role-based access control (RBAC) and multi-factor authentication (MFA) for restricting access to PHI [4]. Rodrigues et al. found that cloud-based Electronic Health Record (EHR) systems must use strong encryption and detailed access logging to maintain data confidentiality. Similarly, Al-Issa et al. confirm that contemporary methods typically tackle only specific subsets of the problem and call for a comprehensive security solution that addresses all requirements [1]. Shojaei et al. note that healthcare organizations remain hesitant to use cloud services because they still have difficulty complying with HIPAA and have little control over data transferred to third parties [4]. These surveys show the need for a cohesive framework aimed at safeguarding PHI and PCI data within cloud healthcare environments.

This paper outlines a detailed framework for protecting PHI and PCI data in cloud healthcare systems. To identify the most common security methods and vulnerabilities, a comparative review of recent studies was carried out. The "Key Findings and Gaps" section summarizes these findings and highlights the critical gaps in current approaches. The Proposed Framework section presents a comprehensive security framework that integrates best practices from HIPAA, PCI DSS and cloud security standards to address the gaps identified in the analysis. This pervasive fragmentation, together with the scarcity of research on the intersection of PHI and PCI compliance, demonstrates an urgent need for a unified, comprehensive security framework.
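The controls the surveyed literature keeps returning to (field-level data classification, deny-by-default RBAC, MFA gating of regulated data, and detailed access logging) can be shown together in a few lines. The following Python is an added illustration written for this page; it is not code from the paper or from any of the cited studies. The record layout, the PHI/PCI/PUBLIC field tags, the role names and the policy table are assumptions made for the example, and the sample record is constructed. The access log is hash-chained so that editing or deleting an earlier entry is detectable, which is one concrete way to make "detailed access logging" tamper-evident.

```python
"""Added example (not from the paper): field-level PHI/PCI classification,
deny-by-default RBAC with an MFA requirement for regulated fields, and a
hash-chained access log. All names and policies below are assumptions."""
import hashlib
import json
from datetime import datetime, timezone

# Assumed field-level classification: one record can carry both PHI and PCI data.
CLASSIFICATION = {
    "patient_name": "PHI",
    "diagnosis": "PHI",
    "mrn": "PHI",
    "card_pan": "PCI",
    "card_expiry": "PCI",
    "invoice_total": "PUBLIC",   # internal business data, no special regime
}

# Assumed deny-by-default policy: a role may read only the classes listed here.
ROLE_POLICY = {
    "clinician": {"PHI", "PUBLIC"},
    "billing": {"PCI", "PUBLIC"},
    "auditor": {"PUBLIC"},
}

# Constructed sample record; not real patient or card data.
RECORD = {
    "patient_name": "Jane Doe", "diagnosis": "J45.20", "mrn": "MRN-000123",
    "card_pan": "4111111111111111", "card_expiry": "12/27", "invoice_total": "120.00",
}


def classify(field: str) -> str:
    """Untagged fields are treated as PHI so a missing classification fails closed."""
    return CLASSIFICATION.get(field, "PHI")


def mask_pan(pan: str) -> str:
    """Display only the last four digits of a primary account number."""
    return "*" * (len(pan) - 4) + pan[-4:]


class AccessLog:
    """Append-only log; each entry commits to the previous entry's hash."""

    def __init__(self):
        self.entries = []
        self.prev_hash = "0" * 64

    def record(self, actor, role, mfa, fields, decision):
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "role": role, "mfa": mfa,
            "fields": sorted(fields), "decision": decision,
            "prev": self.prev_hash,
        }
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.entries.append(entry)
        self.prev_hash = entry["hash"]
        return entry

    def verify(self) -> bool:
        """Recompute the chain; any edited or removed entry breaks it."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev:
                return False
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True


def read_record(record, actor, role, mfa_verified, requested, log):
    """Return only the requested fields the role may see, or None if denied.
    Any PHI or PCI field requires a verified MFA session; every decision is logged."""
    allowed_classes = ROLE_POLICY.get(role, set())
    regulated = [f for f in requested if classify(f) in ("PHI", "PCI")]
    if regulated and not mfa_verified:
        log.record(actor, role, mfa_verified, requested, "deny:mfa_required")
        return None
    denied = [f for f in requested if f not in record or classify(f) not in allowed_classes]
    if denied:
        log.record(actor, role, mfa_verified, requested, "deny:" + ",".join(sorted(denied)))
        return None
    view = {f: (mask_pan(record[f]) if f == "card_pan" else record[f]) for f in requested}
    log.record(actor, role, mfa_verified, requested, "allow")
    return view


if __name__ == "__main__":
    log = AccessLog()
    print(read_record(RECORD, "dr.smith", "clinician", True, ["patient_name", "diagnosis"], log))
    print(read_record(RECORD, "dr.smith", "clinician", True, ["card_pan"], log))
    print(read_record(RECORD, "bill1", "billing", True, ["card_pan", "invoice_total"], log))
    print(read_record(RECORD, "bill1", "billing", False, ["card_pan"], log))
    print("log intact:", log.verify())
```

The clinician is denied the card number, the billing role sees it only masked and only with MFA, and the auditor role, which has no PHI or PCI grant, can read nothing regulated. Tagging unknown fields as PHI is the caveat worth keeping in a real deployment: a classification gap should deny access rather than silently expose data.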
© 2025, IRJET | Impact Factor value: 8.315 | ISO 9001:2008 Certified Journal | Page 403