It seems like everyone is coercing organizations to move their data to the cloud. Before your healthcare company signs on the dotted line, there are a few critical security measures that you need to know inside and out. Whereas most cloud hosts align well with the finance sector, few position themselves towards healthcare. Here are ten critical measures to ensure HIPAA compliance on the cloud.
The first item to ensure HIPAA compliance is to sign the standard Business Associate Agreement (BAA). When a company is named under a BAA, liability is shifted: the companies assigned under the BAA may become subject to audits by the Office for Civil Rights (OCR) and could be held liable for data breaches. As a result, the company may be subject to monetary fines for privacy noncompliance. The HHS Office for Civil Rights is responsible for enforcing the Privacy and Security Rules for most HIPAA covered entities.
Regardless of who’s ultimately at fault during a data breach, conventional wisdom still places the burden of embarrassment and scrutiny on the healthcare provider.
As part of designing a BAA, all covered entities should be able to provide and agree on a detailed responsibility matrix that outlines all aspects of compliance and the responsibility attached to each of the covered entities involved.
It is essential to know and fully understand your legal rights and obligations as well as those of the Managed Services Provider (MSP) and all associated parties identified in the BAA.
There is no “seal of approval” for HIPAA compliance that a Managed Services Provider (MSP) can earn. However, any hosting provider offering HIPAA compliant hosting should be audited by a reputable auditor against the HIPAA requirements as defined by HHS.
At a minimum, fully compliant MSPs will maintain the following certifications:
SAS70 Type II
PCI DSS Compliance
Providers should indicate guaranteed response times within their Service Level Agreement. While 24/7/365 support is crucial, healthcare organizations need a guarantee that the MSP’s technical and security teams will respond to routine changes and to security threats in a timely manner.
The right MSP will – by default – create infrastructure that is highly secure. In the case of data encryption, HIPAA’s Security Rule only requires encryption for data in transit, but data should be encrypted everywhere, both at rest and in transit. Strong encryption policies are particularly important in public cloud deployments and should use at least AES-256 encryption.
Maintaining security in public clouds and in hybrid environments across on-premises and cloud infrastructure is a specialty few MSPs have learned. While many MSPs employ cloud experts, many lack the necessary experience in complex traditional database and networking methodologies that would enable them to migrate legacy healthcare applications and aging EHR systems onto the public cloud securely or efficiently.
HIPAA Security Rule requires that the covered entities “regularly” audit their own environment for security threats. It does not, however, define “regularly.”
Healthcare organizations should request the following from their MSPs:
Monthly or quarterly engineering reviews, both for security concerns and cost effectiveness
Annual 3rd party audits
A credential log to be generated every four hours, listing all of the organization’s active users and access keys
Monthly re-certification of staff’s access management roles
Weekly or daily audit reports from 3rd party security providers
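As an added example (not code from the original article or from any MSP), the following script builds the four-hourly credential log requested above from an identity-store export and flags what the monthly re-certification review should look at. The JSON shape, the user and key names, and the 90-day key rotation window are assumptions; the 30-day re-certification window follows the monthly cadence requested above.

```python
"""Credential-log review helper (added example, not code from the original article).
Assumes a JSON export of the identity store in the constructed shape below; the
age thresholds are assumptions, not HIPAA-mandated values."""
import json
from datetime import date, datetime

KEY_MAX_AGE_DAYS = 90     # assumed access-key rotation window
RECERT_MAX_AGE_DAYS = 30  # article asks for monthly role re-certification

# Constructed sample inventory (not real users or keys).
SAMPLE_INVENTORY = json.dumps([
    {"user": "alice", "active": True, "role": "dba", "role_recertified": "2024-05-01",
     "keys": [{"id": "KEY-EXAMPLE-1", "created": "2024-04-20", "active": True}]},
    {"user": "bob", "active": True, "role": "backup-operator", "role_recertified": "2024-01-15",
     "keys": [{"id": "KEY-EXAMPLE-2", "created": "2023-11-01", "active": True},
              {"id": "KEY-EXAMPLE-3", "created": "2024-05-10", "active": False}]},
    {"user": "carol", "active": False, "role": "analyst", "role_recertified": "2024-04-01",
     "keys": [{"id": "KEY-EXAMPLE-4", "created": "2024-03-01", "active": True}]},
])

def _age_days(ymd: str, today: date) -> int:
    return (today - datetime.strptime(ymd, "%Y-%m-%d").date()).days

def credential_log(inventory_json: str, today: date) -> dict:
    """Build the credential log (active users and keys) plus review findings."""
    active_users, active_keys, findings = [], [], []
    for rec in json.loads(inventory_json):
        if rec["active"]:
            active_users.append(rec["user"])
            if _age_days(rec["role_recertified"], today) > RECERT_MAX_AGE_DAYS:
                findings.append(f"{rec['user']}: role '{rec['role']}' overdue for re-certification")
        for key in rec["keys"]:
            if not key["active"]:
                continue
            active_keys.append(key["id"])
            if not rec["active"]:
                # A live key on a deactivated user is the decommissioning gap that
                # rapid offboarding through a central directory is meant to close.
                findings.append(f"{key['id']}: active key on deactivated user {rec['user']}")
            elif _age_days(key["created"], today) > KEY_MAX_AGE_DAYS:
                findings.append(f"{key['id']}: older than {KEY_MAX_AGE_DAYS} days, rotate")
    return {"generated": today.isoformat(), "active_users": active_users,
            "active_keys": active_keys, "findings": findings}

def sample_report() -> dict:
    """Run the review against the constructed inventory as of a fixed date."""
    return credential_log(SAMPLE_INVENTORY, date(2024, 5, 20))

if __name__ == "__main__":
    print(json.dumps(sample_report(), indent=2))
```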
HIPAA requires organizations to provide training for new workforce members as well as recurrent training. As a business associate, the MSP has an obligation for training their own technical and non-technical staff in HIPAA compliance. A covered entity should ask the MSP the following questions:
What formal sanctions exist against employees who fail to comply with security procedures?
What type of supervision exists on employees who work around PHI?
What is the approval process for internal collaboration software or cloud technologies?
How do employees gain access to your company facility?
What is your email encryption policy?
Who communicates deployments and infrastructure modifications to all stakeholders, and how are they communicated?
Is there a central authorization hub such as Active Directory for the rapid decommissioning of employees?
Can you provide the staff’s HIPAA training documents and records?
Do you provide security threat updates to staff?
What are internal policies for password rotation?
If a hybrid or private cloud is also maintained with the MSP, they should provide a list of global security standards for their data centers, including ISO 27001, SOC, FIPS 140-2, FISMA, and DoD CSM Levels 1-5, among others. ISO 27001 documentation covers the specific best practices for physical data center security.
The National Institute of Standards and Technology, or NIST, produces Standard Reference Materials (SRMs) that outline security practices. Its most recent Guide for Conducting Risk Assessments provides guidance on how to prepare for, conduct, communicate, and maintain a risk assessment, as well as how to identify and monitor specific risk factors.
An MSP should be able to provide a report that communicates the results of the most recent risk assessment, the procedure used to conduct it, and the frequency of risk assessments.
While HIPAA does not require this of Business Associates, it indicates a sophisticated risk management procedure — and is a much more powerful piece of evidence than standard marketing material around disaster recovery and security auditing.
The HIPAA Contingency Plan standard requires the implementation of a disaster recovery plan. This plan must anticipate how natural disasters, security attacks, and other events could impact systems that contain PHI and develop risk mitigation policies and procedures.
An MSP must be able to provide their disaster recovery plan to a healthcare organization, which should include answers to questions like these:
Where is backup data hosted? What procedure maintains retrievable copies of ePHI?
What procedures identify suspected security incidents?
Who do we notify in the event of a security incident? How are such incidents documented?
What procedure documents and restores the loss of ePHI?
What is the business continuity plan for maintaining operations during a security incident?
How often is the disaster recovery plan tested?
Involve the legal eagles, bring in the business process and risk folks, as well as the technical team. Discuss your options. Where are you now? Where do you want to be? Has risk been mitigated?
Challenge your providers. Don’t rely on hearsay, corporate image, track record, or arrogance. Ask informed questions and demand answers; your company and clients will thank you for it. Besides, you’ll sleep better knowing that a little due diligence goes a long way.
If you still have questions, please feel free to ask and we will be more than happy to partner with you and your team to work through the process.