ISACA Now Blog


Action Plan for HIPAA-Compliant Cloud

Adnan Raja, VP of Marketing
Posted at 3:03 PM by ISACA News | Category: Government-Regulatory

HIPAA compliance involves treating your data with extreme sensitivity, so you should view any related technology with extreme care.

Note that the security of a public cloud architecture has often been described as an asset. For instance, Tripwire wrote that “the Cloud is more secure than on-premise backup, storage, and computing systems,” citing regular audits, controlled access, security knowledge, surveillance, and perimeter defenses. However, a poll by SDxCentral found that, across industries, security and compliance was the primary challenge associated with public cloud. With 62 percent of respondents naming it, it ranked above cost management (46%), lack of performance visibility (44%), and cost predictability (41%).

Since healthcare companies have to be so centrally focused on compliance, particularly with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), this concern over cloud compliance deserves special attention. How can you leverage cloud for all its positives without suffering a violation? A few chief concerns should be addressed.

Focus on the BAA.
The US Department of Health and Human Services (HHS), the federal agency that develops and enforces HIPAA regulations, has issued specific guidance on meeting compliance with cloud systems. This guidance advises that cloud service providers (CSPs) are considered business associates when they create, receive, maintain, or transmit electronic health data, whether they do so for a covered entity or for another business associate. In fact, a cloud vendor is subject to HIPAA even when the only personally identifiable health records it handles (the electronic protected health information, or ePHI, of HIPAA) are encrypted and the provider does not hold the decryption key.

Even if a cloud firm has no way to access the data except in encrypted form (thus meeting the confidentiality requirement), it must still maintain the integrity and availability of that data. As in any other business associate relationship, a business associate agreement (BAA) must be signed by both parties (or a subcontractor BAA, if applicable). Note that the HHS also refers to this document, less commonly, as a business associate contract. The cloud vendor is legally responsible for adhering to the agreement’s provisions. Beyond meeting the BAA’s terms, the cloud firm must also be HIPAA-compliant in its own right: ever since the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) went into effect in 2013, business associates have been directly responsible for HIPAA compliance.

Know that the data is, in fact, protected health information.
Protected health information (PHI) is the information covered by the HIPAA rules. Encrypted PHI is still PHI. However, if the data has been de-identified (whether encrypted or unencrypted), it is not PHI.

Work with a cloud provider that is ready to scale.
With acquisitions on the rise in healthcare, it is particularly important to know that a CSP can expand with you. If an acquisition occurs, the vendor should be able to quickly spin up new servers. Scalability matters because you must have enough resources to meet your demand in order to satisfy HIPAA’s availability requirement.

Create a dual relationship.
In signing a BAA with a CSP, you should be creating a two-part relationship that encompasses both business and technical functions. A cloud vendor that supports balanced interconnection between different healthcare services, and that understands the covered entity or business associate contracting with it (i.e., you), has the core qualities that deserve your attention.

Pay attention to use cases.
Think in terms of use cases when you assess CSPs. Many cloud vendors now have HIPAA-compliant business associate agreements readily available (although certainly not all do). Even among those that have BAAs in place, the agreements are not created equal. When you are looking for a data backup or disaster recovery service, you especially need to confirm that the organization can customize its offering to suit your requirements, as Bill Kleyman has noted. Commitment and expertise related to compliance will also vary greatly from vendor to vendor.

Verify transparency.
You want a reasonable view into the cloud firm’s operations and business so that you can assess risk and demonstrate compliance.

Check for HIPAA certification.
Does the CSP hold a HIPAA compliance certification from a trusted, credible third party, based on a recent audit? Review the provider’s implementations and its control matrix.

Conduct routine risk assessments.
Do your CSPs conduct routine risk assessments? Risk assessments are fundamental to HIPAA compliance, and they must be ongoing. The HHS is extremely clear on this point. Its language on risk assessment frequency is somewhat loose but still specific: “Some covered entities may perform these processes annually or as needed (e.g., bi-annual or every three years), depending on circumstances of their environment,” notes the HHS.

Select the right cloud partners.
Compliance can become especially challenging when you consider your business associates, and cloud providers represent specific risks. By following the above guidance and the additional insights provided on the HHS site, you can feel certain that your cloud is healthcare-compliant.

Author’s note: Adnan Raja is the Vice President of Marketing at Atlantic.Net. During his tenure, Atlantic.Net has grown from having a primarily regional presence to garnering and developing attention nationwide and internationally.
