When it comes to moving their data to the cloud, some healthcare organizations can be understandably reluctant. Keeping patient data secure and maintaining a laundry list of HIPAA regulations are among the chief concerns as cyber threats continue to rise.
But achieving HIPAA compliance in the cloud is well within the grasp of all healthcare organizations. If the chosen cloud provider has a robust security framework and follows consistent monitoring protocols, then all the major building blocks of HIPAA compliance are in place.
This framework will be defined in the all-important Business Associate Agreement (BAA). This written agreement will keep your organization secure and on the right side of the law by confirming protocols such as two-factor authentication and end-to-end encryption with your cloud provider.
Though many healthcare teams have yet to fully commit to the cloud, it’s estimated that 35 percent of healthcare companies are using the cloud to store more than half of their data. That’s a number that’s only set to increase given the ease, convenience and cost savings provided by the cloud.
So in this article I’ll run through some of the key considerations when it comes to ensuring HIPAA compliance on the cloud.
Establishing a BAA
The BAA is one of the most crucial aspects of your due diligence of cloud providers. Any cloud provider that can’t provide a BAA or shows unwillingness to engage with this process will need to be excluded from the selection process, as this agreement sets the conditions to which a cloud partner can use and interact with patient data.
By codifying specific security protocols – like recording who accesses patient data and setting up a notification system in case of a cyberattack – this agreement makes it clear your cloud provider will comply with the Security Rule, Privacy Rule and Breach Notification Rule set by HIPAA. These are all required to keep patient medical data protected.
A reputable cloud provider with demonstrable HIPAA experience can simplify onboarding by providing advice and guidance when setting up a BAA. However, healthcare organizations should still use their own legal and compliance counsel during this process, to ensure the agreement provides all necessary coverage.
Confidence when setting up a BAA with a cloud provider is often enhanced by the fact there are several household names to choose from in the marketplace of HIPAA-compliant cloud solutions, such as Amazon Web Services.
And even though these solutions are becoming more prevalent, adopting one of these cloud services will put a medical team at the forefront, as an estimated 70 percent of the healthcare market is not HIPAA compliant, according to the Department of Health.
Implementing Security Protocols
The BAA enshrines the cloud security protocols that the cloud provider must adhere to in order to maintain HIPAA compliance. Once the agreement goes live, the cloud provider must put these provisions into practice. These will include two-factor authentication and end-to-end encryption.
These security and privacy controls mean that anyone who tries to access patient data is required to log in via two or more methods, one of which will usually be a code received by text or email. Encryption is another must-have, as healthcare providers need to ensure all patient medical data is encrypted while being processed and stored in the cloud.
HIPAA also requires a healthcare organization and its cloud provider to institute access controls, which includes ensuring only pre-authorized users have login credentials, and that users can only access or modify data in line with their job requirements.
In addition, cloud providers must record and retain access logs for patient data, so that there is an audit trail of every employee who has accessed it.
These security protocols must be in place at all times to ensure HIPAA compliance and minimize the risk of a data breach.
Setting up a Monitoring Regimen
The final element of HIPAA compliance with cloud providers, after setting up a BAA and implementing security protocols, is to establish a monitoring regimen. Monitoring needs to be conducted by both the healthcare organization and the cloud provider.
On the cloud provider’s side, they must have 24/7 threat detection, run regular risk assessments and conduct proactive cyber security testing, such as penetration tests. They should also be able to provide proof of these activities, such as penetration test certificates from the third party that conducts this on their behalf. What’s more, they should be able to provide proof of the security patches they are installing each month and the threats these are protecting against.
Also, cloud providers are obligated to notify their healthcare partner any time there is a data breach, and that organization, by law, must notify the Department of Health. Many cloud solutions currently on the market have preset triggers that send automated notifications, immediately alerting an organization to an attack and allowing the two parties to work together to swiftly analyze its scale and minimize any additional risk.
On the healthcare organization’s side, they must ensure adequate monitoring of employees’ access to patient data stored on the cloud platform. This includes ensuring each employee has the correct access level for their job role and ensuring that employee access is revoked as soon as they stop working for the organization.
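As an added illustration, not taken from the article, of the access-log review described in this section, the Python below checks constructed audit-log lines against a constructed HR roster and a role-based ("minimum necessary") policy. It flags access by users with no pre-authorized credential, access by users whose employment has ended, and reads or writes outside a user's job role; all names, roles and record types are assumptions for the example.

```python
import csv
import io

# Constructed HR roster (not real data): who is still employed and in what role.
ROSTER_CSV = """user,role,status,termination_date
alice,nurse,active,
bob,billing,terminated,2024-03-01
carol,physician,active,
"""

# Constructed patient-data access log, one event per line:
# timestamp user action resource record_type
ACCESS_LOG = """2024-03-04T09:12:00Z alice READ patient/1001 clinical_notes
2024-03-04T09:15:00Z bob READ patient/1002 clinical_notes
2024-03-04T09:20:00Z carol WRITE patient/1003 clinical_notes
2024-03-04T09:25:00Z alice WRITE patient/1001 billing_codes
2024-03-04T09:30:00Z dave READ patient/1004 clinical_notes
"""

# Assumed minimum-necessary policy: record types each role may READ / WRITE.
ROLE_PERMISSIONS = {
    "nurse": {"READ": {"clinical_notes"}, "WRITE": set()},
    "physician": {"READ": {"clinical_notes", "billing_codes"}, "WRITE": {"clinical_notes"}},
    "billing": {"READ": {"billing_codes"}, "WRITE": {"billing_codes"}},
}


def load_roster(text):
    """Parse the roster CSV into a dict keyed by username."""
    return {row["user"]: row for row in csv.DictReader(io.StringIO(text))}


def audit_access(log_text, roster):
    """Return (timestamp, user, reason) findings for log lines that violate
    the access-control expectations: unknown user, terminated user, or an
    action on a record type the user's role does not permit."""
    findings = []
    for line in log_text.splitlines():
        ts, user, action, _resource, record_type = line.split()
        entry = roster.get(user)
        if entry is None:
            findings.append((ts, user, "no roster entry: credential not pre-authorized"))
            continue
        if entry["status"] != "active":
            findings.append((ts, user, f"access after termination on {entry['termination_date']}"))
            continue
        allowed = ROLE_PERMISSIONS.get(entry["role"], {}).get(action, set())
        if record_type not in allowed:
            findings.append((ts, user, f"{action} on {record_type} outside role {entry['role']}"))
    return findings
```

Running `audit_access(ACCESS_LOG, load_roster(ROSTER_CSV))` on the sample data yields three findings: bob (terminated), alice (write outside the nurse role) and dave (no roster entry).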
The ONC and OCR provide a Security Risk Assessment (SRA) tool that healthcare organizations can use when designing a risk assessment that conforms to HIPAA compliance.
The Bottom Line
HIPAA compliance in the cloud ultimately comes down to the cloud provider you choose and the provisions set out in the BAA. Choosing a cloud partner with demonstrable HIPAA experience is the surest way to set yourself on the right path. Pairing this with appropriate legal and compliance counsel on your side will give you full confidence that your cloud solution and monitoring regimen will stay on the right side of HIPAA compliance.