By Marty Puranik
Cloud computing is compelling to healthcare covered entities and other organizations that handle protected health information (PHI). Cloud improves efficiency and speed by allowing for various servers to all work in unison, with software that orchestrates many different machines to allow them to each operate at closer to total capacity. You also get greater availability and uptime: if a server fails or is not ready, you are shifted straight to another server.
However, this technology presents those who use it with risks that must be addressed if you want to meet the HIPAA Security Rule (which applies the patient rights described in the Privacy Rule to digital environments via a mandate for technical, administrative, and physical safeguards) and the rest of federal healthcare law.
How can you know that PHI is safe in the cloud?
Cloud should be considered a secure way to store data. However, a standard cloud plan can certainly be bolstered with extra security measures.
To look at the cloud in its “raw form” (prior to addition of any security tools), the perspective of New York Times deputy technology editor Quentin Hardy is compelling; he notes that cloud systems from credible providers have built-in defenses from computer scientists who focus entirely on IT security.
Security concerns with cloud have been around for years, but security mechanisms built into cloud environments have proliferated as a result. David Linthicum noted back in 2015 that even at that point, public cloud “is more secure than the typical data center,” with vendors of cloud services “more paranoid – and attentive – to security risks throughout their entire stack.”
While having confidence in the base technology and setting helps, you also want to know specifically that your data is safe and that appropriate protections are in place for HIPAA compliance. The centerpiece of that assurance you want is the business associate agreement (BAA), which will better establish who is responsible for protections (i.e., you or the cloud provider) at what points. Below is information on the BAA and other simple steps you can take.
Steps to make sure your cloud provider is healthcare-compliant
While it is simple for an IT provider to claim the ability to offer HIPAA-compliant systems, you must be able to validate their statements and have recourse if they do not do as they say. Here are a few specific steps you can take:
#1 – Sign HIPAA-compliant BAAs with all providers.
The Department of Health & Human Services (HHS) has released specific guidance for cloud computing since it has raised considerable confusion related to HIPAA. That information states that when a cloud service provider (CSP) is sending, storing, receiving, or producing electronic health data for you, that automatically gives them status as a business associate. Notably, the cloud provider is a BA even if they cannot even access the information: if your data is encrypted and the cloud BA does not have a decryption key to see it, a BA is still required because you still need high availability and integrity of data, even if confidentiality is protected. A risk analysis and risk management plan can help you as you determine exactly what you will need for safety (since the analysis will reveal risks that need mitigation). As long as you have a signed BAA founded on a strong risk analysis, cloud partnerships are fine with the HHS, which states that “a covered entity or business associate may use cloud-based services of any configuration (public, hybrid, private, etc.).”
#2 – Tap expertise.
Find and implement ideas on how to improve your data protection from the nonprofit Cloud Security Alliance.
#3 – Harden your perimeter.
Use firewalls to safeguard your network, along with strong endpoint security mechanisms so that your user devices that access the cloud are not putting you at risk.
#4 – Encrypt.
Implement file-level encryption beyond what is provided through the cloud service, suggested Dr. Rao Papolu in Forbes. Encrypt prior to uploading so you know nothing is in unencrypted form.
#5 – Partner wisely.
Choose cloud vendors that have strong security technologies and protocols.
#6 – Close gaps as needed.
Figure out how you have to bolster what you are getting from the service – as revealed through a risk analysis.
#7 – Close any documentation holes with the SLA.
While the BAA is your core paperwork concern related to HIPAA, the HHS also notes that you should ensure the SLA is covering anything unaddressed by the BAA related to compliance – typically expectations of the service:
- Disclosure, retention, and use restrictions
- Responsibilities related to security
- Reliability and availability of the service
- Data recovery and backup process (allowing for fast recovery in worst-case scenarios, including ransomware)
- How the information would be given back to the customer if they depart.
#8 – Check for HIPAA certification and service control auditing.
You need to make sure the third parties with which you partner have met guidelines, and one of the surest ways to do that is through another third-party. Check for independent HIPAA and HITECH auditing, as well as adherence with other trusted standards – such as SSAE 18 (formerly SSAE 16) SOC 1 and SOC 2 from the AICPA.
HIPAA is complex, but you can certainly meet its parameters with cloud computing. Sign a strong business associate agreement with each of your providers, and take additional steps to strengthen your data environments and ensure you avoid a violation.