Understandably, the really big fines for HIPAA non-compliance are the ones that get the most attention in the press and social media. Case in point: The $16 million settlement with Anthem in 2018. But examples like these don’t tell the full story. Prior to 2016, the Office of Civil Rights (OCR) only went after healthcare organizations and Business Associates for breaches that affected more than 500 individuals. That changed in September of 2016 when the OCR announced an initiative to go after smaller breaches as well. Find the full HIPAA Breach Notification rules on the HHS website.
Now, if you watch the HIPAA news page, you’ll see many smaller fines as well – amounts that might not mean much to a larger organization but would be a significant penalty to a small doctor’s office or dental provider. For that matter, there doesn’t actually need to be a breach for the OCR to issue a non-compliance fine. This happens fairly frequently for covered entities that fail to get a signed Business Associate agreement with third-party contractors that handle PHI (Protected Health Information) on their behalf.
Finally, small businesses also need to understand that they are under scrutiny at the state level as well. Some states have HIPAA-like laws that are even more stringent, but unless these regulations conflict with HIPAA/HITECH, regulators will defer to the local laws. In addition, the Health Information Technology for Economic and Clinical Health Act (HITECH), passed in 2009, gave State Attorneys General the authority to bring civil actions on behalf of state residents for violations of the HIPAA Privacy and Security Rules.
Know Your Risks
There are two areas we see presenting the greatest risks to small businesses. The first is ignorance of the law, especially the need to get a signed Business Associate Agreement (BAA) with any third-party that handles PHI on your behalf. That includes any cloud provider housing PHI workloads. That’s why, when one of our customers’ contracts with us to manage their AWS or Azure environments, we not only sign a BAA, but we also help them get a signed agreement with Amazon or Microsoft as well.
The second common mistake involves inadvertently leaving resources exposed when migrating workloads to an unfamiliar cloud environment. AWS and Azure make it incredibly easy to migrate your workloads to the cloud, but they also offer a lot of options so you can tailor your environment to your specific needs. If you’re not familiar with all of the options, it’s easy to accidentally misconfigure your environment and leave resources exposed to the public internet.
To give you an idea of how common it is, Amazon sent an email to users they think might have accidentally misconfigured their storage resources, leaving them exposed to the public internet. Presumably, they did this as a preemptive PR move as any violations involving their services could reflect negatively on them in the public eye even if they are not at fault. But make no mistake – the OCR would lay the blame squarely at the feet of Amazon’s customers.
Two Ways to Mitigate Your Risks
Small businesses don’t often have the budget to hire a full-time security team in house, so how can they protect themselves? Many are contracting with managed security providers. According to IDC, worldwide spending on IT security-related hardware, software, and services is expected to increase by almost 10% this year over last.
Outsourcing your cloud to a managed cloud provider is another great way to make sure you’ve covered your bases, and if you’re a small organization, it may not be as expensive as you think. (And it’s certainly less expensive than a non-compliance fine and all the cleanup and reputation damage that comes with any security breach!)
Regardless of your cloud experience level, if you want to continue to manage your own environment, you need visibility. AWS and Azure offer some tools, but once again, you need to be fairly familiar with the environment so you know what to look for. Plus, if you’re housing workloads in a multi-cloud environment, as some 80%+ of organizations do, cloud governance can get a bit trickier as most tools require a separate dashboard for each instance.
To make things a bit easier, we’ve developed a cloud management platform called TRiA, which allows us to see a customers’ multiple cloud environments all from a single console. This includes cloud environments that include multiple vendors such as AWS, Azure, VMWare, and IBM. We use this platform to help our customers reach their cloud security, compliance, performance, and budget objectives.
We also believe in transparency, so all of our managed services customers get access to TRiA. This makes it easier for us to collaborate with their internal IT team as we work to help them reach their goals.
Earlier this year, we made TRiA available as a separate license for customers who don’t want to engage any of our managed services. And because TRiA is value-priced based on the number of cloud resources you’re managing, TRiA is very affordable for small businesses.