The healthcare cloud computing market is forecast to reach $15.50 billion by 2024. That’s not surprising given the number of healthcare companies signing on for the many benefits the cloud offers. It’s not only convenient and cost-effective but also offers scalability, reliability, and, yes, even security. Some organizations choose it due to its capabilities for disaster recovery, backup and compliance.
As we mentioned in a recent blog, covered entities, including healthcare providers and payers that create, receive or transmit protected health information (PHI) and invest in cloud computing must take certain precautions to verify they’re compliant with the Security Rule of HIPAA and its administrative, physical, and technical safeguards.
Even if you encounter a cloud storage solution labeled HIPAA-compliant, the best cloud storage vendors (hereafter CSVs) might not help you configure the necessary components to meet the requirements of both the law’s security and privacy rules. A better approach, then, is to use a third-party cloud vendor that can arrange for proper HIPAA-compliant storage independent of platform. A good partner should help you ensure security controls are arranged and verified so that only authorized users can access your data stored in the cloud.
Indeed, the IBM X-Force Report noted in 2017 that “inadvertent activity such as misconfigured cloud infrastructure was responsible for the exposure of nearly 70 percent of compromised records.” Those kinds of breaches are very costly for businesses, in both money and reputation. Thus, it pays to understand how government rules and regulations affect cloud storage and the level of access you have to your mission-critical applications and data. Knowing this, you can ensure that any choice of cloud storage you make meshes well with your specific business needs and provides the necessary tools to confirm your information remains HIPAA-compliant.
Be Familiar with Business Associate Agreements
The Health Information Technology for Economic and Clinical Health (HITECH) Act, which was enacted in 2009, extended HIPAA’s requirements to business associates. Healthcare organizations that utilize cloud computing and storage are required to have a Business Associate Agreement (BAA), which is a contract between a covered entity and a business associate that establishes the permitted and required uses and disclosures of PHI by the business associate (BA), and provides that the BA will use PHI only as permitted by the contract or required by law, use appropriate safeguards, and report any disclosures not permitted by the contract. A business associate is usually a CSV, cloud service provider (CSP), managed service provider (MSP) or other organization that processes patient data through the services it conducts.
If the CSVs you’re considering aren’t familiar with a BAA and don’t have experience with customers in the healthcare industry, those should be red flags to you. They should understand not only what a BAA is but also what it entails and have no issue signing one with you.
There are numerous HIPAA compliance questions you should ask your business associates. Know that even if you have a BAA with your selected CSV, you’re not automatically absolved of responsibility for any breaches that occur. Also, you and your business associates should read and understand the CSV’s policies and procedures before placing any of your PHI with them.
Conduct a Detailed Risk Assessment
Though it may seem time-consuming, conducting a risk assessment before opting for a CSV adds another level of protection for your data. It verifies that your selected vendor uses the appropriate safeguards, technology, and policies and procedures. Even after you’ve chosen a CSV, performing risk assessment management is critical. According to the National Institute of Standards and Technology (NIST), healthcare risk assessment management should include the following steps:
- Categorize information systems
- Identify and implement security controls
- Assess security controls
- Authorize information systems
- Monitor and adjust security controls
Ensure Your CSV Utilizes Encryption
If the CSV you’re considering doesn’t encrypt the data you store with it, select another one. Your data, including PHI, should be encrypted in transit and at rest. That way, it is of no value to unauthorized individuals who might intercept it illegally.
The Office of Civil Rights, which is responsible for issuing periodic guidance on the provisions in the HIPAA Security Rule, notes that failures in data security are often linked to the absence of encryption and a lack of authentication to protect data integrity. You need to know that your CSV has procedures and plans in place to combat these issues and address them accordingly.
Sign a Comprehensive Service Level Agreement
Service level agreements (SLAs) are contracts designed to document what your CSV and/or CSP is providing to you. For healthcare entities, it’s an important part of ensuring security and compliance. As the U.S. Department of Health & Human Services (HHS) explains, SLAs address various HIPAA concerns, including:
- System availability and reliability
- Back-up and data recovery (e.g., as necessary to be able to respond to a ransomware attack or other emergency situation)
- Manner in which data will be returned to the customer after service use termination
- Security responsibility
- Use, retention, and disclosure limitations
Don’t sign an SLA unless its policies encompass security and privacy, disaster recovery, downtime, support and disclosure of information. The aforementioned Office of Civil Rights publishes its HIPAA guidance online; review it to ensure you have all areas covered.
Employ the Services of a Proven Partner
Again, though it may seem too time-consuming, doing the appropriate research before selecting a CSV will help mitigate problems with the applications and data you store in the cloud. Cybercriminals adapt as their methods are defended against, so you need to make sure you stay one step ahead.
At Connectria, we aid healthcare organizations like yours in maintaining compliance with HIPAA/HITECH security standards for the storage of PHI. Whether you choose to utilize private hosted or compliant public clouds, we’ll work with you to monitor your cloud environment for potential compliance issues, manage performance and achieve cost-optimization. Contact us today to learn more about the services we offer.
One of our recent blogs explores the difference between HIPAA and HITECH.
Learn more about Connectria being included on Computerworld’s 2019 list of 100 Best Places to Work in IT.