8 Things Healthcare Organizations Can Do to Ensure HIPAA Compliance in the Cloud
“Clouds come floating into my life, no longer to carry rain or usher storm, but to add color to my sunset sky,” said Bengali polymath Rabindranath Tagore. It’s a nice, optimistic sentiment, but if you’re a healthcare provider using the cloud, you’re likely thinking that, in your position, clouds are still plenty capable of ushering storms where your HIPAA compliance is concerned.
The Health Insurance Portability and Accountability Act (HIPAA) provides clear rules about the storage and sharing of protected health information (PHI). All organizations that handle PHI are required to comply with HIPAA standards, but that can become a little trickier if you engage a cloud service provider (CSP).
As long-time, highly experienced HIPAA assessors, we provide valuable insight and services that help organizations avoid any HIPAA missteps. In this article, we’re going to outline eight things you can do to ensure you stay compliant when engaging a cloud service provider (CSP) so that your cloud doesn’t “usher in any storms.”
HIPAA and the Advantages of the Cloud
Healthcare organizations are increasingly turning to the cloud—it’s an appealing option for HIPAA-compliant applications, storage, and networking options as it provides a low-cost way to develop the complex infrastructure required to support a variety of critical organizational activities:
- Storage and Easier Access of Electronic Protected Health Information (ePHI): Files stored in the cloud are accessible anytime and anywhere from any device, making it easy to share critical medical information.
- Data Backup: Cloud computing also protects healthcare organizations from losing sensitive data in the event of a natural disaster or data breach.
That being said, is cloud storage secure enough to store, access, and transfer ePHI?
While HIPAA does not prohibit the storage of ePHI in the cloud, the legislation does require certain privacy and security protections to be in place to ensure the confidentiality, integrity, and availability of that data. So, before moving health-related data to cloud storage, healthcare organizations need to make sure that the software they plan to use is HIPAA compliant.
What Does a HIPAA-Compliant Cloud Look Like?
No cloud platform is inherently HIPAA compliant. Large public clouds (like AWS and Azure) may support HIPAA compliance, but they cannot offer or guarantee it because compliance comes not from having a certain kind of technology or platform, but rather from configuring the platform in the appropriate ways.
So, when a CSP tells you they’re “HIPAA compliant,” they mean that their underlying infrastructure is secure and that they provide tools for ensuring compliance. Healthcare organizations must then use these tools appropriately and follow up with appropriate monitoring and reporting.
There are no official HIPAA certifications for compliance, and no government or industry certifies HIPAA compliance for cloud services, so, yes, it’s up to both parties to ensure adherence to HIPAA’s requirements:
- The healthcare organization must:
- Develop policies and procedures covering the use of HIPAA secure cloud storage of ePHI.
- The CSP must:
- Satisfy all relevant provisions of the HIPAA Privacy and Security Rules before it can be used in connection with any ePHI (i.e., incorporate all the required controls to ensure the confidentiality, integrity, and availability of ePHI).
- Review HIPAA regulations and possibly update its products, policies, and procedures to support HIPAA compliance.
How to Maintain HIPAA Compliance While Engaging Cloud Providers
No CSP may be HIPAA-compliant right out of the box, but, luckily, the Department of Health and Human Services Office of Civil Rights (OCR) recently issued guidance on HIPAA and cloud computing.
There all also other ways healthcare organizations can pave an easier way to cloud HIPAA compliance. for the needs of healthcare organizations—here are eight things to do when engaging a CSP.
1. Sign a Business Associate Agreement (BAA) with Your CSP.
When a healthcare organization stores ePHI in the cloud, the CSP is considered by law to be a business associate, which means you’re required to enter a contract with the CSP that outlines its legal obligations under HIPAA.
The BAA should spell out allowable uses and disclosures of PHI and the safeguards in place to prevent unauthorized access or use of that data—it should also state that the CSP must:
- Secure the data transmitted to the cloud
- Store the data securely
- Provide a system that allows careful control of data access
- Record logs of all activity, including both successful and failed attempts at access
2. Set Up Access Controls.
These must be robust—like two-factor authentication or single sign-on, secure passwords, and secure file-sharing procedures —and your CSP should let you designate different access levels for different users. These access controls must be carefully configured so that any given piece of ePHI can be accessed only by authorized individuals.
You should have procedures in place for consistently granting, revoking, modifying, and reviewing such access over time while your CSP must conduct regular, rigorous assessments to ensure its platform remains secure and in compliance with HIPAA.
3. Enable Logging in Firewalls.
You likely already understand that on-premises data centers and workstations should already be behind a compliant firewall because that’s a requirement during a typical HIPAA audit. But the HIPAA rules also require logging, auditing, and monitoring access to ePHI data, which means that any firewalls, whether on-premise or in the cloud, will need such logging enabled.
Moreover, you must review access logs regularly to ensure you spot improper activity promptly—you’ll also need to log events to maintain the HIPAA-required audit trail.
4. Ensure Encryption is In Place.
Any data shared via the cloud should be protected by end-to-end encryption, but you need to ensure data is encrypted both at rest and in transit to the standard recommended by the National Institute of Standards and Technology (NIST).
All devices used to access or send ePHI must be able to both encrypt messages that are sent outside the firewall and decrypt the messages received.
5. Implement Controls for File Integrity Monitoring.
These integrity controls will confirm that ePHI has not been altered or destroyed in any unauthorized way.
When the right controls are in place, you should be able to identify and verify:
- When unauthorized access happens
- When changes to data are made
- The “authenticity” of any given piece of ePHI
6. Classify Data by Sensitivity Level.
Regarding the inventory and grouping of ePHI, you must classify your data by sensitivity level. Doing so clearly will help you ensure confidentiality, integrity, and availability of that information as required by the HIPAA Security Rule.
For more on data classification and protection, click here.
7. Ensure That Information Handled by Your CSP is Always Available.
A HIPAA-compliant CSP must have near-100% uptime to ensure ePHI can always be accessed—look for a HIPAA cloud storage solution provider that offers a service level agreement (SLA) guaranteeing high performance and that near-100% uptime to ensure that all stored data can be accessed the instant it is required.
But you’ll also need that data in the event of a breach, ransomware attack, or disaster, so ensure that your CSP has a robust disaster recovery plan so that your data can easily be recovered, including robust backup policies and offsite backup storage.
8. Continuously Monitor Your CSP.
All these prior measures—the proper configuring of security controls--won’t matter much to your compliance efforts if you don’t also monitor activity around data stored in that system.
To ensure your organization’s cloud storage service stays compliant, be sure to regularly perform risk assessments and develop strict cybersecurity policies and procedures.
Next Steps Regarding Your HIPAA Compliance
As Tagore said, clouds “add color” and they certainly have their benefits for healthcare organizations. That being said, cloud computing can also “usher storms” when it comes to your HIPAA compliance. If you choose to engage a CSP, to be HIPAA-compliant, it must ensure multiple safeguards are implemented to ensure ePHI is protected at all times.
But the onus is not only on your CSP—there are certain responsibilities you, as the covered entity, also have to maintain compliance when using cloud computing, and now you know of eight things you can do to both keep your ePHI safe and be ready in the event of an OCR audit.
For more information that can further simplify your HIPAA obligations and boost your security, check out our other articles that address different useful facets:
Schellman is a leading provider of attestation and compliance services. We are the only company in the world that is a CPA firm, a globally licensed PCI Qualified Security Assessor, an ISO Certification Body, HITRUST CSF Assessor, a FedRAMP 3PAO, and most recently, an APEC Accountability Agent. Renowned for expertise tempered by practical experience, Schellman's professionals provide superior client service balanced by steadfast independence. Our approach builds successful, long-term relationships and allows our clients to achieve multiple compliance objectives through a single third-party assessor.