Healthcare organizations have massive regulatory obligation and liability risk when using cloud services to store, or process protected health information (PHI) or building web-based applications that handle PHI, and therefore are subject to the strictest security requirements.
Risk Analysis of Platforms
HIPAA certification does not guarantee the cloud provider's compliance. And even when they claim to be HIPAA compliant or support HIPAA compliance, covered entities must perform a risk assessment of the risks associated with using the platform with ePHI.
Risk Management
Creating risk management policies related to a service is the next step after performing a risk analysis. There should be a reasonable and appropriate level of risk management for all risks identified.
The covered entity must fully comprehend cloud computing and the platform provider's services to perform a comprehensive, HIPAA-compliant risk analysis.
Business Associate Agreement (BAA)
As a result of the HIPAA Omnibus Rule, businesses that create, receive, maintain, or transmit PHI are part of the HIPAA business associates' definition. Cloud computing platforms providers clearly fall under the latter two categories.
Therefore, an entity covered by a cloud platform must obtain a business associate agreement (BAA) from the provider. BAAs are contracts between covered entities and service providers. Platform providers must explain all elements of HIPAA Rules that apply to them, establish clear guidelines on the permitted uses and disclosures of PHI, and implement appropriate safeguards to prevent unauthorized disclosures of ePHI.
Common Challenges for Covered Entities
A BAA doesn't automatically make you HIPAA compliant.
It is still possible to violate the HIPAA Rules even with a BAA in place. As a result, no cloud service by itself can truly comply with HIPAA. The responsibility for compliance falls on the covered entity. If an entity misconfigures or does not enforce the right access controls, it is the entity that is faulted for non-compliance, not Amazon, Microsoft, or Google.
Complex requirements for access controls
Access to ePHI must be verified and authenticated before anyone is allowed access to it. That means that you must secure the infrastructure containing electronic health information in all its aspects—from servers to databases, load balancers, and more.
Extensive audit logs and controls
Reporting on all attempts to access ePHI, whether successful and unsuccessful, is mandatory.
Security concerns in storage
ePHI is stored in a lot of healthcare information systems. A document scan, X-ray, or CT scan are all classified under this category. Encryption and access management controls are mandatory to prevent unauthorized access to these files when they are sent over a network.
Requirements for encryption of data-in-transit
To prevent the transmission of ePHI over an open wire on an open connection, all messages and data that leave a server must be encrypted.
Requirements for encryption of data-at-rest
There is no HIPAA requirement for encryption at rest. However, data encryption at rest is a best practice to protect it from external users with physical access to hardware.
Access controls
One of the most robust ways of securing your servers is to firewall them so that only people with appropriate access can log on and use them to enable Active Directory integration. The result is a double layer of protection. This prevents operation system vulnerabilities from getting exploited by hackers.
Audit logs and controls
The software you write must allow for audit logging of every access to HIPAA data and when it was accessed. You can create a log file (or SQL database table) to track these logs.
Secure storage
It's possible to store files in a secure manner using the following options:
Amazon S3: Amazon Simple Storage Service provides industry-leading storage, scalability, availability, security, and performance of data.
AWS EBS: AWS offers Amazon EBS (Amazon Elastic Block Store), which allows persistent block storage across Amazon EC2 instances
Encrypt data-in-transit
You can encrypt all traffic over NFS with an industry-standard AES-256 cipher and Transport Layer Security 1.2 (TLS). AWS's EFS mount helper simplifies using EFS, including configuring data encryption in transit through an open-source utility.
Encrypt data at rest
The option for disk encryption is available when cloud providers provision disk storage for databases, file storage, disk storage, and virtual machines. If a hard drive were stolen from a cloud data center (highly unlikely), the data would be rendered useless by the encryption.
Conclusion
The Health Insurance Portability and Accountability Act of 1996 requires compliance by many organizations in the healthcare industry. Use this guide to set the foundation of your HIPAA compliance for your cloud-based health services and solutions, or contact us here for more information.