A few weeks ago, we attended the HIMSS Privacy & Security Forum in Boston and liveblogged the panel discussion, Managing Security Risks of Health Data in the Cloud. The speakers provided a list of questions to ask in order to manage cloud security risks, as HealthITSecurity.com outlined below. As a HIPAA compliant cloud host, the bolded text is our response to their questions:
- Have you looked at the cloud provider’s application and/or network architecture? **This applies more to the SaaS cloud app providers, but make sure your IaaS cloud provider can explain and/or show you a diagram of the cloud environment and infrastructure you’ll be using.**
- Have you conducted business due diligence on the cloud provider (e.g., how long have they been in business, do they service other healthcare providers, etc.)? **With the new omnibus rule forcing cloud providers to reexamine their clouds within the healthcare framework, there are newbies everywhere. Ask for references, and how long they’ve been operating under HIPAA compliance.**
- Have you reviewed the cloud provider’s policies, procedures, and processes and any relevant reports (e.g., SSAE 16, SOC 2)? **A business associate agreement should outline policies and procedures. Review a copy of your cloud provider’s independent HIPAA audit report, if they invested in one, and check that they’ve been audited against the OCR HIPAA Audit Protocol.**
- Can you periodically audit the cloud provider? **If you don’t want to spend the time and money auditing your cloud provider, partner with a cloud provider that already invests in compliance audits yearly.**
- Have you interviewed key cloud provider personnel? **Talk to their IT team: the IT leads and engineers who will be handling deployment and infrastructure management. Ensure support is prompt and responsive after your project is handed off from sales.**
- Does the cloud provider use a third party data center and where is it located? **This may also apply to cloud SaaS providers, but when it comes to cloud IaaS, they should ideally own and operate their own data centers within the country (HIPAA’s not international). Data centers located in a safe, disaster-free zone with redundant, high-availability design will give you the peace of mind that your cloud servers are secure. Visit and tour their data centers before signing the contract.**
Another security precaution to take when it comes to the HIPAA cloud is to ensure that data encryption is an option. Encryption of data at rest can be achieved with built-in, hardware-based, disk-level encryption that encrypts data as it’s being written to the drives.
Data in transit is also important to encrypt, as it travels between application tiers and over wireless connections. The use of VPNs (Virtual Private Networks), SSL and two-factor authentication can ensure data is protected along its entire path.
Read our Encryption of Cloud Data white paper that outlines every option and provides a diagram of a defense in depth solution to protect data in every state.