iHT2 recommendations for HIPAA-compliant cloud business associates

Cyber criminals are being drawn to the healthcare industry like moths to a flame and providers are more vulnerable as the sharing of electronic health records proliferates.

To help diminish both those trends, the Institute for Health Technology Transformation (iHT2) recently compiled its “10 Steps to Maintaining Data Privacy in a Changing Mobile World.”

With a goal of explaining “how healthcare organizations can best protect themselves from the rapidly growing threat of security breaches and medical identity theft,” the paper is compiled by CIOs and security consultants who describe best practices for preventing these incidents and suggesting “how to deal with the proliferation of electronic data on the web and on mobile devices, which has created many new avenues for cyber attacks and the theft of personal health information.”

The paper ends with 10 suggested strategies to follow, each of them worth investigating further. For brevity’s sake, let’s take a look at two of the suggested strategies that are particularly relevant to our secure and compliant data hosting world.

The first deals with business associate agreements:

Get business associate agreements. All outside partners and service providers, including cloud storage providers, should sign BAAs acknowledging their responsibility to protect PHI. You should also require business associates to upgrade their security procedures.

As of September 2013, the HIPAA Omnibus Final Rule asserts that business associates are as liable for data security breaches as the HIPAA-covered entities they work with. This includes cloud vendors, many of whom had earlier been reluctant to sign these pacts.

There’s strong rationale for providers to insist vendors and partners sign business associate agreements: according to the Ponemon Institute, healthcare organizations simply don’t trust their third parties or business associates with sensitive patient information.

A recent Ponemon study revealed that 73 percent of organizations are either “somewhat confident” (33 percent) or “not confident” (40 percent) that their business associates would be able to detect, perform an incident risk assessment and notify their organization in the event of a data breach incident as required under the business associate agreement. … Only 30 percent are “very confident” or “confident” that their business associates are appropriately safeguarding patient data as required under the Final Rule.

To fully manage cloud security risks, we recommend you go beyond business associate agreements and review the provider’s complete policies, procedures and processes. The business associate agreement should outline policies and procedures. Review a copy of your cloud provider’s independent HIPAA audit report, if they invested in one, and check that they’ve been audited against the OCR HIPAA Audit Protocol.

The good news: The iHT2 report presents data that indicates business associates are paying greater attention to data security. From 2009 to 2012, business associates were involved in 56 percent of large-scale data breaches of 500 records or more. In 2013, that number was reduced to just 10 percent of breaches.

The second suggested strategy deals directly with cloud security:

Choose your cloud provider and cloud type carefully. A cloud service provider should sign a BAA and be HIPAA compliant. Healthcare providers might find the public cloud enticing because of cost efficiencies, but a hybrid cloud might be preferable because it allows them to control their data.

The iHT2 report cites a HIMSS focus group of senior health IT executives that said they are “more comfortable using a private cloud” than a public cloud and were “more likely to store administrative data than clinical data in the cloud.”

The report also cites legal expert John DeGaspari recommending healthcare organizations wanting to use a cloud vendor should make sure the company has a comprehensive set of security procedures. At a minimum, DeGaspari says, the vendor should have third-party certification from an entity such as Services Organization Control (SOC) 2.

Online Tech — which is backed by independent HIPAA, PCI, SOC 2 and Safe Harbor audits — produced its own list of what to look for in a HIPAA cloud provider:

1. Encryption. Do they offer encryption of data at rest and in transit with their cloud solution? Or do you have to spend more time and resources to add another encryption service on top of their cloud to make it work? Encrypting data exempts you from the HIPAA Breach Notification Rule and keeps data confidential even if accessed.

2. HIPAA Report on Compliance (HROC). The final HIPAA rule says cloud providers are considered business associates. Wouldn’t you rather your cloud provider has already undergone a third-party audit of their services to ensure your data safety and compliance (and to save you the trouble of paying for another audit of your business associate)? Don’t just take their word for it – review a copy of their HIPAA audit report and check they’re audited against the OCR HIPAA Audit Protocol.

3. Business Associate Agreement (BAA). Check on their policies around data breach notification, data termination, data access and what services they provide that help you meet compliance.

4. Private clouds. A HIPAA compliant private cloud environment can give you dedicated compute, memory and disk performance, meaning your resources are always reserved for you when you need them. Some public cloud setups allocate resources to other tenants on a first-come, first-served basis, meaning you may be out of luck.

5. Disaster recovery and offsite backup. The HIPAA Contingency Plan standard requires covered entities to establish and implement a backup and full disaster recovery plan to recover systems that contain electronic protected health information (ePHI) – having one for the cloud ensures your data is always available regardless of a natural disaster.

Resources:
IHT2’s 10 Steps to Maintaining Data Privacy in a Changing Mobile World
Ponemon Institute’s Benchmark Study on Patient Privacy and Data Security