HIPAA Compliance in the Cloud: Q&A

All companies handling personal health information (PHI) are required to comply with HIPAA regulations. These laws are important, yet complex. Confusion has ensued in healthcare businesses, who wish to understand what their obligations are. As more companies migrate to cloud computing, many new questions arise. Here, we answer some of the most frequent questions regarding HIPAA compliance and cloud security:

What is the purpose of HIPAA?

HIPAA regulations ensure that individual patient information remains private, while allowing the health system to function. PHI should not be available to anyone who doesn’t need the information, yet it should be available and usable to those who do legitimately need it – such as caregivers. Thus, patients can receive good medical care without compromising their right to privacy.

What is a Covered Entity?

HIPAA sets rules for “Covered Entities.” In simple terms, these are the organizations that provide healthcare. They may, for example, be health care providers (doctors, clinics, hospitals, etc.) or health plans (insurers, HMOs, health programs, etc.).

What is a Business Associate?

Covered entities often engage other businesses, known as business associates, to help them carry out their healthcare activities and functions. HIPAA defines rules for these business associates as well.

The covered entity must have a written business associate contract or other arrangement with the business associate that establishes specifically what the business associate has been engaged to do and requires the business associate to protect the privacy and security of health information. In addition to these contractual obligations, business associates are directly liable under HIPAA for compliance with certain provisions of the rules.

The latest updates to HIPAA extend the Business Associate definition to cloud service providers and other hosting providers used in the health industry.

What are the advantages of securing data in the cloud?

There are many good business reasons to use the cloud for managing healthcare applications and data. They include flexible infrastructure and a pay-as-you-go economic model. Taking advantage of these benefits, while meeting regulations, requires proper security for your cloud deployment.

This task is no more daunting than securing data in a traditional physical data center. In fact, if you have chosen a good cloud provider, much of it may already have been done for you. Just as in the “old” physical world, you should check that your cloud provider does a good job of security, reviewing its documentation and practices; and you should also study best practices for using the cloud securely.

One new area where you should devote time and attention is the stronger emphasis on encryption, and on management of the encryption keys, in the cloud.

If you do this properly, you will actually have a HIPAA-compliant solution which is much more flexible and cost effective, with less effort.

Does all data in the cloud need to be encrypted?

HIPAA does not require cloud encryption, but it is strongly suggested. The best way to ensure data security – when in use, in transit or in storage – is with encryption. Additionally, companies that have encrypted their data can claim “Safe Harbor” if a security problem occurs. To enable organizations to minimize the risk of both data loss and the need to report, the HIPAA guidelines specify technologies that render data unreadable and unusable. If those technologies are implemented, the organization can usually claim to have achieved a “safe harbor,” thus freeing the organization from the obligation of reporting the breach.

Should backups be encrypted as well?

Any storage medium which contains private information about patients needs to be secured. This includes backups and snapshots.

What is the best method of cloud encryption?

As a first step, use strong encryption for your data – the standard is AES-256.

Secondly, take good care of your encryption keys. Encryption is worthless if the hacker gets hold of the encryption keys. The best practice is to keep ownership of encryption keys completely to yourself – it is the one thing you do not want to share with your cloud provider.

The most secure method of protecting encryption keys is split-key encryption with homomorphic key management. This is a state-of-the-art solution for securing your keys so they remain in the hands of your company and are not available even to the cloud provider. Even if security is breached, the data will not be readable by anyone outside the company, and you are likely to enjoy Safe Harbor rules.

Do good Cloud Providers and Cloud Encryption cover all bases?

Technology is critical, but people are no less important. Your employees must be trained to use technology properly and processes must be put in place for the handling of private patient information.

Procedures are also important. These range from how you handle suspected breaches to the use of strong passwords.

And in HIPAA, everything you do must also be documented. This is onerous, but you cannot escape it.

Further reading

Educate yourself about the steps to HIPAA compliance by reading the official Security Rule Guidance Material. To make it simpler, Porticor has created a summary: HIPAA and the Cloud: Securing Patient Data.