The Lightcrest Blog

Let's talk about fluid computing, hyperconverged infrastructure, and hybrid cloud technology.

HIPAA Compliance On The Cloud 101

Last update on Dec. 16, 2016.

As more and more HIPAA covered entities move to the cloud for their healthcare service-related data, compliance becomes a growing concern. HIPAA mandates establish critical protections for individuals who entrust their sensitive information to healthcare organizations such as insurance companies or hospitals, known collectively as covered entities. The HIPAA safeguards are designed to respect the rights of individuals by protecting their personal data.

These covered entities, in turn, put their trust in a cloud service provider, or CSP, to help create, receive, maintain and transmit that data. The CSP is designated as a business associate and enters into a HIPAA-compliant agreement with the covered entity.

It all seems pretty straightforward from the outside looking in, but the truth is, there are many variables in the relationship between a covered entity and their CSP. For example, what is meant by compliance as a service? What are the risks in choosing a public cloud over a private one?

There are many such questions worth asking when you are first assessing the logistics of working in the cloud while remaining HIPAA compliant. Let’s break it down into more digestible pieces.

What Does It Mean to Be HIPAA Compliant?

The Health Insurance Portability and Accountability Act of 1996 and the HITECH Act of 2009 require health care providers to safeguard electronic protected health information, or ePHI.

Compliance is established via a third-party audit. An auditor comes in to evaluate the environment looking specifically at security issues such as backup management, data tracking and physical server surveillance.


HIPAA Compliance and the Public Cloud

As you shop for a CSP, you’ll notice they offer either a public or a private cloud, so what’s the difference? A public cloud is exactly what it sounds like: a multi-tenant infrastructure in which you share resources with other tenants.

While it might seem like a cost-cutting option, a public cloud is more expensive in part because it is trickier to stay HIPAA compliant. Public cloud service providers that offer HIPAA compliance work hard to provide the necessary security regimes, but it’s a costly venture.

HIPAA Compliance and the Private Cloud

A private cloud is a single-tenant infrastructure that puts you in control of all the storage and computing resources. A good example of this model in action is Lightcrest’s Kahu private cloud service. It offers dedicated Kahu hypervisors, a dedicated firewall pair, and redundant L2/L3 fabric.

In general, the private cloud is the better option when considering HIPAA compliance. It provides:

  • Enhanced security

  • More consistent performance

  • Superior information assurance

  • Lower costs

What Does a HIPAA Auditor Look For in a Cloud Infrastructure?

Since not all private clouds are compliant, it helps to understand the audit process. An auditor will look at critical elements of your infrastructure to determine if it meets the HIPAA mandates.

For example:

  • Physical architecture — The auditor will assess the data location and who has access to it there. What is the process for adding and removing personnel?

  • Logical architecture — The mandates require the covered entity to have full control of ePHI data. During an audit, the evaluator will look at protocols for restricting that data like preventing unauthorized staff from seeing it.

  • Management and administrative controls — The auditor will expect to see documented procedures and SOP information. A working risk register is an effective option, as well.

  • Physical controls — Physical controls refer to the security of the actual hardware and the software running on it. Does the data center have onsite surveillance, for instance, both internal and external? What type of onsite security features are in place? Biometric hand scanning?

  • Network controls — What network policies are there to prevent data breaches, both intentional and unintentional? Network security is often overlooked in favor of performance, but it serves as the first line of defense in an attack.

  • Cloud controls — If you are opting to work in the cloud, you need extra security controls in place to manage the multiple entry points that may serve as attack vectors.

  • Backup and Disaster Recovery — Business continuity if a disaster happens is one of the perks of cloud technology, but covered entities are still responsible for protecting backup data. Failing to do so would be a potential violation. The auditor will examine the security strategy for backup systems including physical and logical architecture.

Three Things You Need to Know about HIPAA Compliance and the Cloud

Deciding to move up to the cloud is a practical solution to many problems businesses face regarding data security and storage, but making the wrong choice can cost your business dearly. Here are some things you should know:

There is no such thing as a HIPAA certification from a CSP. You might see companies offering compliance certification or compliance as a service that requires you to pay extra, as if you were leveling up. Since compliance is based solely on a third-party audit, no company can “certify” it.

Some providers, like Lightcrest, conduct a series of validation exercises to assess control effectiveness layer by layer, maximizing your chance of a successful audit.

Your CSP contract must include a business associate agreement. The partnership between the covered entity and the business associate must be put into writing to comply with HIPAA requirements. That is not the same thing as compliance as a service, though. The best CSPs build compliance efforts into the infrastructure rather than selling them as an add-on feature.

Keep an eye out for bad cloud providers. What constitutes a bad provider? A compliance-as-a-service offering is certainly a warning sign, but there are other markers to look for, such as a lack of customer support.

Don’t be afraid to interview a potential CSP to ensure they understand the HIPAA compliance requirements fully. A few well-placed questions will go a long way to validating their service.

Are you looking for a CSP that offers a holistic compliance regime designed to give you the best chance of a successful HIPAA audit? Contact Lightcrest today to find out more about our Kahu clouds and how they can best service your business.