The Lightcrest Blog

Let's talk about fluid computing, hyperconverged infrastructure, and hybrid cloud technology.

Why You Should Be Wary of HIPAA Compliance As A Service

Last update on Dec. 30, 2016.

There are both financial and operating benefits to moving your healthcare-related services into the cloud, especially if you partner with the right service provider. One of the most difficult obstacles to conquer is how to remain HIPAA compliant if you make the change. Navigating HIPAA mandates is tricky enough, but some cloud service providers complicate it further by offering pre-packaged compliance as part of their service plan.

HIPAA Compliance as a Service is in itself a misnomer, because compliance is not a feature you can package and sell. It is built around the assessment of a third-party auditor and is not something a vendor can certify. Offering compliance as "a feature" is just another way for cloud providers to get more money for less value. Here are the reasons organizations should be wary of a service provider that offers "HIPAA compliance as a feature".

How Important is HIPAA Compliance?

Gilad Parann-Nissany with MedCity News explains that the HIPAA regulations are designed to ensure patient information remains secure and private without interfering with healthcare. The Health Insurance Portability and Accountability Act sets the standard for securing electronic records and protecting sensitive information to ensure that the physical, network and operational protocols work.

Compliance is about more than just following rules, though. Meeting these standards shows respect for your users and an understanding of the importance of protecting their sensitive data. For some cloud service providers, it is critical for a different reason: it gives them an upsell option that pads the bottom line.

Lightcrest sees the HIPAA compliance issue a little differently. Its holistic compliance regime is part of the infrastructure foundation it supplies to customers, not an add-on that costs extra. Lightcrest partners with the client working towards HIPAA compliance, instead of selling it like snake oil.

What’s Wrong with HIPAA Compliance as a Service?

The very concept of HIPAA compliance as a service is flawed, because it is not a tangible asset that one can sell. The reason HIPAA audits exist is to objectively analyze the environment and determine whether it meets the established standards. To offer compliance as a service suggests it is something you can lay over an existing environment so that it suddenly fits all the mandates.

You should not be looking to purchase an added feature, but instead to partner with a service provider that helps you to build a secure cloud infrastructure and maximize the likelihood that you will pass the HIPAA compliance audit with flying colors.


Things to Keep in Mind When Searching for a Cloud Service Provider

The responsibility for compliance lies almost entirely with the covered entities. The U.S. Department of Health & Human Services defines a covered entity as the individual, organization or agency required to protect the privacy and security of health information. A cloud service provider falls under the category of a business associate, so its responsibility for compliance is smaller.

With that in mind, businesses should look for a partner that understands what auditors expect and incorporates solutions into the fabric of the environment. You want to show the auditor how critical security is to your company, and your provider should be part of that process.

For example, an auditor will look closely at the physical architecture to determine where data is located and key attributes such as who has access to the data and how it is deleted. Lightcrest provides a time-stamped physical access log showing exactly when its specialists accessed the data, which supports the compliance case.

The HIPAA auditor is concerned with the logical architecture, as well. The covered entity has full control over ePHI data and is responsible for keeping it secure from unauthorized personnel, including any offsite backups. The auditor will need to know who has access to the backup environment and how that data is stored.

Lightcrest works to empower its customers, not charge them more for ambiguous add-ons. With technology like the Kahu Compute Fabric, you gain access to a private cloud with a single-tenant physical architecture designed to minimize the attack surface while maximizing application availability.

Before deploying the environment, Lightcrest coordinates validation exercises to improve the customer’s control and ensure data integrity and safety.

There is no extra feature necessary to maximize your ability to pass an audit. Lightcrest works to secure the environment layer by layer from the foundation up, instead of trying to add security on later. Once you pass that audit, Lightcrest will work with you to keep you in compliance by performing periodic validation assessments, updating the risk register and enhancing the environment to meet the changing needs of the business.

Before you sign up for any compliance-as-a-service option, give Lightcrest a call to find out more about Kahu and how it can lower costs while increasing efficiency.