As more and more healthcare businesses migrate to the cloud, HIPAA compliance and security bubbles to the top of their list of concerns. That’s understandable because remaining compliant is a complex process — one that is difficult to navigate.
Even though HIPAA identifies cloud service providers as business associates, the responsibility of ensuring compliance falls most heavily on the shoulders of the healthcare organization. Many cloud service vendors are HIPAA-compliant, but it’s not always a default requirement — more like a check-box feature.
The trick is to find a cloud vendor with a different philosophy — one that takes a holistic approach to compliance instead of making it an add-on. At Lightcrest, HIPPA compliance is not a packaged service clients must tack on like it’s an afterthought. There is a deeper understanding, one that identifies the importance of security to a client’s reputation and the need to vigorously defend customer data.
A Little About HIPAA
If you work in healthcare, then you are no stranger to the Health Insurance Portability and Accountability Act. The goal of HIPAA is to ensure patient information remains private but without keeping the health system from functioning efficiently.
HIPAA defines certain elements of the healthcare industry as “covered entities,” meaning they must adhere to specific rules regarding cloud technology.
Covered entities include:
Organizations that provided a service to these covered entities, like Lightcrest, share some of the compliance responsibility as business associates, although to a much smaller extent.
A Little About Cloud Technology
By now, most business consumers understand the benefits of working in the cloud. Graham Winfrey with Inc. states nearly 80 percent of small U.S. businesses have made the move up to the cloud, based on a study conducted by consulting firm Emergent Research.
There are two key terms that confuse those new to cloud technology, though:
A private cloud is a single-tenant platform the allows the end-user to utilize computing and storage resources on-demand. A public cloud, on the other hand, is more like living in a tenement. You share that space with other customers, so it might be less secure. You are also competing for resources, so a public platform can have performance issues.
Ideally, you will look for a vendor that offers a private cloud infrastructure. Public vendors can be compliant, as well, but working in a private environment offers more security and better scalability. Products like Lightcrest’s Kahu, which is a software-defined data center product, helps make private servers more cost-effective than public offerings, as well.
Not all private clouds are HIPAA complaint, however; despite the more secure architecture. An effective business associate will work with healthcare clients to ensure compliance.
Making a Private Cloud Fully HIPAA Compliant
Passing a compliance audit is about implementing effective practices designed to reinforce the cloud environment and protect the sensitive records it holds. There are no hard and fast rules to maintaining compliance, but there are certain things an auditor will look for including a strong physical architecture.
An auditor will ask:
Where the data is kept and who has physical access to it?
How is old data removed and destroyed?
What are the security protocols for providing and removing access to the data?
Is there offsite backup and where is it kept?
An HIPAA auditor will want detailed information on who physically accesses the hardware and software, too. Your service provider should be ready to offer that information down to the second if requested. Lightcrest, for example, provides its clients with a time stamped log to show when their specialists access the technology.
The next step is to gain control over the logical architecture. There are an HIPAA mandates that require covered entities to have full control of their ePHI data, so no unauthorized personnel can access it. A private cloud is beneficial in securing ePHI data, giving you complete control over the security in your environment.
This level of security extends to backups, as well. The HIPAA auditor will look at the encryption of the data on a backup disk and what ciphers are used for it. They will want to know how strong the application-layer encryption is and how you are able to handle multiple DMZs.
Looking Beyond the Architecture
HIPAA mandates extend beyond the infrastructure. The auditor will request established documentation on procedures and controls in place to protect your data. Things like:
A risk register
Standard protocols for administering the cloud platform
An effective cloud service provider helps the client develop risk registers designed to meet the expectations of an HIPAA auditor and find ways to streamline the procedures to cut costs but stay in compliance.
Establishing Physical and Network Security
When you think security within a cloud environment, your mind automatically goes to network efforts, but physical surveillance is just as important. You need to know the cloud service provider have eyes on all hardware 24/7. Lightcrest has state-of-the-art Tier III and Tier IV data centers complete with biometric hand scanners, man traps and physical security to maintain control of the environment as required by HIPAA.
Their network security is just as impressive and setup to help their clients circumvent the difficult combination of effective performance and data protection. Cloud technology provides remote access from multiple entry points and potential compromise sites. Properly secured cloud controls are necessary. The HIPAA auditor will look for key features like encryption a rest, API-driven orchestration and SSH key management.
What does it take to make the cloud HIPAA compliant? For one thing, it takes a service provider with the governance necessary to assure every layer of your infrastructure meets that standard. You won’t get that from compliance as a service module. You need an HIPAA compliance built into the environment, not overlayed on top of it.
Contact us to find out more about creating a compliant and secure foundation using a private cloud to meet the mandates set by HIPAA and to protect the sensitive data entrusted to you by your patients.