10 Ways to Determine if Your Cloud Provider Is HIPAA Compliant
By Chris Preimesberger  |  Posted 2016-03-11

Confidence in cloud computing should continue to grow, particularly when cloud MSPs can clearly demonstrate the ways in which they are HIPAA-compliant.

Offers a Business Associate Agreement

Before a cloud managed service provider (MSP) even attempts to attract health care customers, it must be able to provide a Business Associate Agreement (BAA) and have BAAs with its partners and cloud platforms. This makes the MSP subject to audits and accountable for data breaches or noncompliance fines. Establishing a BAA helps define and enforce responsibilities among cloud platforms, independent software vendors and MSPs so that health care companies can establish governance policies and incident-response plans.

Maintains Strict Certifications

Given there are no government-sponsored certifications for HIPAA compliance that a cloud provider can earn, partners still should have their offerings audited against the HIPAA requirements by an independent party. There also are other certifications that signal strong security practices and can help health care organizations when choosing a cloud partner, including SSAE-16 (now SAS70 Type II), SOC 2 Compliance and PCI DSS (Payment Card Industry Data Security Standard) Level 1 Certification.

Provides Guaranteed Response Times in SLAs

Within a service-level agreement, make sure a cloud provider indicates guaranteed response times. Infrastructure as a service (IaaS) cloud platforms offer response times of 24 hours or more, causing most health care companies to use an additional managed service partner to provide traditional monitoring and security services. Health care organizations need to guarantee that their partner's NOC and security teams will respond to routine changes and to security threats in a timely manner so that, in the case of an incident, they can meet their obligations to the authorities.

Meets Data Encryption Standards

While HIPAA's security rule only requires encryption for data in transit, data should reasonably be encrypted everywhere by default, especially in the cloud. Read the terms of the cloud platform BAA carefully because it may require users to encrypt data at rest, and you need a managed service provider to help meet these requirements. Make sure the cloud platform and managed service partner guarantee at least AES (Advanced Encryption Standard) 256 encryption, the level enforced by federal agencies.

Provides Both Traditional IT and Cloud Expertise

In our increasingly hybrid cloud world, organizations must maintain compliance across multiple clouds and multiple vendors. The governance of data transfer to and from the cloud is critical. If your organization is choosing an MSP for public cloud infrastructure, selecting a partner that has a long history of maintaining both physical data center resources and public cloud architectures is crucial. These partners will have the necessary skills and context to maintain complex, hybrid databases and inter-cloud networking from legacy health care applications to Amazon Web Services or a private cloud. This may be outside the skill set of so-called "born in the cloud" providers that have expertise in only public cloud.

Offers Ongoing Auditing and Reporting

According to the HIPAA security rule, health care organizations must regularly audit their own environments for security threats. "Regularly" can mean anything, so health care organizations should ask their cloud platform providers how often audits are conducted. They also should ask vendors and other partners to conduct monthly or quarterly engineering reviews, biannual (or more frequent) third-party audits, regular access reports and regular reports from subcontractors.

Keeps Staffers Compliant Through Training and Refreshers

HIPAA is not just about a technical platform, but about the capability of partners to meet administrative requirements. Cloud providers must maintain a commitment to health care organizations to train new employees and provide refresher trainings when appropriate to meet HIPAA standards. Health care organizations should ask prospective cloud providers certain questions to see what standards are being met. These include: How are employee access policies approved and maintained? How do you vet the employees who are working on the environment? Ask if your MSP is willing to let you review actual written policies.

Secures Physical Access to Servers

Every large cloud platform maintains strong physical data center security standards that meet HIPAA standards, but investigating and auditing these practices is a first step for many health care organizations. For a private or hybrid cloud environment, there are global security standards for data centers to follow including ISO (International Organization for Standardization) 27001, SOC (Security Operations Center), FIPS (Federal Information Processing Services) 140-2, FISMA (Federal Information Security Management Act of 2002) and DoD (Department of Defense) CSM (Centralized Security Management) Levels 1-5. In the public cloud, you and your MSP are not controlling the physical data centers, so your logical access to the data is usually of greater focus.

Follows NIST Guidelines When Conducting Compliance Assessment

Well-known in the industry, the National Institute of Standards and Technology (NIST) is a non-regulatory federal agency under the Department of Commerce that develops information security standards that set the minimum requirements for any IT system used by the federal government. NIST has released a guide to help prepare for, conduct, communicate and maintain a compliance assessment as well as identify and monitor specific risk factors. Cloud providers should be able to provide results from a compliance assessment, similar to the one NIST makes available. Ask your partners whether their compliance assessments are based on NIST 800-53 and 800-66.

Develops Disaster Recovery and Business Continuity Plan

Last, but certainly not least, the HIPAA Contingency Plan requires a disaster recovery plan, which anticipates how natural disasters, security attacks and other events could impact systems that contain PHI (protected health information) and develops policies and procedures for responding to such situations. Health care organizations usually pay special attention to where a cloud partner's backup data is hosted, what business continuity plan is in place and how often the disaster-recovery plan is tested. Ask whether your MSP can assist with both a production and disaster-recovery environment and whether their emergency operating plan covers not only public cloud failures, but also emergencies in their own offices.

While HIPAA (Health Insurance Portability and Accountability Act of 1996) and HITECH (Health Information Technology for Economic and Clinical Health Act of 2009) establish standards to protect electronic health care records and transactions, many health care organizations have yet to realize exactly how much new technologies, specifically cloud computing, will impact standards and the medical field. According to researcher IDC, both comfort levels and budgets are growing around cloud adoption: 41.5 percent and 40 percent, respectively. However, confidence in the cloud will continue to rise only when health care organizations can easily confirm that their cloud partners—namely, providers of cloud platforms and managed services—are HIPAA-compliant. This eWEEK slide show, using industry perspective from IDC and Stephanie Tayengco, senior vice president of operations at Logicworks, offers insight on what health care organizations should ask cloud providers to see if they meet HIPAA compliance standards.