
    10 Ways to Determine if Your Cloud Provider Is HIPAA Compliant

By Chris Preimesberger, March 11, 2016


      Confidence in cloud computing should continue to grow, particularly when cloud MSPs can clearly demonstrate the ways in which they are HIPAA-compliant.

2. Offers a Business Associate Agreement

      Before a cloud managed service provider (MSP) even attempts to attract health care customers, it must be able to provide a Business Associate Agreement (BAA) and have BAAs with its partners and cloud platforms. This makes the MSP subject to audits and accountable for data breaches or noncompliance fines. Establishing a BAA helps define and enforce responsibilities among cloud platforms, independent software vendors and MSPs so that health care companies can establish governance policies and incident-response plans.

3. Maintains Strict Certifications

Although there are no government-sponsored HIPAA compliance certifications that a cloud provider can earn, partners should still have their offerings audited against the HIPAA requirements by an independent party. Other certifications also signal strong security practices and can help health care organizations choose a cloud partner, including SSAE-16 (now SAS70 Type II), SOC 2 compliance and PCI DSS (Payment Card Industry Data Security Standard) Level 1 certification.

4. Provides Guaranteed Response Times in SLAs

      Within a service-level agreement, make sure a cloud provider indicates guaranteed response times. Infrastructure as a service (IaaS) cloud platforms offer response times of 24 hours or more, causing most health care companies to use an additional managed service partner to provide traditional monitoring and security services. Health care organizations need to guarantee that their partner’s NOC and security teams will respond to routine changes and to security threats in a timely manner so that, in the case of an incident, they can meet their obligations to the authorities.

5. Meets Data Encryption Standards

While HIPAA's security rule only requires encryption for data in transit, data should reasonably be encrypted everywhere by default, especially in the cloud. Read the terms of the cloud platform's BAA carefully: it may require you to encrypt data at rest, and you will need a managed service provider to help meet those requirements. Make sure the cloud platform and managed service partner guarantee at least AES-256 (Advanced Encryption Standard with a 256-bit key), the level enforced by federal agencies.
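What "AES-256 at rest" looks like in practice, as an added example that is not part of the article and not any provider's code: a Go program (standard library only) that seals a constructed PHI-like record with AES-256-GCM, binds it to a record identifier as additional authenticated data, and shows that a single flipped byte in the stored blob is rejected on decryption. The key-length check matters because a 16-byte key would silently give AES-128. The key generated in main is a stand-in; in a real deployment it would come from a KMS or HSM, which is an assumption of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeySize256 is the key length, in bytes, that selects AES-256.
// aes.NewCipher would accept 16 or 24 bytes too (AES-128/192), so we check explicitly.
const KeySize256 = 32

var ErrKeySize = errors.New("key must be 32 bytes (AES-256)")

// Encrypt seals plaintext with AES-256-GCM. The random 12-byte nonce is prepended
// to the returned blob; aad (e.g. a record id) is authenticated but not encrypted.
func Encrypt(key, plaintext, aad []byte) ([]byte, error) {
	if len(key) != KeySize256 {
		return nil, ErrKeySize
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to nonce, so the output is nonce || ct || tag.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Decrypt opens a blob produced by Encrypt. Any change to the nonce, ciphertext,
// tag or aad makes Open fail, so tampering with stored data is detected.
func Decrypt(key, blob, aad []byte) ([]byte, error) {
	if len(key) != KeySize256 {
		return nil, ErrKeySize
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], aad)
}

func main() {
	// Stand-in for a KMS/HSM-managed key (assumption of this example, never do this in production).
	key := make([]byte, KeySize256)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	// Constructed sample record; the identifier doubles as AAD so a blob cannot be
	// swapped into another patient's row without detection.
	record := []byte(`{"patient_id":"EXAMPLE-0001","dx":"J45.909"}`)
	aad := []byte("record:EXAMPLE-0001")

	blob, err := Encrypt(key, record, aad)
	if err != nil {
		panic(err)
	}
	plain, err := Decrypt(key, blob, aad)
	fmt.Printf("round trip ok: %v\n", err == nil && string(plain) == string(record))

	// Simulate corruption or tampering of the stored blob: flip one bit of the tag.
	blob[len(blob)-1] ^= 0x01
	_, err = Decrypt(key, blob, aad)
	fmt.Printf("tampered blob rejected: %v\n", err != nil)
}
```

Encrypting at rest this way answers two of the questions a BAA review raises: the key length is enforced in code rather than assumed, and integrity is checked on every read, so silent corruption of backups or storage is surfaced instead of returning garbage PHI.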

6. Provides Both Traditional IT and Cloud Expertise

      In our increasingly hybrid cloud world, organizations must maintain compliance across multiple clouds and multiple vendors. The governance of data transfer to and from the cloud is critical. If your organization is choosing an MSP for public cloud infrastructure, selecting a partner that has a long history of maintaining both physical data center resources and public cloud architectures is crucial. These partners will have the necessary skills and context to maintain complex, hybrid databases and inter-cloud networking from legacy health care applications to Amazon Web Services or a private cloud. This may be outside the skill set of so-called “born in the cloud” providers that have expertise in only public cloud.

7. Offers Ongoing Auditing and Reporting

      According to the HIPAA security rule, health care organizations must regularly audit their own environments for security threats. “Regularly” can mean anything, so health care organizations should ask their cloud platform providers how often audits are conducted. They also should ask vendors and other partners to conduct monthly or quarterly engineering reviews, biannual (or more frequent) third-party audits, regular access reports and regular reports from subcontractors.

8. Keeps Staffers Compliant Through Training and Refreshers

HIPAA is not just about a technical platform, but about the capability of partners to meet administrative requirements. Cloud providers must commit to training new employees and providing refresher training when appropriate to meet HIPAA standards. Health care organizations should ask prospective cloud providers specific questions to see which standards are being met, for example: How are employee access policies approved and maintained? How do you vet the employees who work on the environment? Also ask whether your MSP is willing to let you review its actual written policies.

9. Secures Physical Access to Servers

      Every large cloud platform maintains strong physical data center security standards that meet HIPAA standards, but investigating and auditing these practices is a first step for many health care organizations. For a private or hybrid cloud environment, there are global security standards for data centers to follow including ISO (International Organization for Standardization) 27001, SOC (Security Operations Center), FIPS (Federal Information Processing Services) 140-2, FISMA (Federal Information Security Management Act of 2002) and DoD (Department of Defense) CSM (Centralized Security Management) Levels 1-5. In the public cloud, you and your MSP are not controlling the physical data centers, so your logical access to the data is usually of greater focus.

10. Follows NIST Guidelines When Conducting Compliance Assessment

      Well-known in the industry, the National Institute of Standards and Technology (NIST) is a non-regulatory federal agency under the Department of Commerce that develops information security standards that set the minimum requirements for any IT system used by the federal government. NIST has released a guide to help prepare for, conduct, communicate and maintain a compliance assessment as well as identify and monitor specific risk factors. Cloud providers should be able to provide results from a compliance assessment, similar to the one NIST makes available. Ask your partners whether their compliance assessments are based on NIST 800-53 and 800-66.

11. Develops Disaster Recovery and Business Continuity Plan

      Last, but certainly not least, the HIPAA Contingency Plan requires a disaster recovery plan, which anticipates how natural disasters, security attacks and other events could impact systems that contain PHI (protected health information) and develops policies and procedures for responding to such situations. Health care organizations usually pay special attention to where a cloud partner’s backup data is hosted, what business continuity plan is in place and how often the disaster-recovery plan is tested. Ask whether your MSP can assist with both a production and disaster-recovery environment and whether their emergency operating plan covers not only public cloud failures, but also emergencies in their own offices.
