By Steven Freidkin, Founder and CEO of Ntiva, a Managed Safety Providers Supplier (MSSP) specializing in cybersecurity and compliance.
In terms of transferring their information to the cloud, some healthcare organizations may be understandably reluctant. Retaining affected person information safe and sustaining a laundry checklist of HIPAA laws are among the many chief considerations as cyber threats proceed to rise.
However attaining HIPAA compliance within the cloud is effectively throughout the grasp of all healthcare organizations. If the chosen cloud supplier has a sturdy safety framework and follows constant monitoring protocols, then all the key constructing blocks of HIPAA compliance are in place.
This framework will likely be outlined within the all-important Enterprise Affiliate Settlement (BAA). This written settlement will maintain your group safe and on the suitable aspect of the regulation by confirming protocols resembling two-factor authentication and end-to-end encryption along with your cloud supplier.
Although many healthcare groups have but to totally decide to the cloud, it’s estimated that 35 p.c of healthcare firms are utilizing the cloud to retailer greater than half of their information. That’s a quantity that’s solely set to extend given the benefit, comfort and value financial savings offered by the cloud.
So on this article I’ll run by way of a few of the key issues relating to making certain HIPAA compliance on the cloud.
Establishing a BAA
The BAA is without doubt one of the most important facets of your due diligence of cloud suppliers. Any cloud supplier that may’t present a BAA or reveals unwillingness to have interaction with this course of will have to be excluded from the choice course of, as this settlement units the situations to which a cloud associate can use and work together with affected person information.
By codifying particular safety protocols – like recording who accesses affected person information and establishing a notification system in case of a cyberattack – this settlement makes it clear your cloud supplier will adjust to the Safety Rule, Privateness Rule and Breach Notification Rule set by HIPAA. These are all required to maintain affected person medical information protected.
A good cloud supplier with demonstrable HIPAA expertise can simplify onboarding by offering recommendation and steering when establishing a BAA. Nonetheless, healthcare organizations ought to nonetheless use their very own authorized and compliance counsel throughout this course of, to make sure the settlement offers all needed protection.
Confidence when establishing a BAA with a cloud supplier is usually enhanced by the very fact there are a number of family names to select from within the market of HIPAA-compliant cloud options, resembling Amazon Internet Providers.
And although these options have gotten extra prevalent, adopting one among these cloud providers will put a medical group on the forefront, as an estimated 70 p.c of the healthcare market will not be HIPAA compliant, in response to the Division of Well being.
Implementing Safety Protocols
The BAA enshrines the cloud safety protocols that the cloud supplier should adhere to, in an effort to preserve HIPAA compliance. As soon as the settlement goes dwell, the cloud supplier should put these provisions into apply. These will embody two-factor authentication and end-to-end encryption.
These safety and privateness controls make it in order that anybody who tries to entry affected person information will likely be required to log in through two or extra methods, one among which is able to often be receiving a textual content or e-mail code. Encryption is one other must-have, as healthcare suppliers want to make sure all affected person medical information is encrypted when being processed and saved within the cloud.
HIPAA additionally requires a healthcare group and its cloud supplier to institute entry controls, which incorporates making certain solely pre-authorized customers have login credentials, and that customers can solely entry or modify information in step with their job necessities.
As well as, cloud suppliers should additionally file and retailer entry logs to affected person information, in an effort to guarantee there may be an audit path of each worker who has entry to this information.
These safety protocols should in place always to make sure HIPAA compliance and decrease the danger of a knowledge breach,
Establishing a Monitoring Routine
The ultimate ingredient of HIPAA compliance with cloud suppliers, after establishing a BAA and implementing safety protocols, is to determine a monitoring routine. Monitoring must be performed by each the healthcare group and the cloud supplier.
On the cloud supplier’s aspect, they should have 24/7 risk detection, run common danger assessments and conduct proactive cyber safety testing, resembling penetration checks. They need to additionally be capable of present proof of those actions, resembling penetration check certificates from the third social gathering that conducts this on their behalf. What’s extra, they need to be capable of present proof of the safety patches they’re putting in every month and the threats these are defending towards.
Additionally, cloud suppliers are obligated to inform their healthcare associate anytime there’s a information breach and that group, by regulation, should notify the Division of Well being. Many cloud options at present available on the market could have preset triggers that provide automated notifications that instantly alert a corporation of an assault, permitting the 2 events to work collectively to swiftly analyze the size of the assault and decrease any further dangers.
On the healthcare group’s aspect, they have to guarantee satisfactory monitoring of staff’ entry to affected person information saved on the cloud platform. This consists of making certain every worker has the right entry stage for his or her job position and making certain that worker entry is revoked as quickly as they cease working for the group.
The ONC and OCR present a Safety Threat Evaluation (SRA) device that healthcare organizations can use when designing a danger evaluation that conforms to HIPAA compliance.
The Backside Line
HIPAA compliance and the cloud finally comes all the way down to the cloud supplier you select and the provisions set out within the BAA. Selecting a cloud associate with demonstrable HIPAA expertise is the surest solution to set your self up on the suitable path. Pairing this with acceptable authorized and compliance counsel in your aspect will allow you to have full confidence that your cloud resolution and monitoring routine will keep on the suitable aspect of HIPAA compliance.