Since the Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996, there have been notable advances in protecting the privacy of patient information handled by health plans, healthcare clearinghouses and certain types of healthcare providers. Unfortunately for patients and providers, technology, and in particular the cloud with its scalability, cost-efficiency and flexibility, has continued to outpace legislation.
While the cloud makes file storage and sharing convenient, its security risks were significant enough to help prompt the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. HITECH extends HIPAA obligations directly to any service provider with access to protected health information (PHI), including subcontractors that create, receive, maintain or transmit PHI on behalf of a business associate. Cloud providers fall squarely into that category.
This is serious business. The U.S. Department of Health & Human Services (www.hhs.gov) enforces HIPAA. HHS reported that in early 2018, Fresenius Medical Care North America agreed to pay $3.5 million to settle potential HIPAA violations. Moreover, in late 2017, 21st Century Oncology settled with HHS for $2.3 million. Declaring bankruptcy does not let an organization skirt a non-compliance settlement: 21st Century Oncology had filed for bankruptcy earlier that year.
It is evident that HIPAA-HITECH firmly regulates how the healthcare industry collects, stores, communicates and transmits protected health information. For healthcare organizations, compliance can be a major concern when deciding what to look for in a cloud-storage service provider.
HIPAA places additional requirements on protecting electronic PHI (ePHI), specifically the Security Rule's data backup and disaster recovery specifications, which require:
These requirements can be a significant burden on backup admins and disaster recovery managers. Many of them choose to invest in HIPAA-compliant backup as a service (BaaS) and disaster recovery as a service (DRaaS) to simplify and improve HIPAA compliance. (It doesn't hurt that organizations can also save money on capital purchases and high operational expenses.)
However, watch out: many cloud service providers (CSPs) will say that they are HIPAA compliant, but does that mean they automatically meet your compliance needs? Maybe, maybe not. When a CSP says it is HIPAA-HITECH compliant, that primarily means its data centers comply with facility and digital security regulations. Your compliance, however, goes well beyond compliant infrastructure and encryption.
The Covered Entity (that would be you) and Business Associate (that would be your cloud provider) sign Business Associate Agreements (BAA) that align your partnership with HIPAA requirements. If the CSP is only willing to sign their boilerplate BAA, that may not be enough for your needs. Does your provider offer a detailed assessment of compliance gaps? Are they willing to customize SLAs in addition to signing the BAA? Also review the service provider’s HIPAA-HITECH compliance record as well as their availability, security, and performance metrics.
Encrypting your cloud data is not just a way to keep attackers from reading it; depending on the data in question, it is likely a requirement under privacy and industry rules such as HIPAA, PCI DSS, FINRA regulations and, soon, GDPR. One practical obstacle is the scarcity of CSPs that follow security best practices, let alone the regulations that call for data at rest to be encrypted wherever it resides. You guessed it: one of the challenges of implementing encryption at rest is that many popular SaaS applications and large cloud providers do not encrypt your data while it is at rest.
"Only 9.4% of cloud providers encrypt data once it's stored at rest in the cloud, leaving it vulnerable to unauthorized access and data breaches." - Source: Skyhigh Networks
Since adherence to regulations calling for encryption of data at rest in the cloud lies at the feet of the customer, not the cloud provider, it is wise to conduct your due diligence. If you are unsure what form of encryption is protecting your regulated cloud data, don’t hesitate to contact your cloud provider. Go ahead and make the call to ask what sorts of encryption they provide, if any, for cloud-based data protection. Ultimately, you are the one left holding the compliance bag.
Storing sensitive data at rest in the cloud can bring inherent risks specific to cloud deployments. Cloud data at rest risks can include:
KeepItSafe Cloud Backup encrypts data before it leaves the customer premises. Sensitive data is therefore protected both in flight and at rest, and it can only be decrypted by the same entity that encrypted it in the first place. Using best-of-breed secure and agentless data protection platforms, we custom-build solutions that encrypt data in flight and at rest with AES-256. All cloud data is stored in our secure cloud vaults, so it cannot be read even if an unauthorized party gains access to the stored copy.
KeepItSafe cloud backup and recovery provides HIPAA-compliant data protection for our Covered Entity customers. No boilerplate SLAs or minimal requirements with us. We start by offering a free assessment of your current HIPAA-HITECH compliance levels for backup, encryption, testing and DR processes. After the assessment you can use our recommendations or work with us to customize a comprehensive data protection strategy.
If you decide to go with us, your dedicated account manager will work with you to sign a Business Associate Agreement. Then we will swing into action with an automated backup and recovery plan customized for you. Our policies and procedures are tuned to your environment and your needs, ensuring that ePHI under your watch is always protected. And whenever you need help, we'll be there.
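The property described above, that the backup is encrypted before it leaves the premises and can only be decrypted by the party that holds the key, is easy to check in code. The following is an added example written for this page, not KeepItSafe's own software: it seals a constructed sample record with AES-256-GCM under a customer-held key, stores only the resulting blob in a stand-in for the provider's vault, and shows that the vault cannot recover the PHI by inspection and that any tampering with the stored object, use of a different key, or renaming of the object is detected on restore. The object names and the sample record are made up for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyLen is the AES-256 key size in bytes.
const KeyLen = 32

// NewBackupKey returns a fresh random AES-256 key. The key is generated and
// kept on the customer side (HSM, KMS, or passphrase-derived); it is never
// uploaded with the backup, so the provider holds only opaque bytes.
func NewBackupKey() ([]byte, error) {
	key := make([]byte, KeyLen)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts one backup payload with AES-256-GCM before it leaves the
// premises. Output layout: nonce || ciphertext || GCM tag. The object name is
// bound as associated data, so a blob copied under another name fails to open.
func Seal(key, plaintext []byte, objectName string) ([]byte, error) {
	if len(key) != KeyLen {
		return nil, errors.New("seal: AES-256 needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// Fresh random nonce per object; a nonce must never repeat under one key.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(objectName)), nil
}

// Open reverses Seal. Any change to the nonce, ciphertext, tag or object name,
// or use of a different key, makes GCM authentication fail and returns an error.
func Open(key, blob []byte, objectName string) ([]byte, error) {
	if len(key) != KeyLen {
		return nil, errors.New("open: AES-256 needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("open: blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(objectName))
}

// Vault models the provider-side store: it sees only sealed blobs.
type Vault map[string][]byte

// Exposes reports whether the stored blob for name reveals record in clear,
// i.e. whether someone reading the vault could find the PHI by inspection.
func (v Vault) Exposes(name string, record []byte) bool {
	return bytes.Contains(v[name], record)
}

func main() {
	key, err := NewBackupKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record standing in for ePHI inside a backup set.
	record := []byte("patient=Jane Doe;mrn=000123;dx=E11.9")
	const name = "backups/2018-03-01/ehr.tar"
	blob, err := Seal(key, record, name)
	if err != nil {
		panic(err)
	}
	vault := Vault{name: blob}
	fmt.Println("vault can read PHI:", vault.Exposes(name, []byte("Jane Doe")))
	blob[len(blob)-1] ^= 0x01 // simulate corruption or tampering of the stored object
	_, err = Open(key, blob, name)
	fmt.Println("tampered blob restores:", err == nil)
}
```

The point to take from the example is that "encrypted at rest" only protects you from the provider's side if the key lives with you: a provider that encrypts with keys it controls can still produce plaintext on demand, which is exactly the case the due-diligence questions above are meant to surface.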
| HIPAA Requirements | KeepItSafe Response |
| --- | --- |
| Technical Safeguards | We offer ISO 27001 certification, AES-256 encryption, and a full data protection suite customized to your backup and compliance needs. |
| Physical Safeguards | Multiple Tier 4 data centers provide off-site backup with geographically redundant protection. Our highly trained and certified engineers give you 24/7 live support. |
| Administrative Safeguards | We purpose-built our policies and procedures to protect ePHI and provide intensive HIPAA training to all our employees and partners. We consult with our CE customers and sign compliant BAAs. |
Organizations can get creative with some IT regulations. With the increasing enforcement of HIPAA-HITECH, the ease with which a Covered Entity can accidentally violate one of the many requirements that touch cloud backup becomes a potential make-or-break issue. Complying with HIPAA is not an invitation for cloud backup creativity; you should toe the compliance line, and the right cloud partner makes that easy. Contact KeepItSafe for your free assessment and get in compliance now.