HIPAA & Cloud Compliance – A Growing Relationship
The healthcare industry has been flooded, overwhelmed, and exhausted over the last 15 months. COVID-19 has stretched hospitals, clinics, and private medical offices to their limits trying to treat and mitigate the virus. However, simultaneously, the healthcare industry has been fighting another pandemic — cybersecurity attacks. While inundated with global health concerns, healthcare networks around the world have been quietly getting hit with digital attacks. This issue raises the question, how is the healthcare industry supposed to put patient care first if their security is being compromised?
During the COVID-19 pandemic, cybersecurity attacks on the healthcare industry doubled, with 28 percent of targeted attacks being ransomware focused. This dramatic uptick in attacks was the result of cybercriminals taking advantage of an already vulnerable industry. Multiple well-regarded studies, including one published by Oxford University Press, have shown that these attacks constitute an “urgent threat to global health.” Over the past year, extremely sensitive data has been created and stored by healthcare institutions, including patient health information (PHI), data relating to COVID-19 vaccine development, pandemic modeling, and information on experimental therapeutics. Protecting information like this is critical to the industry’s overall security, but it is also federal law.
The Health Insurance Portability and Accountability Act (HIPAA) is legislation that was signed into law in 1996 which, “Required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.” Upholding HIPAA compliance has been a focal point that healthcare institutions have been attempting to master throughout the changing landscape of data collection. By now, most major healthcare networks and institutions are using cloud computing for all their data storage and capture which has opened new doors to convenience, accessibility, and enhanced security — but it needs to be utilized correctly.
The Health and Human Services Department (HHS) has released guidance on the relationship between HIPAA and cloud computing. In that guidance, HHS addresses common questions and mandatory regulations to ensure that privacy isn’t broken and breaches are reduced to their lowest probability. With the healthcare industry’s increasing reliance on the benefits of cloud computing, there is a deepening relationship between HIPAA compliance and cloud compliance.
Even though the HHS has given the go-ahead for cloud computing, it has made clear that HIPAA covered entities and business associates are permitted to use cloud computing to store and process PHI only if they have a Business Associate Agreement (BAA) with the Cloud Service Provider (CSP). This agreement makes the CSP responsible for safeguarding PHI in compliance with the HIPAA Security Rule.
Here are the five critical steps laid out by the HHS regarding cloud computing and HIPAA compliance, and what constitutes a compliant relationship:
- Sign a Business Associate Agreement – This requires the business associate/CSP to appropriately safeguard PHI, and other data.
- Conduct a HIPAA Security Risk Analysis – The covered entity that engages a CSP vets and documents the cloud computing environment and the security solutions offered by the CSP.
- Comply with the HIPAA Privacy Rule – A business associate may only use and disclose PHI as permitted by the BAA and the HIPAA Privacy Rule.
- Put in Place HIPAA Security Rule Safeguards – A business associate must comply with the applicable standards and implementation specifications of the security rule with respect to PHI.
- Adhere to the HIPAA Breach Notification Rule – Covered entities and business associates are directly liable if they fail to safeguard PHI in accordance with the security rule, and a CSP is obligated to notify immediately upon discovery if a data breach has occurred.
This puts a large amount of responsibility on CSPs like Amazon AWS, Google Cloud, and Microsoft Azure to ensure that their cloud compliance is aligned with HIPAA standards. That being said, meeting and securing HIPAA and cloud compliance is a team effort between the CSP and the customer. It requires the health institution to practice healthy digital hygiene to best reduce the risk of network compromise or breach. Such hygiene includes actions like using two-factor authentication, implementing strong passwords, being able to recognize phishing communications, and more. A healthcare institution’s CISO and/or IT department should have a list of do’s and don’ts regarding best cybersecurity practices.
For any healthcare institution, it is imperative to vet CSPs and understand their solutions, encryption, and offerings. HIPAA violations are based on the level of negligence and can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for violations of an identical provision. The potential financial burden makes it a serious decision for healthcare networks to decide who to entrust their data with. Not every CSP is right for every healthcare institution. Here are some areas to examine when looking at CSPs:
- Risk Assessment: Does your provider meet all of your HIPAA protocols?
- Business Associate Agreements: Does the cloud provider understand the need to backup data, protect the integrity of the information, and have it available 24/7?
- Encryption Standards: What form of encryption do they use? Your CSP should use a minimum of 128-bit encryption and encrypt all files both in transit and at rest (in storage).
- Logging: Can your CSP accurately track who accessed what files when and where?
- Access Levels: Can your provider allow you to designate access levels for information?
- Audit Report: Will your CSP produce an annual HIPAA audit report that you can internally review?
As the healthcare industry continues to evolve throughout the COVID-19 pandemic and enters a new era of medicine, cybersecurity will only become a bigger issue facing every healthcare system. HIPAA compliance is a necessary law that protects the wellbeing of healthcare patients, while also working to elevate the security that CSPs provide — over 20 years after the bill was signed into law. With the healthcare industry being one of the biggest economic sectors, we can expect to see HIPAA compliance and cloud compliance continue to grow closer together in standards and objectives in the decade ahead.
If you’re looking for more guidance on how to move your cybersecurity program forward, Cyber Defense Group can help. We are shifting the cybersecurity consulting paradigm to address the needs of mid-market, cloud-native or cloud-reliant companies who are experiencing rapid growth.
Founded in 2016 by global security expert Lou Rabon, our nimble team draws on decades of experience and diverse technical expertise to deliver a full spectrum of information security advisory and implementation services on a fixed-cost basis. Our right-sized, results-driven approach will help you meet your immediate needs, but also ready you to navigate what’s ahead. Get in touch, and see what results are possible for your organization.