By Gilad Parann-Nissany
February 3, 2015 12:00 PM EST

Healthcare businesses are adopting cloud computing in record numbers because of the cost-efficiency, scalability, and flexibility it offers. According to a report by Accenture, nearly one-third of healthcare sector decision makers said they are using cloud applications, and 73% said they are planning to move more applications to the cloud. When considering cloud computing for personal health information, healthcare businesses must be aware of what HIPAA compliance means in the cloud.
1. Strive to achieve “Safe Harbor”
Safe Harbor is a provision of HIPAA’s Final Breach Notification Rule, which kicks in when a breach occurs. Notification obligations apply only to “unsecured” Protected Health Information (PHI); PHI that has been encrypted in line with HHS guidance counts as secured, so a “covered entity” (following a breach risk assessment) can determine that PHI was not disclosed. Encryption of PHI is therefore the primary way to achieve Safe Harbor, with one caveat: the safe harbor only holds if the encryption key was not compromised along with the data.
If a breach occurs and the risk assessment finds that the PHI was encrypted and the keys stayed out of the attacker’s hands, the covered entity will not be exposed to onerous reporting requirements; in particular, it will not need to notify every single affected patient, which saves cost and reputation. Additionally, painful fines are likely to be avoided.
2. Encryption is only part of the solution
Strong data encryption, such as AES-256, is critical to HIPAA compliance in the cloud, but it is not the whole of the necessary cloud security. Encryption is only as strong as the management of its keys: if a key is stored beside the ciphertext, or is readable by whoever can read the ciphertext, a breach of the storage is a breach of the data, and no Safe Harbor applies. Strong encryption must be coupled with strong encryption key management in order to be effective.
3. Backups and snapshots must be secured
You need to properly secure any storage medium that contains protected health information about patients. This includes backups and snapshots: a snapshot or backup is a full copy of the data and must be protected with the same encryption and access controls as the live volume, or it becomes the easiest copy to steal.
4. Business Associate Agreements (BAAs) and liability
If a company you do business with (for example, a payment processor) has a data breach and ePHI is compromised, you could be liable too. Companies you share ePHI with must sign a BAA, but signing one does not eliminate your own potential liability.
5. Monitor data access
According to TechTarget’s SearchHealthIT, you must monitor who has access to your data. “In order to ensure data is protected adequately, cloud providers implement advanced firewalls and intrusion detection systems that can help detect and prevent hackers from accessing their clients’ sensitive data.” Provider-side controls do not replace your own access logging: the HIPAA Security Rule requires audit controls, so keep an audit trail of who read or changed ePHI, including administrators and service accounts.
6. Employee training is a necessity
In addition to formal annual training, make sure you provide a constant stream of information and security awareness to train employees about their HIPAA compliance responsibilities. Use diverse methods to garner staff attention: posters, letters, memos, web based training, meetings, and promotions.
7. Policies and notices may need to be updated
Whenever the HIPAA rules change and/or your systems change, re-evaluate your policies and privacy notices as they will likely need to be updated and redistributed to patients.
8. Mobile devices and apps
All mobile devices and apps that are used by healthcare professionals must comply with HIPAA rules and regulations. Conduct a risk analysis to identify potential threats and vulnerabilities to ePHI, and implement a mitigation plan to address the gaps. Encrypt ePHI at rest on the device and in transit between the app and its backend, and always require strong user authentication to prevent data theft or inappropriate access from a lost or shared device.
9. Cloud storage can be made HIPAA compliant
Most cloud storage options are not HIPAA compliant “out of the box.” One reason is that many cloud storage solutions offer encryption but require access to the encryption keys in order to provide it, which puts the keys in the same hands as the ciphertext. To maintain compliance and achieve Safe Harbor, use a solution such as split key encryption that ensures you retain ownership and control of the encryption keys.
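To make items 2 and 9 concrete, here is an added example (not Porticor’s code, and not a description of its product) of the split-key idea: the AES-256 data key is never stored whole, but exists only as two shares, one kept by the covered entity and one allowed to live in the cloud beside the ciphertext. The sharing used here is a plain 2-of-2 XOR split, chosen as an illustration rather than as the page’s own algorithm; the patient record and its identifier are constructed sample data. The point the code makes is the one from item 1: whoever breaches the cloud store obtains the ciphertext and the cloud share, and AES-GCM rejects that share alone as a wrong key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// keySize is 32 bytes: AES-256, the strength the article names.
const keySize = 32

// SplitKey holds the two shares of a 2-of-2 XOR secret sharing of a
// data-encryption key. Either share on its own is a uniformly random
// string and reveals nothing about the key.
type SplitKey struct {
	CustomerShare []byte // held by the covered entity, never stored in the cloud
	CloudShare    []byte // may sit next to the ciphertext in the cloud
}

// NewSplitKey draws a random key, then splits it so that
// key = CustomerShare XOR CloudShare. The whole key is not retained.
func NewSplitKey() (SplitKey, error) {
	key := make([]byte, keySize)
	if _, err := rand.Read(key); err != nil {
		return SplitKey{}, err
	}
	customer := make([]byte, keySize)
	if _, err := rand.Read(customer); err != nil {
		return SplitKey{}, err
	}
	cloud := make([]byte, keySize)
	for i := range key {
		cloud[i] = key[i] ^ customer[i]
	}
	return SplitKey{CustomerShare: customer, CloudShare: cloud}, nil
}

// Combine reconstitutes the data-encryption key from both shares.
func Combine(a, b []byte) ([]byte, error) {
	if len(a) != keySize || len(b) != keySize {
		return nil, errors.New("share has wrong length")
	}
	key := make([]byte, keySize)
	for i := range key {
		key[i] = a[i] ^ b[i]
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM under key, binding the
// additional authenticated data aad (for example a record identifier).
// The output layout is nonce || ciphertext || tag.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal. A wrong key, a wrong aad, or a tampered blob fails
// the GCM tag check and returns an error instead of garbage plaintext.
func Open(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	// Constructed sample record; not real patient data.
	record := []byte(`{"mrn":"000001","dx":"example"}`)
	aad := []byte("record:000001")

	sk, err := NewSplitKey()
	if err != nil {
		panic(err)
	}
	key, _ := Combine(sk.CustomerShare, sk.CloudShare)
	blob, err := Seal(key, record, aad)
	if err != nil {
		panic(err)
	}

	// What an attacker who breaches the cloud store holds: the blob and the cloud share.
	if _, err := Open(sk.CloudShare, blob, aad); err != nil {
		fmt.Println("cloud share alone:", err)
	}
	// With both shares the covered entity recovers the record.
	pt, err := Open(key, blob, aad)
	fmt.Println("both shares:", string(pt), err)
}
```

The customer share has to be supplied at the moment of decryption and discarded afterwards; if it is written to the same disk as the blob for convenience, the scheme degrades back to the provider-held-key case the item above warns about.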
10. HIPAA is not to be feared
Possibly the most important thing to know about HIPAA is that you should not fear it; it exists to protect patients, providers, and business associates and to facilitate appropriate data sharing. None of us want to suffer a breach and by following the provisions set forth in HIPAA, we protect ourselves.
The post 10 Things You Need To Know about HIPAA Compliance in the Cloud appeared first on Porticor Cloud Security.
Copyright © 2015 SYS-CON Media, Inc. — All Rights Reserved.
Syndicated stories and blog feeds, all rights reserved by the author.
Gilad Parann-Nissany, Founder and CEO at Porticor is a pioneer of Cloud Computing. He has built SaaS Clouds for medium and small enterprises at SAP (CTO Small Business); contributing to several SAP products and reaching more than 8 million users. Recently he has created a consumer Cloud at G.ho.st - a cloud operating system that delighted hundreds of thousands of users while providing browser-based and mobile access to data, people and a variety of cloud-based applications. He is now CEO of Porticor, a leader in Virtual Privacy and Cloud Security.