Increasingly, companies in the healthcare industry are interested in taking advantage of the many benefits of the cloud. So what’s holding them back? It’s largely a matter of fear, not just because of security issues related to the cloud but also because of compliance issues.
The healthcare industry is one of the most highly regulated, and just about any company that handles protected health information (PHI) is subject to the requirements of HIPAA and HITECH. Many of these companies don’t know that it is possible to achieve both security and HIPAA/HITECH compliance in the cloud, or that solutions from Peak 10 can help.
Here’s what you can do to help educate your prospects:
Ensure your prospects understand that there are no “HIPAA-certified” CSPs.
The U.S. Department of Health and Human Services (HHS), the entity responsible for HIPAA, does not require or formally recognize any HIPAA certification programs for CSPs.
What your prospects need is a CSP that has the necessary controls and processes in place to comply with the HIPAA requirements for which it is responsible. One way to ensure this is for them to go with a CSP, such as Peak 10, that undergoes annual independent audits of its data center operations and cloud infrastructure. The CSP should also be willing to sign a BAA. (Peak 10 is.)
Make sure your prospects know the definitions for HIPAA compliance that apply both to covered entities and to business associates.
The HHS web site provides in-depth information about all aspects of HIPAA. Encourage your prospects to review the section on the omnibus final rule, which expands many of the requirements for HIPAA compliance to business associates.
Business associates are defined as any person or organization that performs functions or activities on behalf of, or certain services for, a covered entity that involve the use or disclosure of PHI. The final rule clarifies that “a data storage company that has access to protected health information (whether digital or hard copy) qualifies as a business associate, even if the entity does not view the information or only does so on a random or infrequent basis.”
All the rules and regulations can be a bit difficult to understand, so if your prospects have questions, you should also encourage them to consult an expert who specializes in HIPAA.
Inform prospects about the importance of making sure their contract with a CSP includes a business associate agreement (BAA).
Covered entities are required to have a written contract, a business associate agreement (BAA), with any third-party supplier they work with that will be handling PHI on the organization’s behalf. The BAA specifies what the supplier will do for the covered entity and that it will comply with the HIPAA requirements to protect the privacy and security of PHI. If a prospect has been working with a CSP and doesn’t have a BAA in place, it’s a good time for them to consider moving to a provider that will sign one.
Encourage prospects to perform a comprehensive assessment on any CSP they are currently using or are considering.
Due diligence is a must. Prospects should always ask questions to validate that any CSP being considered understands their HIPAA requirements, as well as its own responsibilities for compliance. Does it have a dedicated person on staff whose job is to be responsible for matching the CSP’s processes and protocols with the requirements of HIPAA? Does it have a business continuity plan in place? Does it have a proven track record of successfully managing cloud services for other healthcare clients? Does it have a security awareness program in place for its entire organization?
One of the best assurances that a CSP has the appropriate technology, processes and policies in place for HIPAA compliance is to review its annual HIPAA audit report on compliance. That audit should be conducted by a reputable third-party auditor and comply with the OCR HIPAA Audit Protocol, which was adopted in 2012 and serves as a set of guidelines stipulating how HIPAA audits should be performed. The audit should cover all 169 requirements of the HIPAA law.
CSPs that undergo other types of audits may also be more likely to meet HIPAA requirements for data security and privacy because of the stringent protocols entailed, such as those required by PCI DSS and SSAE 16. (Peak 10 undergoes all of the above.)
Stress the importance of encrypting PHI.
Encryption is considered a “best practice” for data security. Surprisingly, the HIPAA rules state that the use of encryption is not “mandatory” but “addressable.” While it may not be mandatory, encrypting data provides “safe harbor”: if your prospect’s data is somehow breached or lost, provided it was properly encrypted, it will not be considered a breach of unsecured PHI. For the prospect to protect itself and its data, it is essential that PHI is encrypted in every possible location.
Encourage prospects to deploy strong encryption for all PHI-related data, using strong algorithms like SHA-2 and AES-256. They should also verify that the encryption keys themselves are protected. As a best practice, the key management system should split the encryption key between at least two entities, and if possible homomorphic key encryption should be used to secure encryption keys while they are in use in the cloud.
As covered entities, prospects in the healthcare business should also implement technical security measures to guard against unauthorized access to PHI that is being transmitted over an electronic network. Encryption of data in transit is again the recommended tool. They should always enable SSL (HTTPS) and TLS, and if possible deploy an IPsec tunnel between their application servers and clients.
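The three encryption recommendations above (encrypt PHI at rest with AES-256, keep the key split between at least two parties, and refuse weak transport protocols) can be made concrete in a few dozen lines. The following Go program is an added illustration written for this page; it is not Peak 10 code and does not describe any Peak 10 system. It encrypts a constructed sample PHI record with AES-256-GCM, splits the data-encryption key into two XOR shares so that neither share alone can decrypt (a deliberately simple stand-in for a real key-management system; homomorphic key protection is not shown), binds the ciphertext to a record identifier so it cannot be quietly swapped into another record, and builds a TLS configuration that rejects SSL 3.0 and TLS 1.0/1.1. The record text, the `record-id:` label and the function names are all assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/tls"
	"errors"
	"fmt"
)

// keyLen is 32 bytes, i.e. AES-256 as recommended in the text above.
const keyLen = 32

// newKey generates a fresh random 256-bit data-encryption key.
func newKey() ([]byte, error) {
	k := make([]byte, keyLen)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

// splitKey returns two shares whose XOR is the key. Each share on its own is
// uniformly random and reveals nothing about the key, so the two shares can be
// held by two different entities (assumed stand-in for a real KMS split).
func splitKey(key []byte) (shareA, shareB []byte, err error) {
	shareA = make([]byte, len(key))
	if _, err = rand.Read(shareA); err != nil {
		return nil, nil, err
	}
	shareB = make([]byte, len(key))
	for i := range key {
		shareB[i] = key[i] ^ shareA[i]
	}
	return shareA, shareB, nil
}

// joinKey reconstructs the key; both shares are required.
func joinKey(shareA, shareB []byte) ([]byte, error) {
	if len(shareA) != len(shareB) {
		return nil, errors.New("share length mismatch")
	}
	key := make([]byte, len(shareA))
	for i := range shareA {
		key[i] = shareA[i] ^ shareB[i]
	}
	return key, nil
}

// encryptPHI seals plaintext with AES-256-GCM. The random nonce is prepended
// to the output; aad (e.g. the record ID) is authenticated but not encrypted,
// so a ciphertext moved to a different record fails to decrypt.
func encryptPHI(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// decryptPHI opens a blob produced by encryptPHI. Any change to the nonce,
// ciphertext, tag or aad fails authentication and returns an error instead
// of silently returning garbage.
func decryptPHI(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// transitConfig is a TLS configuration for PHI in transit that refuses
// anything older than TLS 1.2 (SSL 3.0, TLS 1.0 and TLS 1.1 are rejected).
func transitConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12}
}

func main() {
	key, _ := newKey()
	shareA, shareB, _ := splitKey(key) // give one share to each custodian
	record := []byte("MRN 000123: constructed sample record, not real PHI")
	aad := []byte("record-id:000123")
	blob, _ := encryptPHI(key, record, aad)
	joined, _ := joinKey(shareA, shareB) // both custodians must cooperate
	plain, err := decryptPHI(joined, blob, aad)
	fmt.Printf("round trip ok: %v, err: %v\n", string(plain) == string(record), err)
	_, err = decryptPHI(shareA, blob, aad) // one share alone cannot decrypt
	fmt.Printf("single share rejected: %v\n", err != nil)
}
```

The design point to carry into a real deployment is the separation of duties: the party that stores the ciphertext (the CSP) should never hold both shares, and the AAD ties each ciphertext to the record it belongs to so that an authenticated but misplaced blob is detected rather than decrypted.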
There are many other considerations for assessing CSPs to store PHI, but these five will help you give your prospects a start, and help establish you as a knowledgeable partner. The important thing to keep in mind is that as more healthcare organizations move data to the cloud to reap the many benefits offered, an increasing number of CSPs are hoping to capitalize on the trend. Help make sure the ones your prospect is considering are able to deliver what they need, including HIPAA compliance.