Cloud computing allows users to access data stored in the cloud from anywhere with an internet connection. Because of its ease of use, storing business and patient data in the cloud has become standard best practice for most businesses across every industry. However, with the recent rise of remote work and the scramble to adopt remote working practices quickly, many businesses have fallen short in protecting their data. This guidance on HIPAA compliance and cloud computing explains how you can use cloud software while still complying with HIPAA.

Guidance on HIPAA and Cloud Computing: Security Threats and Security Measures

Guidance on HIPAA and Cloud Computing

2020 saw a huge increase in cloud computing, and as such, cybersecurity threats have increased. A recent study determined that there was a 10% increase in healthcare web application attacks, with an average of 187 million attacks a month. 

Following a string of cyberattacks targeting remote workers, the FBI issued a warning, and CISA provided guidance on bolstering cloud security.

Some of CISA’s recommendations include:

  • Implement MFA for all users, without exception.
  • Focus on awareness and training. Make employees aware of the threats—such as phishing scams—and how they are delivered. Additionally, provide users training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities.
  • Implement conditional access (CA) policies based upon your organization’s needs.
  • Establish a baseline for normal network activity within your environment.
  • Ensure user access logging is enabled. Forward logs to a security information and event management appliance for aggregation and monitoring so as to not lose visibility on logs outside of logging periods.
  • Establish blame-free employee reporting and ensure that employees know who to contact when they see suspicious activity or when they believe they have been a victim of a cyberattack. This will ensure that the proper established mitigation strategy can be employed quickly and efficiently.
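Three of the recommendations above (MFA for all users, a baseline of normal activity, and access logging forwarded for monitoring) only pay off if someone actually compares new log entries against the baseline. The script below is an added example written for this page, not code from CISA or from Compliancy Group. It assumes a simple constructed access-log format (an ISO timestamp followed by key=value fields for user, geography, MFA status and result), builds a per-user baseline of where and when successful logins normally happen, and then flags later events that fall outside that baseline or that succeeded without MFA. The log lines and the baseline cut-off date are constructed sample data, not real records.

```python
"""Baseline-and-deviation check over user access logs (added example)."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log, one line per authentication event.
# Assumed format: ISO timestamp, then key=value pairs.
SAMPLE_LOG = """\
2024-03-01T09:12:44Z user=alice geo=US mfa=yes result=success
2024-03-01T13:40:02Z user=alice geo=US mfa=yes result=success
2024-03-02T08:55:10Z user=alice geo=US mfa=yes result=success
2024-03-01T10:05:31Z user=bob geo=US mfa=yes result=success
2024-03-02T16:20:00Z user=bob geo=CA mfa=yes result=success
2024-03-03T11:00:00Z user=bob geo=US mfa=yes result=success
2024-03-08T03:17:09Z user=alice geo=RO mfa=no result=success
2024-03-08T10:30:00Z user=bob geo=US mfa=yes result=success
2024-03-08T22:45:12Z user=bob geo=US mfa=no result=failure
"""

# Constructed cut-off: events before it form the baseline, later ones are checked.
BASELINE_END = datetime(2024, 3, 7, tzinfo=timezone.utc)


def parse_line(line):
    """Turn one log line into a dict with a timezone-aware 'ts' field."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return event


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def build_baseline(events, end=BASELINE_END):
    """Per user: geographies and hours-of-day seen on successful logins before `end`."""
    baseline = defaultdict(lambda: {"geos": set(), "hours": set()})
    for e in events:
        if e["ts"] < end and e["result"] == "success":
            baseline[e["user"]]["geos"].add(e["geo"])
            baseline[e["user"]]["hours"].add(e["ts"].hour)
    return dict(baseline)


def find_deviations(events, baseline, start=BASELINE_END):
    """Return (timestamp, user, result, reasons) for events on/after `start`
    that succeed without MFA, come from a new geography, or fall outside the
    user's usual hour range. Users with no baseline are flagged as well."""
    alerts = []
    for e in events:
        if e["ts"] < start:
            continue
        reasons = []
        if e["result"] == "success" and e["mfa"] != "yes":
            reasons.append("no MFA")
        profile = baseline.get(e["user"])
        if profile is None:
            reasons.append("no baseline for user")
        else:
            if e["geo"] not in profile["geos"]:
                reasons.append(f"new geography {e['geo']}")
            lo, hi = min(profile["hours"]), max(profile["hours"])
            if not lo <= e["ts"].hour <= hi:
                reasons.append(f"outside usual hours {lo:02d}-{hi:02d}")
        if reasons:
            alerts.append((e["ts"].isoformat(), e["user"], e["result"], reasons))
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for alert in find_deviations(evs, build_baseline(evs)):
        print(alert)
```

On the sample data, alice's 03:17 login from a new country without MFA is flagged on all three counts, while bob's failed late-night attempt is flagged only for falling outside his usual hours. In a real environment the same comparison would run inside the SIEM against a baseline built from weeks of logs rather than a few constructed lines, and the hour range would normally be widened with a tolerance so a single early start does not page anyone.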

For more information, see CISA’s published recommendations.


Many of the above-mentioned recommendations directly tie into guidance on HIPAA and cloud computing, because many of these practices are required by the HIPAA Security, Privacy, or Breach Notification Rules. In fact, HIPAA-compliant cloud computing depends on them.

For instance, HIPAA requires healthcare organizations to have policies and procedures in place that limit risks to PHI security, such as implementing strong passwords, tracking access to data, and limiting access to data to only the employees who need it. HIPAA also requires healthcare employees to be trained annually on cybersecurity best practices, HIPAA basics, and their organization’s policies and procedures. Additionally, under HIPAA, organizations are required to report suspected breaches and to encourage employees to report incidents without fear of retaliation.

Guidance on HIPAA and Cloud Computing: Signing a Business Associate Agreement

Healthcare organizations that create, maintain, store, receive, or transmit protected health information (PHI) through the cloud must have signed business associate agreements with their cloud service providers. This may include email providers, cloud storage providers, telehealth tools, and electronic medical records providers, to name a few.

A HIPAA business associate agreement (BAA) is a legal document that requires each signing party to be HIPAA compliant, and maintain their compliance. A BAA also dictates the security measures that the business associate is required to have in place, and determines which party is responsible for reporting a breach, should one occur. To be HIPAA compliant, healthcare organizations must have a signed BAA in place before using any tool in conjunction with PHI.
