HIPAA and Cloud Storage: Choosing a Vendor
When choosing which vendor is right for your healthcare clients, it is important to understand what HIPAA requires from cloud storage solutions.
HIPAA compliant cloud storage providers must have safeguards in place to protect the confidentiality of the ePHI stored on their systems. Under the Security Rule, encryption of ePHI at rest and in transit is an "addressable" implementation specification rather than a strictly required one, but a covered entity that skips it must document why an equivalent alternative is reasonable, and the loss of unencrypted ePHI is treated as a breach of unsecured PHI that triggers notification unless a documented risk assessment shows a low probability of compromise. In practice, then, treat encryption as mandatory. Multi-factor authentication and role-based access control are likewise key to preventing unauthorized or improper access, even though the regulation names neither technology.
To protect patient data from improper alteration or destruction, cloud storage solutions should support integrity baselining (recording cryptographic hashes of stored objects so later changes can be detected) and should be configurable to meet HIPAA requirements. Research schemes such as HAIL (high-availability and integrity layer) and provable data possession (PDP) go further and let a client verify that a provider still holds its data intact without downloading all of it. Several cloud security management products also continuously compare the current state of cloud data against the last known good state and alert admins to any mismatch.
Readily Available Patient Health Records
The Security Rule's contingency plan standard requires covered entities to have a data backup plan: procedures to create and maintain retrievable exact copies of ePHI. Backing up to an external hard drive and taking it home at night is not a plan you want to defend to an auditor. You need copies kept separately from the production system, and you need to be able to PROVE, by actually restoring and verifying them, that you can recover an exact copy of all ePHI after a disaster or attack. For most practices, the cloud is the most practical way to do this.
This leads to one of the more serious mistakes businesses make with cloud service providers: assuming that because data is in the cloud, it is automatically backed up. It is NOT. Under the shared responsibility model the provider protects the platform, while the customer remains responsible for its own data. Both Microsoft's and Google's customer agreements make clear that backing up your data remains your responsibility, and Microsoft's terms explicitly recommend that you regularly back up the content you store in its services. A HIPAA compliant cloud backup, held separately from the primary cloud store, is therefore essential to incident management and to a working disaster recovery plan, and that plan should include periodic test restores so the "retrievable exact copy" requirement is demonstrated rather than assumed.
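The integrity baselining described earlier and the "prove you can retrieve an exact copy" requirement above come down to the same check: record a cryptographic digest of every object, keep that baseline somewhere the storage platform cannot silently change, and later compare either the live data or a restored backup against it. The following is an added example (not code from the original article or from any vendor it names) that does exactly that over a directory tree: it builds a SHA-256 manifest, signs the manifest with an HMAC so a tampered baseline is detected, and reports modified, missing and unexpected files. The directory, file names, contents and key in the demo are constructed for illustration.

```python
"""Integrity baseline and restore verification with SHA-256 digests and an HMAC-signed manifest."""
from __future__ import annotations

import hashlib
import hmac
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large objects are never loaded whole into memory


def digest_file(path: Path) -> str:
    """SHA-256 hex digest of one file, streamed."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): digest_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def _canonical(manifest: dict[str, str]) -> bytes:
    # Fixed key order and separators, so the same manifest always signs the same way.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict[str, str], key: bytes) -> str:
    """Serialize the baseline with an HMAC tag so edits to the baseline itself are detectable."""
    tag = hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()
    return json.dumps({"manifest": manifest, "hmac": tag}, sort_keys=True)


def load_signed_manifest(blob: str, key: bytes) -> dict[str, str]:
    """Parse a signed baseline, refusing it if the HMAC does not verify."""
    doc = json.loads(blob)
    expected = hmac.new(key, _canonical(doc["manifest"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        raise ValueError("baseline manifest failed HMAC check: do not trust it")
    return doc["manifest"]


def verify(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare a live or restored tree against the baseline.

    Returns the paths that were modified, are missing, or were not in the baseline.
    All three lists empty means the tree is an exact copy of what was baselined.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "unexpected": sorted(k for k in current if k not in baseline),
    }


def is_exact_copy(report: dict[str, list[str]]) -> bool:
    return not any(report.values())


if __name__ == "__main__":
    # Constructed demo data: a tiny "record store" that is baselined, then damaged.
    root = Path(tempfile.mkdtemp())
    (root / "records").mkdir()
    (root / "records" / "p1.json").write_bytes(b'{"mrn":"000123","dx":"J06.9"}')
    (root / "readme.txt").write_bytes(b"constructed sample data")
    key = b"demo-key-keep-this-out-of-the-bucket"  # hypothetical key; store it outside the storage being checked

    signed = sign_manifest(build_manifest(root), key)          # store this with the backup metadata
    baseline = load_signed_manifest(signed, key)
    print("fresh copy exact:", is_exact_copy(verify(root, baseline)))

    (root / "records" / "p1.json").write_bytes(b'{"mrn":"000123","dx":"J06.8"}')  # silent alteration
    (root / "readme.txt").unlink()                                                 # deletion
    (root / "extra.bin").write_bytes(b"\x00")                                      # something that was never baselined
    print("after damage:", verify(root, baseline))
```

Run the baseline step when a backup set is written and the verify step against every test restore; keep the signed manifest and its key outside the storage account being checked, otherwise an attacker who can alter the data can alter the baseline to match.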
Privacy and Security of PHI
HIPAA's requirements for the cloud are the same as for a traditional data center. ePHI must be protected by encryption in transit and at rest, and every access to it must be traceable. Many CSPs have taken the necessary steps to encrypt data in accordance with HIPAA, but not all cover the full regulation, and none can cover the parts that depend on how your client configures and uses the service. Therefore it is your responsibility as your client's trusted advisor to know whether the CSP has met all security requirements, or whether you need to take additional measures to protect your clients' data. Does the CSP offer MFA, and can you require it for every account? Can role based access controls be implemented? Are there audit trails, and can you retain and export them? Who holds the encryption keys?
Accessibility and Ownership of Data
The HIPAA Privacy Rule gives patients a right of access to their records, which a healthcare organization can only honor if it keeps control of its own data. This is particularly important when a client stops using a provider: a CSP's business associate agreement must provide for the return or destruction of all PHI at the end of the contract (or, where return is not feasible, for continued protection of whatever is retained). Before signing, confirm that the client's data can be exported in a usable format and that the provider will confirm deletion afterwards.
Business Associate Agreements
When storing or maintaining PHI, CSPs are considered business associates under HIPAA. This is true even when the data is encrypted and the CSP never holds a decryption key; HHS guidance is explicit that such a "no-view" CSP is still a business associate. Consequently, healthcare organizations need to have business associate agreements (BAAs) in place with CSPs before they can use their service. The obligation of getting these signed BAAs will fall to you. It is important to note that even if a cloud provider meets all necessary security requirements, it is not HIPAA compliant for your client if the provider will not sign a BAA.
Some provisions you should look for in a cloud storage solution's BAA include:
- Secure data transmission and storage
- Controlled data access
- Access logging in reference to your healthcare client's information
- Reporting of security incidents and breaches of unsecured PHI to your client
- Return or destruction of PHI when the agreement ends
Examples of HIPAA Compliant Cloud Storage Solutions
- Microsoft Azure
- Acronis Cyber Cloud