The 1996 Health Insurance Portability and Accountability Act (HIPAA) shapes much of the data policy that’s applied to patient records, and healthcare organizations must be aware of how their handling of information could impact patient privacy.
What is often a challenging task is ensuring that business partners that may have access to patient data are also adhering to HIPAA rules. Healthcare organizations know the risk of not following the regulations, but addressing that risk with business partners requires a deliberate plan. When it comes to cloud providers, there are a few items to keep in mind:
Cloud providers are not exempt. The Department of Health and Human Services does provide a HIPAA Conduit Exception Rule, but it applies only to services that merely transmit data, not to cloud providers that store or process it. By supporting healthcare providers, cloud providers are also subject to HIPAA rules.
There’s no certification process. If a cloud provider tells you they’re HIPAA certified, be suspicious, because there’s no such designation. Making sure a cloud provider is adhering to HIPAA is a shared obligation of the healthcare organization and the cloud provider, typically spelled out in a business associate agreement.
Know what you’re responsible for protecting. As with any cloud security question, you should have a clear understanding of how each component of your data, network, and connection points is being secured. In a shared responsibility model, the cloud service provider is responsible for the security of the cloud itself, while you handle the security of what you put in the cloud.
For instance, in this model, your cloud provider is responsible for securing the infrastructure that supports your cloud application, including the hardware, software, network, and facility. You, as the client, are responsible for what’s in the cloud, based on the services you select from your service provider.
Encryption is key. Protecting data according to HIPAA standards requires that data be encrypted while it’s being stored (at rest), but encryption is just as critical while the data is being uploaded or downloaded (in transit).
Segmentation in the network limits exposure. A network design that carries traffic to and from the cloud over its own isolated path, separate from the rest of the network, helps IT identify a security issue and contain it before it causes extensive problems. For instance, as Internet of Things (IoT) devices become more common in the healthcare industry, segmentation can prevent a breach of one device from affecting the entire organization.
Your cloud provider is acting as a business associate under HIPAA rules, and you must treat your security as only as effective as its weakest component. Talk with your cloud provider about the practices they have in place for adhering to HIPAA.
To learn more about the necessary steps for HIPAA compliance with your cloud provider, contact us at SimpleWAN.