As we know, healthcare providers store large quantities of patient information, and this information can be very valuable. As a result, the healthcare industry is relentlessly targeted by cyber-criminals.
In response to this problem, the United States Government introduced a federal statute called the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which stipulates how healthcare service providers must handle protected patient information.
A failure to comply with HIPAA can result in fines of up to $50,000 per violation, and these fines are by no means theoretical.
To illustrate my point, we’re only halfway through 2021, and the Department of Health and Human Services (HHS) has issued fines worth $5,570,000 in total, with Lifetime Healthcare Companies receiving the largest fine of $5,100,000, following a data breach affecting over 9.3 million people.
Why are Healthcare Providers Using Cloud Services?
To some, storing confidential patient data in the cloud may seem like a dangerous idea. However, it’s important to note that cloud security has come on in leaps and bounds in recent years. Not only that, but a healthcare provider will (or at least should) only use a service provider that is already HIPAA-compliant. Healthcare providers are taking advantage of cloud services for the following reasons:
- Both patients and medical practitioners can access information, anytime and anywhere.
- Decreased costs associated with maintaining infrastructure and hiring security professionals.
- Reliable disaster recovery services.
- More opportunity to leverage machine learning algorithms to analyze large sets of data to monitor outcomes and improve treatments.
- Patients who wear IoT-enabled devices (heart monitors and ingestible sensors) can upload the data directly to the cloud for practitioners to examine.
- Access to new telehealth capabilities, which allow the patient to contact their GP and make appointments, pay for treatments, access test results, etc.
What Constitutes a HIPAA-Compliant Cloud Provider?
Naturally, one of the dangers of storing sensitive data in the cloud is that there’s a risk that the cloud provider (or at least one of their employees) will decide to snoop around or even leak sensitive data, for some reason or another. This is why HIPAA introduced a series of guidelines, which all covered entities, including business associates, must adhere to.
Before storing any patient data in the cloud, the covered entity must enter into a Business Associate Agreement (BAA) with the cloud provider. It is ultimately up to the healthcare provider to ensure that the cloud provider is willing and able to meet the HIPAA compliance requirements. This involves obtaining a Service Level Agreement (SLA) from the cloud provider. The SLA will contain information relating to availability, backup and disaster recovery, security, disclosure, and so on.
The cloud provider must also comply with the Security Rule, Privacy Rule, and the Breach Notification Rule. All confidential patient data stored in the cloud must be encrypted, both at rest and in transit. The healthcare provider must carry out periodic assessments of any business associates they rely on, to ensure that they are adhering to the rules laid out in the SLA.
Best Practices for HIPAA Compliance When Using Cloud Services
Use a risk assessment tool: Covered entities are required to carry out periodic risk assessments. The Office of the National Coordinator for Health Information Technology (ONC) offers a free risk assessment tool to help organizations comply with HIPAA.
Enforce “least privilege” access: You must ensure that you have the appropriate access controls in place. In other words, users should be granted the least privileges they need to be able to adequately perform their role. A common technique is to use Role-Based Access Control (RBAC), whereby users are assigned to roles (or groups), each with their own respective privileges.
Encrypt patient data: All confidential patient data must be encrypted, both at rest and in transit. You will need to use automated encryption tools which encrypt patient data at the point of creation/modification.
Monitor access to patient data: Access to all confidential patient data must be continuously monitored to ensure that you know exactly who is accessing what data, and when. You must also maintain an immutable record of all events concerning patient data, which will enable you to carry out a forensic investigation following a potential breach, and which can be used to demonstrate your compliance efforts to the supervisory authorities.
Monitor privileged accounts: As above, all privileged accounts, including service accounts, must be continuously monitored for anomalous activity.
Breach notifications: Healthcare providers must notify patients when their confidential data has been accessed, used, or disclosed in a way that compromises their privacy.
Security awareness training: All employees must receive HIPAA training, to ensure that they know their responsibilities when it comes to keeping the data they are entrusted with secure.
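As an added illustration of the least-privilege and access-monitoring practices above (not code from this article or from any vendor): an RBAC check that records every PHI access attempt, allowed or denied, in a hash-chained log so that later edits or deletions are detectable. The roles, users, permissions, and record IDs are constructed for the example, and hash chaining makes the log tamper-evident rather than truly immutable.

```python
import hashlib
import json

# Constructed role model: each role carries only the permissions it needs.
ROLE_PERMISSIONS = {
    "physician": {"phi:read", "phi:write"},
    "billing": {"phi:read_billing"},
    "it_admin": set(),  # manages systems, gets no PHI permissions
}
USER_ROLES = {"dr_lee": "physician", "sam_billing": "billing", "svc_backup": "it_admin"}
GENESIS = "0" * 64  # previous-hash value for the first log entry


def _digest(prev_hash, event):
    """Hash of the previous entry's hash plus this event's canonical JSON."""
    body = json.dumps(event, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + body).hexdigest()


def access_phi(log, user, action, record_id, ts):
    """RBAC decision; the attempt is logged whether or not it is allowed."""
    role = USER_ROLES.get(user)  # unknown users have no role
    allowed = action in ROLE_PERMISSIONS.get(role, set())
    event = {"ts": ts, "user": user, "role": role, "action": action,
             "record": record_id, "allowed": allowed}
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"event": event, "prev": prev, "hash": _digest(prev, event)})
    return allowed


def verify_chain(log):
    """Return the index of the first entry that fails verification, or -1."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != _digest(prev, entry["event"]):
            return i
        prev = entry["hash"]
    return -1


def build_sample_log():
    """Constructed sample activity: two permitted accesses and one denial."""
    log = []
    access_phi(log, "dr_lee", "phi:read", "patient-001", "2021-06-01T09:00:00Z")
    access_phi(log, "svc_backup", "phi:read", "patient-001", "2021-06-01T09:05:00Z")
    access_phi(log, "sam_billing", "phi:read_billing", "patient-002", "2021-06-01T09:10:00Z")
    return log
```

In production the latest hash would be anchored somewhere the log writer cannot modify, such as write-once storage, since anyone able to rewrite the whole chain could otherwise recompute it.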
How does Lepide Help with Cloud HIPAA Compliance?
In order to keep your patient data secure, you must ensure that you know exactly what data you have, and where it is located. The Lepide Data Security Platform provides data discovery and classification out-of-the-box. This feature will automatically scan your cloud repositories for Protected Health Information (PHI) and classify the data accordingly. It can even classify data at the point of creation/modification.
Knowing where your most sensitive data resides will make it easier to keep track of how the data is being handled, and by which users. With Lepide Data Security Platform, anytime PHI is accessed, moved, modified, or removed, an alert will be sent to the administrator, who can review the events via a centralized dashboard to determine the legitimacy of the actions performed.
Lepide Data Security Platform is also able to generate pre-defined reports that are customized to meet HIPAA compliance requirements.