The development and advancement of cloud computing services have improved and expanded technology options across several industries. The healthcare industry is no exception. Due to legal regulations, organizations in and adjacent to healthcare have unique cloud infrastructure security considerations to prioritize to safeguard specific classes of protected information.
What Makes Cloud Security Unique?
NIST defines cloud computing as “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.”
Cloud computing comprises multiple hosting environments and service models, each with unique security challenges. And things are further complicated for organizations that must comply with HIPAA regulations. Understanding the challenges, requirements, and best practices will help your organization remain HIPAA compliant while making use of cloud technologies.
The HIPAA Rules
The Privacy, Security, and Breach Notification Rules of the Health Insurance Portability and Accountability Act—also known as the HIPAA Rules—specify that, and how, protected health information (PHI) must be protected. These rules apply to specific covered entities and select business associates thereof, who must install and maintain controls to remain compliant.
Covered Entities and Business Associates
Covered Entities are defined as health care providers, health plans, and clearinghouses that handle electronic billing and payment-related transactions. A Business Associate is any entity outside of a covered entity that handles PHI while acting on behalf of or providing services to a covered entity. As a result, when a covered entity uses the services of a cloud services provider, that provider becomes a business associate that is subject to HIPAA regulations.
The Privacy Rule
The HIPAA Privacy Rule specifically protects all “individually identifiable health information.” This is a broad category, including anything directly related to a patient’s:
- Physical and mental health or conditions
- Received health care or prescribed medications
- Payment related to any received health care
The Privacy Rule also protects select categories of demographic information and anything else that could be used to identify the individual, such as their birthdate (except for the year).
The Security Rule
The HIPAA Security Rule requires covered entities to establish and maintain “administrative, technical, and physical” security measures to protect electronic PHI (ePHI). Since PHI stored or processed in the cloud is by definition ePHI, the Security Rule is the most directly applicable rule for HIPAA cloud security measures. This rule dictates that covered entities do the following:
- Protect the availability, confidentiality, and integrity of all electronic PHI they handle
- Identify, detect, and protect against threats to the security of PHI
- Protect against unauthorized use and disclosure of PHI
- Enforce workforce compliance
- Review and modify security policies to ensure consistent protection of PHI
The rule doesn’t dictate how covered entities and business associates must meet these requirements. However, it does require them to consider:
- Their size, complexity, and limitations
- Technical infrastructure
- Costs
- The potential impact security risks would have on electronic PHI
While the Security Rule’s protections apply specifically to ePHI, the infrastructure created to secure these files can (and should) also account for and extend protections to traditional PHI.
The Breach Notification Rule
The HIPAA Breach Notification Rule requires covered entities and business associates to issue notifications when unsecured PHI has been breached. Impacted parties and the HHS must be notified, along with local media outlets in the case of large breaches. By default, any “impermissible use or disclosure” that compromises PHI is considered a breach. However, if a risk assessment determines that it’s unlikely PHI has been compromised, it may not qualify as a breach.
A breach impacting ePHI on cloud infrastructure must be reported as soon as possible—the Covered Entity may negotiate a protocol for monitoring data in the cloud with their provider. Depending on the contract, the cloud provider may be responsible for providing notice.
Working with Cloud Service Providers
Nowadays, there are many HIPAA-compliant cloud services available. However, even when engaging the services of a compliant provider, it’s crucial to do thorough research on the solutions they provide and conduct a risk analysis. Additionally, covered entities and associates are required to enter a HIPAA-compliant business associate agreement (BAA) with providers.
It is recommended to establish a HIPAA-compliant service level agreement (SLA) to address:
- System uptime
- System stability
- Data backups and recovery
- Security expectations and responsibilities
And, since it’s likely that your organization will benefit from multiple cloud services, you should implement a cloud security plan that can protect a complex cloud-based infrastructure.
Use the HIPAA Rules as a Framework
When entering agreements with service providers, refer to the HIPAA Rules to establish a secure foundation and clarify the expectations and the responsibilities of each party:
- Privacy – Even if a cloud service provider doesn’t have control over who has access to electronic PHI, they must ensure that they only use and disclose PHI as allowed by the BAA and Privacy Rule. Additionally, they must provide the covered entity with access to PHI as needed to allow the covered entity to meet its own obligations in accordance with regulations.
- Security – All cloud service providers are required to comply with the standards defined in the Security Rule. Depending on the nature of the services, there are cases where requirements for both parties may be met by either the service provider or the covered entity. But the service provider is still responsible for implementing and maintaining adequate security controls.
- Breach Notification – Since cloud service providers are business associates, they are required to notify covered entities of any event that qualifies as a breach of PHI.
As critical as HIPAA compliance is in cloud environments, it’s not the only framework that healthcare and healthcare-adjacent organizations should consider.
Use the HITRUST CSF
The HITRUST CSF is a framework designed to “normalize security and privacy requirements for organizations.” It is maintained by the HITRUST Alliance and includes 49 Control Objectives and 156 Control References across 14 Control Categories. Unlike HIPAA, it is not federally required, but it is often demanded by business partners, such as healthcare payors.
The HITRUST CSF provides the following benefits:
- A scalable, certifiable framework – One of the challenges of designing and maintaining a HIPAA-compliant security infrastructure is that covered entities must identify, and reassess over time, the appropriate measures based on the unique nature and structure of the organization. The HITRUST CSF is designed to be used by organizations of all sizes and complexities.
- Healthcare industry acceptance – The HITRUST CSF was developed through the collaboration of healthcare and technology organizations, so it is recognized and widely accepted throughout the healthcare industry. This also means it’s maintained by representatives of the industry, ensuring that requirements remain relevant as the industry and technology evolve.
- HIPAA-compliant requirements – The framework was specifically designed to help standardize HIPAA compliance, making it an invaluable tool for cloud computing security in healthcare and for working with cloud computing service providers.
- Global recognition – HITRUST follows and considers international data protection laws and best practices, which has led to it being recognized and adopted throughout much of the world. This means it can be used in cloud security assessment and infrastructure planning in places where HIPAA may not apply but other regulations still do.
- Efficient risk reduction – As a trusted framework with clear guidelines, the HITRUST CSF can reduce the resources required to plan and implement secure, compliant cloud security.
By using the HITRUST CSF to secure cloud infrastructure, perform security assessments, or become HITRUST Certified, your organization will be well-positioned to scale and keep personal health information secure while responding to evolving security threats.
Optimize Cloud Infrastructure Security for Healthcare
There are plenty of best practices for planning and implementing cloud security. But for organizations involved in the healthcare industry, it’s critical to form a strategy that accounts for the unique security requirements enforced by HIPAA and other regulations from the start. Doing so will establish a more robust foundation that can be sustainably maintained and adapted to changing demands.
Keep Your Healthcare Organization’s Cloud Compliant
Effective cloud infrastructure security requires a comprehensive security solution. Organizations in and connected to the health industry have the added responsibility of safeguarding protected health information and complying with HIPAA and other data protection regulations, making cloud security even more complex.
Understanding regulations and using certified frameworks like the HITRUST CSF can facilitate the process of planning and implementing an effective cloud security solution.
And as cloud infrastructure becomes more complex and more widespread throughout the healthcare industry, establishing an optimized baseline becomes more crucial to remaining compliant and prepared for future demands. Contact RSI Security today to assess and optimize cloud infrastructure security within your organization.