It’s hard to imagine any modern healthcare operator not making use out of cloud storage these days. The benefits of being accessible from any device in any location cannot be understated, but easier accessibility to legitimate employees and patients might also mean making things easier for cybercriminals too. Fortunately, there are many ways to mitigate these risks without having to sacrifice usability and accessibility.
When HIPAA was incorporated into federal law in 1996, cloud storage was practically unheard of, and even the internet itself was very much a novelty compared to what it is today. As such, there is no such thing as a HIPAA-compliant cloud in terms of what’s defined by law. However, there are HIPAA-compliant online storage services, such as Google Cloud for Business, which thousands of healthcare providers across the country use every day. That said, there are certain steps you need to take to ensure compliance whenever you’re adopting any new technology in your workplace – and cloud storage is no exception.
Here are the key steps you need to take to ensure compliance during your cloud migration:
Whether your company is defined as a covered organization or a business associate that handles protected health information (PHI) on behalf of one, you need to sign a business associate agreement with any third-party who will be responsible for looking after your data. In this case, you might use Google Cloud or Amazon AWS to store patient health records but, before you do, you will need to ensure you have the necessary agreement in place. If any cloud storage provider claims to be HIPAA-compliant, then they will be prepared to sign a business associate agreement (BAA)
It’s essential to remember that signing a BAA doesn’t guarantee compliance itself. Reputable cloud providers use a shared responsibility model, simply because they don’t have complete control over your data when it’s in their care. For example, if an unauthorized party exploits a weak password to access an online account, then the fault falls with the client, rather than the cloud provider. While a cloud provider should offer the controls necessary to help you protect your information, it’s up to you to ensure they’re used correctly. This involves deploying a strict password policy, full end-to-end encryption, and multifactor authentication at minimum.
Since you can’t expect to protect what you don’t know, it’s important to have auditing controls in place that give administrators complete visibility into their data and systems. For example, security information and event management (SIEM) solutions log all access attempts, so you can keep an eye on who’s accessing your cloud-hosted systems, which device they’re using, and which network they’re using. Auditing controls monitor these metrics in real-time to alert you of any potentially risky activities, such as suspicious login attempts or security controls or policies that may have been compromised.
Encryption is an essential component of any HIPAA-compliant cloud storage or any other data-bearing system. Data should be encrypted according to the AES-256 standard, whether it’s at rest or in transit. During transmission, data should be encrypted end-to-end so that, even if it’s intercepted, it will be useless to anyone who doesn’t have the decryption key. User accounts should also be protected by two or more user verification layers – also known as multi factor authentication or MFA. This requires users to verify their identities with, for example, a single-use authentication code, rather than relying on passwords alone.
Cloud storage offers extremely compelling opportunities for backup and disaster recovery, and most service providers offer automated backup scheduling with automatic rollovers to ensure the integrity of your data. However, this isn’t something you should take for granted. Backup and disaster recovery should be incorporated into cloud migration strategies to ensure compliance with HIPAA’s rules on data integrity and accessibility. Ideally, you should have at least three off-site backups of your data, updated automatically and in real time. There is also still a strong case for storing a copy of your patient records and other data locally, for easy access in cases where you lose your internet connection.
Charles IT helps organizations maintain HIPAA compliance with comprehensive assessments, expert guidance, and cutting-edge technical solutions. Call us today to become compliant.
Editor's Note: This blog was originally published on March 26, 2021. It was edited on June 28, 2023 for accuracy.