Welcome!

Related Topics: @CloudExpo, Microservices Expo, Containers Expo Blog, Cloud Security, @DXWorldExpo, SDN Journal

@CloudExpo: Blog Feed Post

The HIPAA Final Rule and Staying Compliant in the Cloud

As healthcare and patient data move to the cloud, HIPAA compliance issues follow

The HIPAA Omnibus Final Rule went into effect on March 26, 2013.  In order to stay compliant, the date for fulfilling the new rules is September 23, 2013, except for companies operating under existing “business associate agreements (BAA),” may be allowed an extension until September 23, 2014.

As healthcare and patient data move to the cloud, HIPAA compliance issues follow.  With many vendors, consultants, internal and external IT departments at work, the question of who is responsible for compliance comes up quite often.  Not all organizations are equipped or experienced to meet the HIPAA compliance rules by themselves.  Due to the nature of the data and the privacy rules of patients, it is important to secure the data correctly the first time.

HIPAA and the Cloud
Do you have to build your own cloud HIPAA compliance solutions from scratch?  The short answer is no.  There are solutions and consulting companies available to help move patient data to the cloud as well as secure it following HIPAA compliance rules and best practices.

The following checklist provides a guide to help plan for meeting the new HIPAA compliance rules.

A Cloud HIPAA Compliance Checklist

1. Ensure “Business Associates” are HIPAA compliant

-          Data Centers and cloud providers that serve the healthcare industry are in the category of “business associates.”

-          Business Associates can also be any entity that “…creates, receives, maintains, or transmits protected health information (PHI) on behalf of a covered entity.”  This means document storage companies and cloud providers now officially have to follow HIPAA rules as well.

-          Subcontractors are also considered business associates if they are creating, receiving, transmitting, or maintaining Protected Health Information (PHI) on behalf of a business associate agreement.

-          As a business associate they must meet the compliance rules for all privacy and security requirements.

What can you do?
Ensure business associates and subcontractors sign a business associate agreement and follow the HIPAA compliance rules for themselves and any of their subcontractors. A sample Business Associate Agreement is available on the HHS.gov website.

What happens if you are in violation?
The Office of Civil Rights (OCR) investigates HIPAA violations and can charge $100 – 50,000 per violation.  That gets capped at $1.5 million for multiple violations.  The charges are harsh to help ensure that data is safe and companies are following the HIPAA rules.

2. Data Backup

- Health care providers, business associates, and subcontractors must have a backup contingency plan.

- Requirements state that it has to include a:

Backup plan for data, disaster recovery plan, and an emergency mode operations plan

- The backup vendor needs to encrypt backup images during transit to their off-site data centers so that data cannot be read without an encryption key

- The end user/partner is required to encrypt the source data to meet HIPAA compliance

What can you do?

If you handle the data backup internally, set a plan to meet HIPAA compliance and execute it.
If you have external backup solution providers, ensure they have a working plan in place.

3. Security Rules

-          Physical safeguards need to be implemented to secure the facility, like access controls for the facility

-          Develop procedures to address and respond to security breaches

-          There are an additional 18 technical security standards and 36 implementation specifications as well

What can you do?

Put a plan in place to protect data from internal and external threats as well as limiting access to only those that require it.

4. Technical Safeguards
Health care providers, business associates, and subcontractors must implement technical safeguards. While many technical safeguards are not required – they do mitigate your risk in case of a breach. In particular, encryption of sensitive data allows you to claim “safe harbor” in the case of a breach.

-  Study encryption and decryption of electronically protected health information

-  Use AES encryption for data “at rest” in the cloud

-  Use strong – and highly protected – encryption key management; this is the most sensitive and difficult piece on this list – consider to use split-key cloud encryption or homomorphic key management

-  Transmission of data must be secured: use SSL/TLS or IPSec

-  When any data is deleted in the cloud any mirrored version of the data must be deleted as well

-  Limit access to electronically protected health information

-  Audit controls and procedures that record and analyze activity in information systems which contain electronically protected health information

-  Implement technical security measures such as strong authentication and authorization, guarding against unauthorized access to electronically protected information transmitted over electronic communication networks

What can you do?

Adopt strong encryption technology and develop a plan to ensure data is transmitted, stored, and deleted securely. Develop a plan to monitor data access and control access.

5. Administrative Safeguards

For organizations to meet HIPAA compliance they must have HIPAA Administrative Safeguards in place to “prevent, detect, contain and correct security violations.”  Policies and procedures are required to deal with: risk analysis, risk management, workforce sanctions for non-compliance, and a review of records.

-  Assign a privacy officer for developing and implementing HIPAA policies and procedures

  • Ensure that business associates also have a privacy officer since they are also liable for complying with the Security Rule

-  Implement a set of privacy procedures to meet compliance for four areas:

Risk Analysis
“Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity”

Risk Management
“Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a).”

Workforce Sanctions for Non-Compliance
“Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.”

Review of Records
“Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.”

-  Provide ongoing administrative employee training on Protected Health Information (PHI)

-  Implement a procedure and plan for internal HIPAA compliance audits

What can you do?
Develop an internal plan to meet HIPAA compliance and have a privacy officer to implement requirements.  Ensure that policies and procedures deal with analysis of risk, management of risk, policy violations, and sanctions for staff or contractors in violation of the policy.  Develop and maintain documentation for internal policies to meet HIPAA compliance as it will help define those policies to your organization and could assist during a HIPAA audit.

The post The HIPAA Final Rule and Staying Compliant in the Cloud appeared first on Porticor Cloud Security.

Read the original blog entry...

More Stories By Gilad Parann-Nissany

Gilad Parann-Nissany, Founder and CEO at Porticor is a pioneer of Cloud Computing. He has built SaaS Clouds for medium and small enterprises at SAP (CTO Small Business); contributing to several SAP products and reaching more than 8 million users. Recently he has created a consumer Cloud at G.ho.st - a cloud operating system that delighted hundreds of thousands of users while providing browser-based and mobile access to data, people and a variety of cloud-based applications. He is now CEO of Porticor, a leader in Virtual Privacy and Cloud Security.

Latest Stories
22nd International Cloud Expo, taking place June 5-7, 2018, at the Javits Center in New York City, NY, and co-located with the 1st DXWorld Expo will feature technical sessions from a rock star conference faculty and the leading industry players in the world. Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud ...
@DevOpsSummit at Cloud Expo, taking place November 12-13 in New York City, NY, is co-located with 22nd international CloudEXPO | first international DXWorldEXPO and will feature technical sessions from a rock star conference faculty and the leading industry players in the world.
"DivvyCloud as a company set out to help customers automate solutions to the most common cloud problems," noted Jeremy Snyder, VP of Business Development at DivvyCloud, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
Without lifecycle traceability and visibility across the tool chain, stakeholders from Planning-to-Ops have limited insight and answers to who, what, when, why and how across the DevOps lifecycle. This impacts the ability to deliver high quality software at the needed velocity to drive positive business outcomes. In his general session at @DevOpsSummit at 19th Cloud Expo, Eric Robertson, General Manager at CollabNet, will discuss how customers are able to achieve a level of transparency that e...
More and more brands have jumped on the IoT bandwagon. We have an excess of wearables – activity trackers, smartwatches, smart glasses and sneakers, and more that track seemingly endless datapoints. However, most consumers have no idea what “IoT” means. Creating more wearables that track data shouldn't be the aim of brands; delivering meaningful, tangible relevance to their users should be. We're in a period in which the IoT pendulum is still swinging. Initially, it swung toward "smart for smart...
"We were founded in 2003 and the way we were founded was about good backup and good disaster recovery for our clients, and for the last 20 years we've been pretty consistent with that," noted Marc Malafronte, Territory Manager at StorageCraft, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
As data explodes in quantity, importance and from new sources, the need for managing and protecting data residing across physical, virtual, and cloud environments grow with it. Managing data includes protecting it, indexing and classifying it for true, long-term management, compliance and E-Discovery. Commvault can ensure this with a single pane of glass solution – whether in a private cloud, a Service Provider delivered public cloud or a hybrid cloud environment – across the heterogeneous enter...
We all know that end users experience the internet primarily with mobile devices. From an app development perspective, we know that successfully responding to the needs of mobile customers depends on rapid DevOps – failing fast, in short, until the right solution evolves in your customers' relationship to your business. Whether you’re decomposing an SOA monolith, or developing a new application cloud natively, it’s not a question of using microservices - not doing so will be a path to eventual ...
We all know that end users experience the internet primarily with mobile devices. From an app development perspective, we know that successfully responding to the needs of mobile customers depends on rapid DevOps – failing fast, in short, until the right solution evolves in your customers' relationship to your business. Whether you’re decomposing an SOA monolith, or developing a new application cloud natively, it’s not a question of using microservices - not doing so will be a path to eventual ...
DXWorldEXPO LLC announced today that ICC-USA, a computer systems integrator and server manufacturing company focused on developing products and product appliances, will exhibit at the 22nd International CloudEXPO | DXWorldEXPO. DXWordEXPO New York 2018, colocated with CloudEXPO New York 2018 will be held November 11-13, 2018, in New York City. ICC is a computer systems integrator and server manufacturing company focused on developing products and product appliances to meet a wide range of ...
Michael Maximilien, better known as max or Dr. Max, is a computer scientist with IBM. At IBM Research Triangle Park, he was a principal engineer for the worldwide industry point-of-sale standard: JavaPOS. At IBM Research, some highlights include pioneering research on semantic Web services, mashups, and cloud computing, and platform-as-a-service. He joined the IBM Cloud Labs in 2014 and works closely with Pivotal Inc., to help make the Cloud Found the best PaaS.
We all know that end users experience the Internet primarily with mobile devices. From an app development perspective, we know that successfully responding to the needs of mobile customers depends on rapid DevOps – failing fast, in short, until the right solution evolves in your customers' relationship to your business. Whether you’re decomposing an SOA monolith, or developing a new application cloud natively, it’s not a question of using microservices – not doing so will be a path to eventual b...
Sanjeev Sharma Joins November 11-13, 2018 @DevOpsSummit at @CloudEXPO New York Faculty. Sanjeev Sharma is an internationally known DevOps and Cloud Transformation thought leader, technology executive, and author. Sanjeev's industry experience includes tenures as CTO, Technical Sales leader, and Cloud Architect leader. As an IBM Distinguished Engineer, Sanjeev is recognized at the highest levels of IBM's core of technical leaders.
Headquartered in Plainsboro, NJ, Synametrics Technologies has provided IT professionals and computer systems developers since 1997. Based on the success of their initial product offerings (WinSQL and DeltaCopy), the company continues to create and hone innovative products that help its customers get more from their computer applications, databases and infrastructure. To date, over one million users around the world have chosen Synametrics solutions to help power their accelerated business or per...
Dion Hinchcliffe is an internationally recognized digital expert, bestselling book author, frequent keynote speaker, analyst, futurist, and transformation expert based in Washington, DC. He is currently Chief Strategy Officer at the industry-leading digital strategy and online community solutions firm, 7Summits.