|By Gilad Parann-Nissany||
|September 5, 2013 11:00 AM EDT||
The HIPAA Omnibus Final Rule went into effect on March 26, 2013. In order to stay compliant, the date for fulfilling the new rules is September 23, 2013, except for companies operating under existing “business associate agreements (BAA),” may be allowed an extension until September 23, 2014.
As healthcare and patient data move to the cloud, HIPAA compliance issues follow. With many vendors, consultants, internal and external IT departments at work, the question of who is responsible for compliance comes up quite often. Not all organizations are equipped or experienced to meet the HIPAA compliance rules by themselves. Due to the nature of the data and the privacy rules of patients, it is important to secure the data correctly the first time.
HIPAA and the Cloud
Do you have to build your own cloud HIPAA compliance solutions from scratch? The short answer is no. There are solutions and consulting companies available to help move patient data to the cloud as well as secure it following HIPAA compliance rules and best practices.
The following checklist provides a guide to help plan for meeting the new HIPAA compliance rules.
A Cloud HIPAA Compliance Checklist
1. Ensure “Business Associates” are HIPAA compliant
- Data Centers and cloud providers that serve the healthcare industry are in the category of “business associates.”
- Business Associates can also be any entity that “…creates, receives, maintains, or transmits protected health information (PHI) on behalf of a covered entity.” This means document storage companies and cloud providers now officially have to follow HIPAA rules as well.
- Subcontractors are also considered business associates if they are creating, receiving, transmitting, or maintaining Protected Health Information (PHI) on behalf of a business associate agreement.
- As a business associate they must meet the compliance rules for all privacy and security requirements.
What can you do?
Ensure business associates and subcontractors sign a business associate agreement and follow the HIPAA compliance rules for themselves and any of their subcontractors. A sample Business Associate Agreement is available on the HHS.gov website.
What happens if you are in violation?
The Office of Civil Rights (OCR) investigates HIPAA violations and can charge $100 – 50,000 per violation. That gets capped at $1.5 million for multiple violations. The charges are harsh to help ensure that data is safe and companies are following the HIPAA rules.
2. Data Backup
- Health care providers, business associates, and subcontractors must have a backup contingency plan.
- Requirements state that it has to include a:
Backup plan for data, disaster recovery plan, and an emergency mode operations plan
- The backup vendor needs to encrypt backup images during transit to their off-site data centers so that data cannot be read without an encryption key
- The end user/partner is required to encrypt the source data to meet HIPAA compliance
What can you do?
If you handle the data backup internally, set a plan to meet HIPAA compliance and execute it.
If you have external backup solution providers, ensure they have a working plan in place.
3. Security Rules
- Physical safeguards need to be implemented to secure the facility, like access controls for the facility
- Develop procedures to address and respond to security breaches
- There are an additional 18 technical security standards and 36 implementation specifications as well
What can you do?
Put a plan in place to protect data from internal and external threats as well as limiting access to only those that require it.
4. Technical Safeguards
Health care providers, business associates, and subcontractors must implement technical safeguards. While many technical safeguards are not required – they do mitigate your risk in case of a breach. In particular, encryption of sensitive data allows you to claim “safe harbor” in the case of a breach.
- Study encryption and decryption of electronically protected health information
- Use AES encryption for data “at rest” in the cloud
- Use strong – and highly protected – encryption key management; this is the most sensitive and difficult piece on this list – consider to use split-key cloud encryption or homomorphic key management
- Transmission of data must be secured: use SSL/TLS or IPSec
- When any data is deleted in the cloud any mirrored version of the data must be deleted as well
- Limit access to electronically protected health information
- Audit controls and procedures that record and analyze activity in information systems which contain electronically protected health information
- Implement technical security measures such as strong authentication and authorization, guarding against unauthorized access to electronically protected information transmitted over electronic communication networks
What can you do?
Adopt strong encryption technology and develop a plan to ensure data is transmitted, stored, and deleted securely. Develop a plan to monitor data access and control access.
5. Administrative Safeguards
For organizations to meet HIPAA compliance they must have HIPAA Administrative Safeguards in place to “prevent, detect, contain and correct security violations.” Policies and procedures are required to deal with: risk analysis, risk management, workforce sanctions for non-compliance, and a review of records.
- Assign a privacy officer for developing and implementing HIPAA policies and procedures
- Ensure that business associates also have a privacy officer since they are also liable for complying with the Security Rule
- Implement a set of privacy procedures to meet compliance for four areas:
“Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity”
“Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a).”
Workforce Sanctions for Non-Compliance
“Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.”
Review of Records
“Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.”
- Provide ongoing administrative employee training on Protected Health Information (PHI)
- Implement a procedure and plan for internal HIPAA compliance audits
What can you do?
Develop an internal plan to meet HIPAA compliance and have a privacy officer to implement requirements. Ensure that policies and procedures deal with analysis of risk, management of risk, policy violations, and sanctions for staff or contractors in violation of the policy. Develop and maintain documentation for internal policies to meet HIPAA compliance as it will help define those policies to your organization and could assist during a HIPAA audit.
The post The HIPAA Final Rule and Staying Compliant in the Cloud appeared first on Porticor Cloud Security.
Cloud computing delivers on-demand resources that provide businesses with flexibility and cost-savings. The challenge in moving workloads to the cloud has been the cost and complexity of ensuring the initial and ongoing security and regulatory (PCI, HIPAA, FFIEC) compliance across private and public clouds. Manual security compliance is slow, prone to human error, and represents over 50% of the cost of managing cloud applications. Determining how to automate cloud security compliance is critical...
Nov. 27, 2015 06:00 PM EST Reads: 413
We all know that data growth is exploding and storage budgets are shrinking. Instead of showing you charts on about how much data there is, in his General Session at 17th Cloud Expo, Scott Cleland, Senior Director of Product Marketing at HGST, showed how to capture all of your data in one place. After you have your data under control, you can then analyze it in one place, saving time and resources.
Nov. 27, 2015 04:00 PM EST Reads: 174
Today air travel is a minefield of delays, hassles and customer disappointment. Airlines struggle to revitalize the experience. GE and M2Mi will demonstrate practical examples of how IoT solutions are helping airlines bring back personalization, reduce trip time and improve reliability. In their session at @ThingsExpo, Shyam Varan Nath, Principal Architect with GE, and Dr. Sarah Cooper, M2Mi’s VP Business Development and Engineering, explored the IoT cloud-based platform technologies driving t...
Nov. 27, 2015 02:00 PM EST Reads: 411
As organizations shift towards IT-as-a-service models, the need for managing & protecting data residing across physical, virtual, and now cloud environments grows with it. CommVault can ensure protection & E-Discovery of your data - whether in a private cloud, a Service Provider delivered public cloud, or a hybrid cloud environment – across the heterogeneous enterprise.
Nov. 27, 2015 01:00 PM EST Reads: 172
In recent years, at least 40% of companies using cloud applications have experienced data loss. One of the best prevention against cloud data loss is backing up your cloud data. In his General Session at 17th Cloud Expo, Sam McIntyre, Partner Enablement Specialist at eFolder, presented how organizations can use eFolder Cloudfinder to automate backups of cloud application data. He also demonstrated how easy it is to search and restore cloud application data using Cloudfinder.
Nov. 27, 2015 01:00 PM EST Reads: 155
The Internet of Things (IoT) is growing rapidly by extending current technologies, products and networks. By 2020, Cisco estimates there will be 50 billion connected devices. Gartner has forecast revenues of over $300 billion, just to IoT suppliers. Now is the time to figure out how you’ll make money – not just create innovative products. With hundreds of new products and companies jumping into the IoT fray every month, there’s no shortage of innovation. Despite this, McKinsey/VisionMobile data...
Nov. 27, 2015 12:00 PM EST Reads: 464
Internet of @ThingsExpo, taking place June 7-9, 2016 at Javits Center, New York City and Nov 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with the 18th International @CloudExpo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world and ThingsExpo New York Call for Papers is now open.
Nov. 27, 2015 12:00 PM EST Reads: 542
With major technology companies and startups seriously embracing IoT strategies, now is the perfect time to attend @ThingsExpo 2016 in New York and Silicon Valley. Learn what is going on, contribute to the discussions, and ensure that your enterprise is as "IoT-Ready" as it can be! Internet of @ThingsExpo, taking place Nov 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with 17th Cloud Expo and will feature technical sessions from a rock star conference faculty ...
Nov. 27, 2015 11:45 AM EST Reads: 538
Just over a week ago I received a long and loud sustained applause for a presentation I delivered at this year’s Cloud Expo in Santa Clara. I was extremely pleased with the turnout and had some very good conversations with many of the attendees. Over the next few days I had many more meaningful conversations and was not only happy with the results but also learned a few new things. Here is everything I learned in those three days distilled into three short points.
Nov. 27, 2015 11:00 AM EST Reads: 315
As organizations realize the scope of the Internet of Things, gaining key insights from Big Data, through the use of advanced analytics, becomes crucial. However, IoT also creates the need for petabyte scale storage of data from millions of devices. A new type of Storage is required which seamlessly integrates robust data analytics with massive scale. These storage systems will act as “smart systems” provide in-place analytics that speed discovery and enable businesses to quickly derive meaningf...
Nov. 27, 2015 10:45 AM EST Reads: 398
DevOps is about increasing efficiency, but nothing is more inefficient than building the same application twice. However, this is a routine occurrence with enterprise applications that need both a rich desktop web interface and strong mobile support. With recent technological advances from Isomorphic Software and others, rich desktop and tuned mobile experiences can now be created with a single codebase – without compromising functionality, performance or usability. In his session at DevOps Su...
Nov. 27, 2015 10:45 AM EST Reads: 384
SYS-CON Events announced today that Alert Logic, Inc., the leading provider of Security-as-a-Service solutions for the cloud, will exhibit at SYS-CON's 18th International Cloud Expo®, which will take place on June 7-9, 2016, at the Javits Center in New York City, NY. Alert Logic, Inc., provides Security-as-a-Service for on-premises, cloud, and hybrid infrastructures, delivering deep security insight and continuous protection for customers at a lower cost than traditional security solutions. Ful...
Nov. 27, 2015 10:00 AM EST Reads: 308
In his keynote at @ThingsExpo, Chris Matthieu, Director of IoT Engineering at Citrix and co-founder and CTO of Octoblu, focused on building an IoT platform and company. He provided a behind-the-scenes look at Octoblu’s platform, business, and pivots along the way (including the Citrix acquisition of Octoblu).
Nov. 27, 2015 10:00 AM EST Reads: 491
The buzz continues for cloud, data analytics and the Internet of Things (IoT) and their collective impact across all industries. But a new conversation is emerging - how do companies use industry disruption and technology enablers to lead in markets undergoing change, uncertainty and ambiguity? Organizations of all sizes need to evolve and transform, often under massive pressure, as industry lines blur and merge and traditional business models are assaulted and turned upside down. In this new da...
Nov. 27, 2015 09:45 AM EST Reads: 221
In his General Session at 17th Cloud Expo, Bruce Swann, Senior Product Marketing Manager for Adobe Campaign, explored the key ingredients of cross-channel marketing in a digital world. Learn how the Adobe Marketing Cloud can help marketers embrace opportunities for personalized, relevant and real-time customer engagement across offline (direct mail, point of sale, call center) and digital (email, website, SMS, mobile apps, social networks, connected objects).
Nov. 27, 2015 09:15 AM EST Reads: 292