By Gilad Parann-Nissany
September 5, 2013 11:00 AM EDT
The HIPAA Omnibus Final Rule went into effect on March 26, 2013. To stay compliant, organizations must fulfill the new rules by September 23, 2013, except that companies operating under existing “business associate agreements (BAA)” may be allowed an extension until September 23, 2014.
As healthcare and patient data move to the cloud, HIPAA compliance issues follow. With many vendors, consultants, internal and external IT departments at work, the question of who is responsible for compliance comes up quite often. Not all organizations are equipped or experienced to meet the HIPAA compliance rules by themselves. Due to the nature of the data and the privacy rules of patients, it is important to secure the data correctly the first time.
HIPAA and the Cloud
Do you have to build your own cloud HIPAA compliance solutions from scratch? The short answer is no. There are solutions and consulting companies available to help move patient data to the cloud as well as secure it following HIPAA compliance rules and best practices.
The following checklist provides a guide to help plan for meeting the new HIPAA compliance rules.
A Cloud HIPAA Compliance Checklist
1. Ensure “Business Associates” are HIPAA compliant
- Data Centers and cloud providers that serve the healthcare industry are in the category of “business associates.”
- Business Associates can also be any entity that “…creates, receives, maintains, or transmits protected health information (PHI) on behalf of a covered entity.” This means document storage companies and cloud providers now officially have to follow HIPAA rules as well.
- Subcontractors are also considered business associates if they are creating, receiving, transmitting, or maintaining Protected Health Information (PHI) on behalf of a business associate agreement.
- As a business associate they must meet the compliance rules for all privacy and security requirements.
What can you do?
Ensure business associates and subcontractors sign a business associate agreement and follow the HIPAA compliance rules for themselves and any of their subcontractors. A sample Business Associate Agreement is available on the HHS.gov website.
What happens if you are in violation?
The Office of Civil Rights (OCR) investigates HIPAA violations and can charge $100 – $50,000 per violation. That gets capped at $1.5 million for multiple violations. The charges are harsh to help ensure that data is safe and companies are following the HIPAA rules.
2. Data Backup
- Health care providers, business associates, and subcontractors must have a backup contingency plan.
- Requirements state that it has to include a backup plan for data, a disaster recovery plan, and an emergency mode operations plan
- The backup vendor needs to encrypt backup images during transit to their off-site data centers so that data cannot be read without an encryption key
- The end user/partner is required to encrypt the source data to meet HIPAA compliance
What can you do?
If you handle the data backup internally, set a plan to meet HIPAA compliance and execute it.
If you have external backup solution providers, ensure they have a working plan in place.
3. Security Rules
- Physical safeguards need to be implemented to secure the facility, like access controls for the facility
- Develop procedures to address and respond to security breaches
- There are an additional 18 technical security standards and 36 implementation specifications as well
What can you do?
Put a plan in place to protect data from internal and external threats as well as limiting access to only those that require it.
4. Technical Safeguards
Health care providers, business associates, and subcontractors must implement technical safeguards. While many technical safeguards are not required – they do mitigate your risk in case of a breach. In particular, encryption of sensitive data allows you to claim “safe harbor” in the case of a breach.
- Study encryption and decryption of electronically protected health information
- Use AES encryption for data “at rest” in the cloud
- Use strong – and highly protected – encryption key management; this is the most sensitive and difficult piece on this list – consider using split-key cloud encryption or homomorphic key management
- Transmission of data must be secured: use SSL/TLS or IPSec
- When any data is deleted in the cloud any mirrored version of the data must be deleted as well
- Limit access to electronically protected health information
- Audit controls and procedures that record and analyze activity in information systems which contain electronically protected health information
- Implement technical security measures such as strong authentication and authorization, guarding against unauthorized access to electronically protected information transmitted over electronic communication networks
What can you do?
Adopt strong encryption technology and develop a plan to ensure data is transmitted, stored, and deleted securely. Develop a plan to monitor data access and control access.
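As an added illustration (not code from the original article or from any vendor it mentions), the sketch below encrypts a record at rest with AES-256-GCM under a key that is never stored whole. Assumptions: simple 2-of-2 XOR sharing stands in for "split-key" encryption, the record ID is used as associated data, and all function names and the sample record are hypothetical.

```javascript
const { randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');

const NONCE_LEN = 12; // 96-bit GCM nonce
const TAG_LEN = 16;   // 128-bit GCM authentication tag

// Split-key model (2-of-2 XOR sharing): the AES-256 key is never stored whole.
// The data owner keeps one 32-byte share, the key service keeps the other.
function newShares() {
  return { owner: randomBytes(32), service: randomBytes(32) };
}

// Rebuild the key in memory only; either share alone is just random bytes.
function joinShares(owner, service) {
  if (owner.length !== 32 || service.length !== 32) {
    throw new Error('each key share must be 32 bytes');
  }
  return Buffer.from(owner.map((byte, i) => byte ^ service[i]));
}

// Encrypt one record at rest. Output layout: nonce || ciphertext || tag.
// aad (here the record ID) is authenticated so blobs cannot be swapped between records.
function seal(key, plaintext, aad) {
  const nonce = randomBytes(NONCE_LEN); // fresh nonce for every record
  const cipher = createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(Buffer.from(aad));
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([nonce, body, cipher.getAuthTag()]);
}

// Decrypt and authenticate; throws on a wrong key, wrong aad or modified blob.
function open(key, blob, aad) {
  if (blob.length < NONCE_LEN + TAG_LEN) throw new Error('sealed record too short');
  const decipher = createDecipheriv('aes-256-gcm', key, blob.subarray(0, NONCE_LEN));
  decipher.setAAD(Buffer.from(aad));
  decipher.setAuthTag(blob.subarray(blob.length - TAG_LEN));
  const body = blob.subarray(NONCE_LEN, blob.length - TAG_LEN);
  return Buffer.concat([decipher.update(body), decipher.final()]).toString('utf8');
}

// Constructed sample record; not real patient data.
const shares = newShares();
const sealed = seal(joinShares(shares.owner, shares.service), 'MRN 0000 (constructed)', 'record-1');
console.log(open(joinShares(shares.owner, shares.service), sealed, 'record-1'));
```

Because the authentication tag and record ID are checked on every read, a blob that is modified, moved to another record, or opened with only one share fails to decrypt instead of returning altered data.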
5. Administrative Safeguards
For organizations to meet HIPAA compliance they must have HIPAA Administrative Safeguards in place to “prevent, detect, contain and correct security violations.” Policies and procedures are required to deal with: risk analysis, risk management, workforce sanctions for non-compliance, and a review of records.
- Assign a privacy officer for developing and implementing HIPAA policies and procedures
- Ensure that business associates also have a privacy officer since they are also liable for complying with the Security Rule
- Implement a set of privacy procedures to meet compliance for four areas:
  - Risk Analysis: “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity”
  - Risk Management: “Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a).”
  - Workforce Sanctions for Non-Compliance: “Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.”
  - Review of Records: “Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.”
- Provide ongoing administrative employee training on Protected Health Information (PHI)
- Implement a procedure and plan for internal HIPAA compliance audits
What can you do?
Develop an internal plan to meet HIPAA compliance and have a privacy officer to implement requirements. Ensure that policies and procedures deal with analysis of risk, management of risk, policy violations, and sanctions for staff or contractors in violation of the policy. Develop and maintain documentation for internal policies to meet HIPAA compliance as it will help define those policies to your organization and could assist during a HIPAA audit.
The post The HIPAA Final Rule and Staying Compliant in the Cloud appeared first on Porticor Cloud Security.