Welcome!

Blog Feed Post

10 Things You Need To Know about HIPAA Compliance in the Cloud

HIPAA Compliance in the cloudHealthcare businesses are adopting cloud computing in record numbers due to the available cost-efficiency, scalability, and flexibility. According to a report by Accenture, nearly one-third of healthcare sector decision makers said they are using cloud applications, and 73% said they are planning to move more applications to the cloud. When considering cloud computing for personal health information, healthcare businesses must be aware about the effect of HIPAA compliance in the cloud.

1. Strive to achieve “Safe Harbor”

Safe Harbor is a provision to HIPAA’s Final Breach Notification Rule, which kicks in when a breach occurs, and allows a “covered entity” (pending a breach risk assessment) to determine that Protected Health Information (PHI) was not disclosed. Encryption of PHI data is considered a primary way to achieve Safe Harbor.

In case of an information breach and assuming the risk assessment will find that PHI was encrypted, the covered entity will not be exposed to onerous reporting requirements; especially, they will not need to report the breach to every single effected patient, thus saving cost and their reputation. Additionally painful fines are likely to be avoided.

2. Encryption is only part of the solution

Strong data encryption, like AES-256, is critical to HIPAA compliance in the cloud, but it is not the end of the necessary cloud security. Strong encryption must be coupled with strong encryption key management in order to be effective.

3. Backups and snapshots must be secured

You need to properly secure any storage medium which contains protected health information about patients. This includes backups and snapshots.

4. Business Associate Agreements (BAAs) and liability

If a company you do business with (for example, a payment processor) has a data breach and ePHI is compromised, you could be liable too. Companies must sign a BAA, but are still potentially liable.

5. Monitor data access

According to TechTarget’s SearchHealthIT, you must monitor who has access to your data. “In order to ensure data is protected adequately, cloud providers implement advanced firewalls and intrusion detection systems that can help detect and prevent hackers from accessing their clients’ sensitive data.”

6. Employee training is a necessity

In addition to formal annual training, make sure you provide a constant stream of information and security awareness to train employees about their HIPAA compliance responsibilities. Use diverse methods to garner staff attention: posters, letters, memos, web based training, meetings, and promotions.

7. Policies and notices may need to be updated

Whenever the HIPAA rules change and/or your systems change, re-evaluate your policies and privacy notices as they will likely need to be updated and redistributed to patients.

8. Mobile devices and apps

All mobile devices and apps that are used by healthcare professionals must comply with HIPAA rules and regulations. Conduct a risk analysis to identify potential threats and vulnerabilities to ePHI, and implement a mitigation plan to address the gaps. Encrypt data on mobile devices before sending information to the app and always use strong user authentication to avoid data theft or inappropriate access.

9. Cloud storage can be made HIPAA compliant

Most cloud storage options are not HIPAA compliant “out of the box.” One of the reasons is because many cloud storage solutions allow encryption, but require that they have access to encryption keys. To maintain compliance and achieve safe harbor, use a solution like split key encryption that ensures that you maintain ownership and control of encryption keys.

10. HIPAA is not to be feared

Possibly the most important thing to know about HIPAA is that you should not fear it; it exists to protect patients, providers, and business associates and to facilitate appropriate data sharing. None of us want to suffer a breach and by following the provisions set forth in HIPAA, we protect ourselves.

 

Interested in learning more about HIPAA compliance? Read our white paper.

 

The post 10 Things You Need To Know about HIPAA Compliance in the Cloud appeared first on Porticor Cloud Security.

Read the original blog entry...

More Stories By Gilad Parann-Nissany

Gilad Parann-Nissany, Founder and CEO at Porticor is a pioneer of Cloud Computing. He has built SaaS Clouds for medium and small enterprises at SAP (CTO Small Business); contributing to several SAP products and reaching more than 8 million users. Recently he has created a consumer Cloud at G.ho.st - a cloud operating system that delighted hundreds of thousands of users while providing browser-based and mobile access to data, people and a variety of cloud-based applications. He is now CEO of Porticor, a leader in Virtual Privacy and Cloud Security.

Latest Stories
Due of the rise of Hadoop, many enterprises are now deploying their first small clusters of 10 to 20 servers. At this small scale, the complexity of operating the cluster looks and feels like general data center servers. It is not until the clusters scale, as they inevitably do, when the pain caused by the exponential complexity becomes apparent. We've seen this problem occur time and time again. In his session at Big Data Expo, Greg Bruno, Vice President of Engineering and co-founder of StackIQ...
The security needs of IoT environments require a strong, proven approach to maintain security, trust and privacy in their ecosystem. Assurance and protection of device identity, secure data encryption and authentication are the key security challenges organizations are trying to address when integrating IoT devices. This holds true for IoT applications in a wide range of industries, for example, healthcare, consumer devices, and manufacturing. In his session at @ThingsExpo, Lancen LaChance, vic...
"Plutora provides release and testing environment capabilities to the enterprise," explained Dalibor Siroky, Director and Co-founder of Plutora, in this SYS-CON.tv interview at @DevOpsSummit, held June 9-11, 2015, at the Javits Center in New York City.
FinTech is the sum of financial and technology, and it’s one of the fastest growing tech industries. Total global investments in FinTech almost reached $50 billion last year, but there is still a great deal of confusion over what it is and what it means – especially as it applies to retirement. Building financial startups is not simple, but with the right team, technology and an innovative approach it can be an extremely interesting domain to disrupt. FinTech heralds a financial revolution that...
In his session at DevOps Summit, Tapabrata Pal, Director of Enterprise Architecture at Capital One, will tell a story about how Capital One has embraced Agile and DevOps Security practices across the Enterprise – driven by Enterprise Architecture; bringing in Development, Operations and Information Security organizations together. Capital Ones DevOpsSec practice is based upon three "pillars" – Shift-Left, Automate Everything, Dashboard Everything. Within about three years, from 100% waterfall, C...
With major technology companies and startups seriously embracing IoT strategies, now is the perfect time to attend @ThingsExpo 2016 in New York. Learn what is going on, contribute to the discussions, and ensure that your enterprise is as "IoT-Ready" as it can be! Internet of @ThingsExpo, taking place June 6-8, 2017, at the Javits Center in New York City, New York, is co-located with 20th Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry p...
SYS-CON Media announced today that @WebRTCSummit Blog, the largest WebRTC resource in the world, has been launched. @WebRTCSummit Blog offers top articles, news stories, and blog posts from the world's well-known experts and guarantees better exposure for its authors than any other publication. @WebRTCSummit Blog can be bookmarked ▸ Here @WebRTCSummit conference site can be bookmarked ▸ Here
SYS-CON Events announced today that Addteq will exhibit at SYS-CON's @DevOpsSummit at Cloud Expo New York, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Addteq is one of the top 10 Platinum Atlassian Experts who specialize in DevOps, custom and continuous integration, automation, plugin development, and consulting for midsize and global firms. Addteq firmly believes that automation is essential for successful software releases. Addteq centers its products an...
In his keynote at @ThingsExpo, Chris Matthieu, Director of IoT Engineering at Citrix and co-founder and CTO of Octoblu, focused on building an IoT platform and company. He provided a behind-the-scenes look at Octoblu’s platform, business, and pivots along the way (including the Citrix acquisition of Octoblu).
SYS-CON Events announced today that IoT Now has been named “Media Sponsor” of SYS-CON's 20th International Cloud Expo, which will take place on June 6–8, 2017, at the Javits Center in New York City, NY. IoT Now explores the evolving opportunities and challenges facing CSPs, and it passes on some lessons learned from those who have taken the first steps in next-gen IoT services.
You think you know what’s in your data. But do you? Most organizations are now aware of the business intelligence represented by their data. Data science stands to take this to a level you never thought of – literally. The techniques of data science, when used with the capabilities of Big Data technologies, can make connections you had not yet imagined, helping you discover new insights and ask new questions of your data. In his session at @ThingsExpo, Sarbjit Sarkaria, data science team lead ...
SYS-CON Events announced today that WineSOFT will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Based in Seoul and Irvine, WineSOFT is an innovative software house focusing on internet infrastructure solutions. The venture started as a bootstrap start-up in 2010 by focusing on making the internet faster and more powerful. WineSOFT’s knowledge is based on the expertise of TCP/IP, VPN, SSL, peer-to-peer, mob...
The Internet of Things can drive efficiency for airlines and airports. In their session at @ThingsExpo, Shyam Varan Nath, Principal Architect with GE, and Sudip Majumder, senior director of development at Oracle, discussed the technical details of the connected airline baggage and related social media solutions. These IoT applications will enhance travelers' journey experience and drive efficiency for the airlines and the airports.
For organizations that have amassed large sums of software complexity, taking a microservices approach is the first step toward DevOps and continuous improvement / development. Integrating system-level analysis with microservices makes it easier to change and add functionality to applications at any time without the increase of risk. Before you start big transformation projects or a cloud migration, make sure these changes won’t take down your entire organization.
Big Data, cloud, analytics, contextual information, wearable tech, sensors, mobility, and WebRTC: together, these advances have created a perfect storm of technologies that are disrupting and transforming classic communications models and ecosystems. In his session at @ThingsExpo, Erik Perotti, Senior Manager of New Ventures on Plantronics’ Innovation team, provided an overview of this technological shift, including associated business and consumer communications impacts, and opportunities it m...