To put ePHI in the cloud, or not to put ePHI in the cloud? That was once the question, but these days, the economics of SaaS, PaaS, and IaaS make cloud computing ever more inevitable, even for HIPAA covered entities. For those covered entities, however, HIPAA compliance and cloud security are pressing issues that they remain responsible for addressing. Here are four of the most common HIPAA compliance risks found in cloud environments.
Risk #1: Violations by well-meaning staff
The greatest threats to HIPAA compliance are often found within the covered entities themselves, and they aren’t always malicious. Well-meaning staff, eager to take advantage of the improved file sharing and collaboration benefits of the cloud, may inadvertently upload protected ePHI, putting their organizations out of compliance and at risk of heavy penalties and potential data breaches. Intelligent data loss prevention (DLP) integration and a granular, policy-based encryption and tokenization strategy that can catch and remediate violations in real time can stop this from happening.
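The DLP catch-and-remediate step described above, as an added example in Go that is not code from the original post or from any vendor product: a scan of outbound content for a few constructed ePHI identifier patterns (SSN, MRN, DOB), with matches swapped for opaque tokens whose mapping stays in an on-premises vault, so that only tokenized text reaches the cloud. The patterns, the token format and the sample upload are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// Finding is one ePHI identifier spotted in content that is about to leave the
// organization (an upload to a cloud file-sharing service, for instance).
type Finding struct {
	Kind  string
	Value string
}

// pattern pairs an identifier type with the expression that recognizes it.
type pattern struct {
	kind string
	re   *regexp.Regexp
}

// Detection patterns, kept in a slice so tokens are numbered deterministically.
// They are illustrative only: a production DLP engine validates matches
// (check digits, known MRN formats) to cut false positives.
var patterns = []pattern{
	{"SSN", regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)},
	{"MRN", regexp.MustCompile(`\bMRN[- ]?\d{6,8}\b`)},
	{"DOB", regexp.MustCompile(`\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b`)},
}

// Scan returns every identifier found, without changing the content.
func Scan(content string) []Finding {
	var found []Finding
	for _, p := range patterns {
		for _, m := range p.re.FindAllString(content, -1) {
			found = append(found, Finding{p.kind, m})
		}
	}
	return found
}

// TokenVault maps opaque tokens back to the values they replaced. It stays
// inside the covered entity; only tokenized content reaches the cloud.
type TokenVault struct {
	next   int
	values map[string]string // token -> original value
}

func NewTokenVault() *TokenVault {
	return &TokenVault{values: make(map[string]string)}
}

// Tokenize is the real-time remediation step: each identifier is swapped for a
// token with no relationship to the original, and the mapping is recorded.
func (v *TokenVault) Tokenize(content string) (string, []Finding) {
	var findings []Finding
	out := content
	for _, p := range patterns {
		out = p.re.ReplaceAllStringFunc(out, func(m string) string {
			v.next++
			tok := fmt.Sprintf("<%s-TOK-%d>", p.kind, v.next)
			v.values[tok] = m
			findings = append(findings, Finding{p.kind, m})
			return tok
		})
	}
	return out, findings
}

var tokenRe = regexp.MustCompile(`<(?:SSN|MRN|DOB)-TOK-\d+>`)

// Detokenize restores the original values for an authorized on-premises reader.
func (v *TokenVault) Detokenize(content string) string {
	return tokenRe.ReplaceAllStringFunc(content, func(tok string) string {
		if orig, ok := v.values[tok]; ok {
			return orig
		}
		return tok
	})
}

// SampleUpload is a constructed document a well-meaning employee might share.
const SampleUpload = "Patient Jane Doe, MRN-00123456, DOB 03/14/1975, SSN 123-45-6789, follow-up scheduled."

func main() {
	vault := NewTokenVault()
	safe, findings := vault.Tokenize(SampleUpload)
	fmt.Printf("blocked %d identifiers\n", len(findings))
	fmt.Println("stored in cloud :", safe)
	fmt.Println("restored onsite :", vault.Detokenize(safe))
}
```

Running `Scan` over the tokenized output is the useful self-check: if it still reports findings, the tokenizer has a gap. In a real integration the vault would be a hardened service rather than an in-memory map, and the scan would run at the upload gateway or in the cloud access security broker, not in the user's client.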
Risk #2: Inadvertent data exposure
The vast majority of cloud services are multitenant environments, with one service provider’s data center housing and processing data for numerous different customers. This makes both HIPAA compliance and cloud security a challenge. What happens if a breach affecting another of your cloud service provider’s customers spills over into the shared environment and your information falls into the wrong hands? Even though your organization wasn’t the target (or the fault lies with your cloud service provider as a Business Associate), the exposure will still count. Searchable Strong Encryption (SSE) – enabled by AES 256-bit encryption – combined with exclusive access to the encryption keys, will keep your data safe from exposure in a multitenant environment.
Risk #3: Data compliance violations due to data replication
For the best of reasons, cloud service providers often make copies of their customers’ data. Data replication usually happens as part of a backup, disaster recovery, or failover strategy, and it can keep you from losing what you’ve stored due to an outage on your cloud service provider’s side. Data replication creates HIPAA compliance and cloud security problems, however. Compliance requires that you only store what data you truly need to store, and only for as long as you need to store it. Additionally, extra copies of data floating around mean more opportunities for data leakage. Strict key management that keeps the encryption keys under the covered entities’ control enables them to effectively destroy all copies of data simply by destroying the encryption keys.
Risk #4: Insider threats at the cloud service providers themselves
Is it possible that someone at your cloud service provider might maliciously access your organization’s ePHI? Yes, you can have confidence in the operations and people at your cloud service provider, but rogue employees can pop up anywhere. Again, though your cloud service provider may count as a Business Associate under HIPAA and be responsible for maintaining HIPAA compliance, their failure to do so won’t exempt you from the consequences of a violation. Exclusive customer control of encryption keys will ensure that no malicious insider at your cloud service provider can cause a breach of your ePHI.
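The key-control argument behind Risk #3 and Risk #4, as an added example in Go using only the standard library (not code from the original post or from any vendor product): ePHI is envelope-encrypted before it leaves the customer, the provider stores and replicates only ciphertext plus a data key wrapped under a customer-held key-encryption key (KEK), and destroying that KEK renders every replica unreadable at once. The record layout, the `KeyStore` type and the sample record are assumptions made for this illustration; a real deployment would hold the KEK in an HSM or on-premises KMS rather than in process memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredRecord is what the cloud provider holds and may replicate freely: the
// ePHI encrypted under a per-record data key (DEK), plus that DEK wrapped under
// a key-encryption key (KEK) the provider never sees.
type StoredRecord struct {
	Ciphertext []byte // nonce || AES-GCM(DEK, ePHI)
	WrappedDEK []byte // nonce || AES-GCM(KEK, DEK)
}

// KeyStore models the covered entity's own key management (assumed for the
// example; in practice an HSM or on-prem KMS). kek is nil once destroyed.
type KeyStore struct {
	kek []byte
}

func NewKeyStore() (*KeyStore, error) {
	kek := make([]byte, 32) // AES-256
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &KeyStore{kek: kek}, nil
}

// seal encrypts plaintext with AES-256-GCM under key and prefixes the nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal, authenticating the ciphertext before returning plaintext.
func open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed blob too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// Encrypt performs envelope encryption before the record ever leaves the customer.
func (ks *KeyStore) Encrypt(ephi []byte) (StoredRecord, error) {
	if ks.kek == nil {
		return StoredRecord{}, errors.New("KEK has been destroyed")
	}
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return StoredRecord{}, err
	}
	ct, err := seal(dek, ephi)
	if err != nil {
		return StoredRecord{}, err
	}
	wrapped, err := seal(ks.kek, dek)
	if err != nil {
		return StoredRecord{}, err
	}
	return StoredRecord{Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// Decrypt unwraps the DEK with the KEK, then opens the ciphertext. A provider
// insider holding only the StoredRecord cannot perform this step.
func (ks *KeyStore) Decrypt(rec StoredRecord) ([]byte, error) {
	if ks.kek == nil {
		return nil, errors.New("KEK has been destroyed: record is unrecoverable")
	}
	dek, err := open(ks.kek, rec.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, rec.Ciphertext)
}

// Destroy is the crypto-shredding step: zeroize and drop the KEK. Every replica
// of every record wrapped under it (backups, DR sites) becomes unreadable at once.
func (ks *KeyStore) Destroy() {
	for i := range ks.kek {
		ks.kek[i] = 0
	}
	ks.kek = nil
}

// Replicate models the provider copying a record into backup and failover storage.
func Replicate(rec StoredRecord, n int) []StoredRecord {
	copies := make([]StoredRecord, n)
	for i := range copies {
		copies[i] = StoredRecord{
			Ciphertext: append([]byte(nil), rec.Ciphertext...),
			WrappedDEK: append([]byte(nil), rec.WrappedDEK...),
		}
	}
	return copies
}

func main() {
	ks, err := NewKeyStore()
	if err != nil {
		panic(err)
	}
	rec, err := ks.Encrypt([]byte("constructed sample: MRN-00123456 lab result"))
	if err != nil {
		panic(err)
	}
	copies := Replicate(rec, 3) // provider's backup and DR copies
	pt, _ := ks.Decrypt(copies[2])
	fmt.Printf("before shred: %q\n", pt)
	ks.Destroy()
	_, err = ks.Decrypt(copies[2])
	fmt.Println("after shred:", err)
}
```

The point to check in practice is that no copy of the KEK exists outside the customer's control, including in the provider's logs, snapshots or support tooling; if the provider can reach the KEK, neither the insider-threat argument nor the key-destruction argument holds.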
In today’s cloud-centric world, cloud security and HIPAA compliance go hand in hand. At first glance, the relationship can seem complicated. With a comprehensive cloud information protection solution, however, protecting your organization from HIPAA compliance violations in the cloud becomes much simpler.
What risks do you think the cloud carries for HIPAA covered entities? Tell us your thoughts in the comments.