Security and compliance concerns making you hesitant to adopt the cloud? Organizations like yours that must meet HIPAA regulatory requirements are generally a little worried, especially given the high standards that the HIPAA-HITECH 2013 Final Omnibus Rule sets for protecting cloud-based ePHI. Here are some best practices that will enable you to adopt the cloud with confidence.
1. The first rule of HIPAA cloud security is: Be in control of HIPAA cloud security.
As we’ve discussed on this blog before, recent revisions to HIPAA expand the types of organizations responsible for remaining in compliance to include cloud service providers, which are considered Business Associates (BAs) of HIPAA-covered organizations. This doesn’t mean that you can let your cloud providers take control of your cloud data security. You are still ultimately responsible for remaining in compliance, and still liable in the event of compliance violations or data breaches. Whatever your security strategy, it must be your security strategy. All our other best practices proceed from this one fact.
HIPAA data breaches have climbed 138% since 2012 – with 29.3 million health records compromised since 2009
– Breach Report 2013 – Protected Health Information, Redspin
2. Being in control of your HIPAA cloud security means being in control of encryption.
Not just any encryption scheme will do when it comes to HIPAA-protected ePHI. Sensitive patient information demands strong encryption. To that end, CipherCloud offers industrial-strength AES 256-bit encryption and gives organizations the control to apply it right down to the character level in specified fields. This granular, field- and character-specific approach gives you the control to ensure that you meet every HIPAA requirement and every internal policy.
What’s more, the control CipherCloud offers doesn’t stop at encryption alone. Who has the encryption keys matters, too. CipherCloud leaves you in control of your encryption keys. This is the only way to ensure that you won’t suffer a data breach—and the subsequent heavy penalties and brand damage—due to an outside hacker or an insider threat at your CSP.
3. Protect both structured and unstructured data.
These days, data is proliferating. It’s no longer just about structured data fields like identification numbers, claim codes, and test results, but also about unstructured data: internal chat logs, emails between payers and providers, doctors’ notes entered into electronic systems, and the like. Within those masses of unstructured data, you may find ePHI that the HIPAA-HITECH 2013 Final Omnibus Rule mandates be protected. Make sure you know what protected data might appear within the unstructured data your organization generates, and encrypt or tokenize that, too.
4. Monitor user activity to maintain safety and compliance.
Maintaining compliance to the high standards of the HIPAA-HITECH 2013 Final Omnibus Rule means improving security not only through initial deployment of a strong information protection solution, but also through consistent monitoring to detect violations. Choose a solution that allows you to tightly control user access to data, monitor user activity, and detect and address potential HIPAA violations before they become problems. Not all encryption or tokenization providers do. Through tight integrations with cloud service and platform providers like Salesforce and NetSuite, CipherCloud enables you not only to strongly encrypt and tokenize sensitive ePHI, but also to monitor user and system access to that ePHI and the ePHI’s movement through your cloud.
HIPAA cloud security doesn’t have to be as complicated or as challenging as it may initially appear. In fact, taking a few simple measures can drastically reduce your scope and increase your compliance and security. As with most security and regulatory compliance issues, it’s all about control, and so is CipherCloud.
How can organizations achieve HIPAA cloud security? Tell us your thoughts in the comments.