Cloud providers whose clients work with healthcare information now face stronger security and privacy requirements due to changes in federal laws. Yet many of these vendors and suppliers are unaware of these regulations, the large fines associated with noncompliance, and the protection from these risks that cloud encryption can provide, according to legal specialist Gerard Stegmaier.
Mr. Stegmaier, an attorney at Wilson Sonsini Goodrich & Rosati in Washington, D.C., provided this analysis in a webinar we jointly hosted with CipherCloud on the topic, Healthcare and the Cloud: Solving the Security Dilemma.
He explained that change is being driven by the HIPAA/HITECH Omnibus Rule that takes effect in Sept. 2013, which expands who is covered by the regulations. In his view, cloud providers that “create, receive, maintain and/or transmit” Protected Health Information (PHI) are likely to be considered Business Associates. This means the security, privacy and breach notification requirements of HIPAA/HITECH are now suddenly a really important issue for cloud providers.
The Health Insurance Portability and Accountability Act (HIPAA) mainly covers protected health information (PHI): information that reasonably identifies an individual and relates to health, disease, health services or payment for health services. Since 1996, healthcare organizations have been required to keep electronic health records confidential under the law. With the new rule taking effect in Sept. 2013, however, Business Associates are expressly subject to the provisions of the privacy rule, portions of the security rule and the breach notification rule.
The security rule requires that organizations ensure the confidentiality, integrity, and availability of e-PHI through administrative, physical, and technical safeguards that ensure workforce compliance and protect against any reasonably anticipated threats, unauthorized uses or disclosures.
HIPAA/HITECH is not the only concern, however, as Mr. Stegmaier pointed out. Another source of liability is that companies processing electronic health information are subject to FTC breach notification rules. This includes providers of online health data repositories and applications used directly by individuals on websites and mobile phones. So, ironically, many companies that are not necessarily subject to the HIPAA breach notification rule may still be subject to the FTC's rules if they provide an electronic health record. That is very significant because of the high costs associated with data breach disclosures, not the least of which is damage to the company's reputation.
Equally significant are the 46 states with their own health data laws covering privacy and breach notification. The laws differ on specifics, but the common themes are that they hold data collectors responsible for protecting personally identifiable information from disclosure or misuse, and they provide for penalties that include fines, personal liability and public disclosure of data breaches.
In the face of these regulations and risks, one important step Mr. Stegmaier recommends for any organization involved in maintaining PHI in cloud services and for organizations collecting and handling PHI is to encrypt the information. For HIPAA/HITECH, adequately applied encryption is considered a “safe harbor” and is likely to be seen as “reasonable” security – assuming that the encryption keys are protected. In the case of the FTC and state data breach laws, encrypted data is typically exempted from breach disclosure requirements if it has been “rendered unreadable without use of a confidential key.”
Mr. Stegmaier’s remarks highlighted the need for exactly the type of encryption solutions offered by CipherCloud.
If you look at the legacy traditional approach to security you build a strong perimeter. You keep the good stuff inside your perimeter. You keep the bad guys out. But, as probably most people realize now, with the proliferation of cloud applications, users are going directly to the cloud, they’re skipping your security, or they’re even coming in from external devices, where you really have no control point at all.
CipherCloud can be deployed in many ways, but most commonly we are deployed as a gateway at the perimeter of your organization to provide a control point where you can enforce security policies. We have a number of different security policies we can enforce, but the most common is encryption with industry-standard AES-256, or tokenization. We are able to selectively and automatically encrypt data on the fly, triggered by the content itself, whether it is a Social Security number or other PHI.
Importantly, CipherCloud preserves operations on cloud data, so as data comes in and out of the gateway your authorized users won’t notice anything different. They will use their applications to get their jobs done. But someone who’s unauthorized coming in without appropriate access will only see encrypted gibberish.
To conclude, as Mr. Stegmaier so aptly said, life does not begin and end with HIPAA, but there are ways to prevent breaches and reduce regulatory risks while getting the benefit of cloud technologies, and still ensuring patients' sensitive data remains secure.
Business Associates and Covered Entities have embraced moving to the cloud, but remain concerned about maintaining control of patients’ health data. To prevent a breach, cloud data protection gateways are an effective technology. These gateways catch sensitive information on-premise and encrypt it or replace it with a random token that protects the data from being decoded no matter where it resides in the cloud. These techniques help associates and entities remain compliant with HIPAA as well as FTC rules on e-PHI and state health data laws.
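The following is an added illustration of the gateway behaviour described above (content-triggered protection, AES-256 encryption or tokenization on the way out, transparent restoration for authorized users on the way back). It is example code written for this article, not CipherCloud's product code, and it makes several simplifying assumptions: the only content trigger is a US Social Security number pattern, the token vault is an in-memory map, and the AES key is generated in-process rather than held in an HSM or key management service. The sample record is constructed and contains no real PHI.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"regexp"
	"strings"
)

// Content triggers. ssnPattern finds a US Social Security number inside any
// field (the one trigger this example implements); encPattern finds a value
// this gateway has already encrypted.
var (
	ssnPattern = regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)
	encPattern = regexp.MustCompile(`enc:[A-Za-z0-9+/=]+`)
)

// Gateway stands in for an on-premise data protection gateway. The AES-256
// key and the token vault stay inside the perimeter; only their output goes
// to the cloud. The vault is an in-memory map here (an assumption).
type Gateway struct {
	aead  cipher.AEAD
	vault map[string]string // token -> original SSN
}

func NewGateway(key []byte) (*Gateway, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Gateway{aead: aead, vault: map[string]string{}}, nil
}

// Encrypt seals one value with AES-256-GCM under a fresh random 96-bit nonce
// and returns "enc:" + base64(nonce || ciphertext || tag). Random nonces are
// fine at this volume; a gateway encrypting billions of values under one key
// would need counter-based nonces or key rotation to avoid nonce reuse.
func (g *Gateway) Encrypt(plain string) (string, error) {
	nonce := make([]byte, g.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := g.aead.Seal(nonce, nonce, []byte(plain), nil)
	return "enc:" + base64.StdEncoding.EncodeToString(sealed), nil
}

// Decrypt reverses Encrypt. GCM's tag check makes a modified or foreign
// ciphertext fail here instead of yielding garbage.
func (g *Gateway) Decrypt(enc string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(enc, "enc:"))
	if err != nil {
		return "", err
	}
	ns := g.aead.NonceSize()
	if len(raw) < ns {
		return "", errors.New("ciphertext too short")
	}
	plain, err := g.aead.Open(nil, raw[:ns], raw[ns:], nil)
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

// Tokenize swaps an SSN for a random, SSN-shaped token so that validation and
// formatting in the cloud application keep working. The token carries no
// information about the SSN; the only way back is the vault.
func (g *Gateway) Tokenize(ssn string) (string, error) {
	for {
		digits := make([]byte, 9)
		for i := range digits {
			n, err := rand.Int(rand.Reader, big.NewInt(10)) // unbiased random digit
			if err != nil {
				return "", err
			}
			digits[i] = byte('0' + n.Int64())
		}
		tok := fmt.Sprintf("%s-%s-%s", digits[:3], digits[3:5], digits[5:])
		if _, used := g.vault[tok]; !used {
			g.vault[tok] = ssn
			return tok, nil
		}
	}
}

// replaceAll is regexp.ReplaceAllStringFunc with error propagation.
func replaceAll(re *regexp.Regexp, s string, fn func(string) (string, error)) (string, error) {
	var firstErr error
	out := re.ReplaceAllStringFunc(s, func(m string) string {
		r, err := fn(m)
		if err != nil && firstErr == nil {
			firstErr = err
		}
		return r
	})
	return out, firstErr
}

// Outbound applies the policy to a record on its way to the cloud: every SSN
// found in any field is replaced, surrounding text and other fields pass
// through untouched. mode is "encrypt" or "tokenize".
func (g *Gateway) Outbound(record map[string]string, mode string) (map[string]string, error) {
	protect := g.Encrypt
	if mode == "tokenize" {
		protect = g.Tokenize
	} else if mode != "encrypt" {
		return nil, fmt.Errorf("unknown mode %q", mode)
	}
	out := make(map[string]string, len(record))
	for k, v := range record {
		p, err := replaceAll(ssnPattern, v, protect)
		if err != nil {
			return nil, err
		}
		out[k] = p
	}
	return out, nil
}

// Inbound restores cleartext for an authorized user reading a record back.
func (g *Gateway) Inbound(record map[string]string) (map[string]string, error) {
	out := make(map[string]string, len(record))
	for k, v := range record {
		dec, err := replaceAll(encPattern, v, g.Decrypt)
		if err != nil {
			return nil, err
		}
		out[k], _ = replaceAll(ssnPattern, dec, func(tok string) (string, error) {
			if orig, ok := g.vault[tok]; ok {
				return orig, nil
			}
			return tok, nil // not one of our tokens: leave it alone
		})
	}
	return out, nil
}

func main() {
	key := make([]byte, 32)
	rand.Read(key) // constructed in-process key; a real deployment uses an HSM/KMS
	gw, _ := NewGateway(key)
	record := map[string]string{ // constructed sample record, not real PHI
		"name":  "Jane Doe",
		"ssn":   "123-45-6789",
		"notes": "Insurer references 987-65-4321 on the claim form",
	}
	for _, mode := range []string{"encrypt", "tokenize"} {
		cloud, _ := gw.Outbound(record, mode)
		back, _ := gw.Inbound(cloud)
		fmt.Printf("%s:\n  cloud sees %q\n  user sees  %q\n", mode, cloud["notes"], back["notes"])
	}
}
```

The point of the two modes is what the cloud side ends up holding: with encryption it stores a ciphertext that is unreadable without the gateway's key (the "rendered unreadable without use of a confidential key" condition the breach exemptions turn on), and with tokenization it stores a random value that is not derived from the SSN at all. Either way the key or vault is the thing that must be protected; whoever controls it can read everything, which is why the safe harbour is conditional on key protection.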