After attending HIMSS 2014…Some observations
The economics of cloud adoption are almost a no-brainer, but the logistics of HIPAA compliance in the cloud, unfortunately, are not. There are several key challenges to HIPAA compliance in the cloud. Let’s examine three of them and how to address these challenges.
1. Loss of visibility
Back in the pre-cloud days, enterprises had a much better handle on their data. Sensitive data resided on-premises, behind firewalls and other perimeter technologies designed to prevent intrusion and unwanted access. Cloud adoption changes the boundary of the perimeter. It also makes visibility into data access and use more of a challenge. This raises several questions:
- Where does the data actually reside? The geographical location of a cloud provider’s data center has bearing on what regional privacy and disclosure laws apply to it.
- What content is in which cloud?
- Who has access to the data? Maintaining HIPAA compliance requires a full knowledge of what data you send to the cloud, where it lives, and who can access it.
2. Loss of control
Also key to HIPAA compliance in the cloud is control. Simply put, HIPAA compliance and data protection in general demand control. You must be able to control which data gets put in the cloud, how that data is protected, and who has access to it. The recent modifications to HIPAA seemingly extend responsibility for control to cloud providers as Business Associates (BAs), but ultimately, covered entities remain responsible for their data and must maintain control.
Loss of visibility and control can lead to disaster, as several healthcare organizations have learned the hard way. Back in 2013, more than 3,000 patients at the Oregon Health & Science University (OHSU) had their information stored in unencrypted spreadsheets on the Google cloud, in violation not only of HIPAA but also of internal policy. This incident speaks not only to a loss of control on OHSU’s part—the personnel who inappropriately stored the information should never have been able to do so in the first place—but also to a lack of visibility into OHSU’s Google cloud adoption.
In an even more alarming incident, the Santa Barbara, CA-based Cottage Health System was found to have exposed the health care information of 32,500 patients for a full 14 months. The breach involved both Google and a third-party BA, which had failed to appropriately protect one of its servers. Again, a lack of visibility into, and control over, third-party clouds proved problematic.
3. Interoperability and Scalability
While attending HIMSS14 this week, I had the opportunity to talk with several HIPAA/HITECH experts and attend their sessions. Much of the discussion was around breach notification mitigation, sharing of data amongst ACOs/OHCAs and covered entities, and the inherent complexities of the security and privacy of patient data.
To that end, any successful cloud protection solution for HIPAA compliance must be architected from the ground up to support advanced security capabilities, and must be extensible enough to integrate with customer-centric use cases and business-logic workflows, now and into the future.
Before you can protect sensitive patient information in the cloud it’s important to ensure that:
- The cloud information platform architecture is globally distributed and redundant, and is supported out of the box, to minimize downtime and performance overhead
- Options are available to avoid storing any sensitive data in mission-critical databases on-premises
- A single, easily-manageable platform can scale to secure multiple cloud applications and extend to accommodate interoperability requirements now and into the future
To address these challenges, CipherCloud advocates a policy we call “Discover, Protect, Monitor.”
To ensure HIPAA compliance, you must first discover what you have to protect. CipherCloud offers turnkey DLP controls and policies for HIPAA compliance and provides the tools to monitor user activity and data access across cloud applications like Salesforce, Chatter, and Gmail. These tools, in conjunction with a clear understanding of your data’s residency in the cloud and the implications for privacy, give you a solid footing.
With that footing, it becomes possible to protect the data. For HIPAA compliance, that protection will most likely involve Searchable Strong Encryption (SSE), built on AES 256-bit encryption, or tokenization, applied at a granular level and, where the content type requires it, on the fly. Enterprises keep the encryption keys, of course, adding another layer of control. Meanwhile, cloud applications continue to function seamlessly.
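To make the tokenization half of that approach concrete, here is an added illustration (not CipherCloud's product code) of an enterprise-held token vault that replaces PHI fields with random tokens before a record goes to a cloud app, while keeping exact-match lookups possible. The vault, field names, key and sample record are all constructed for the example; the consistency-versus-leakage trade-off noted in the comments is the caveat a practitioner should weigh.

```python
import hashlib
import hmac
import secrets

# Constructed policy: these fields are PHI and never leave the enterprise in the clear.
PHI_FIELDS = {"patient_name", "ssn", "diagnosis"}


class TokenVault:
    """Hypothetical enterprise-held vault. The cloud app only ever receives tokens;
    the vault contents and its secret stay on the covered entity's side."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key   # keyed, so tags cannot be brute-forced without it
        self._token_by_tag = {}       # HMAC(field, value) -> token
        self._value_by_token = {}     # token -> plaintext

    def _tag(self, field_name: str, value: str) -> str:
        # Per-field keyed tag: the same value maps to the same token within one field,
        # so exact-match search and joins in the cloud app keep working.
        msg = field_name.encode() + b"\x00" + value.encode()
        return hmac.new(self._index_key, msg, hashlib.sha256).hexdigest()

    def tokenize(self, field_name: str, value: str) -> str:
        tag = self._tag(field_name, value)
        token = self._token_by_tag.get(tag)
        if token is None:
            token = "tok_" + secrets.token_hex(16)  # random; reveals nothing about value
            self._token_by_tag[tag] = token
            self._value_by_token[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self._value_by_token[token]

    def search_token(self, field_name: str, value: str):
        """Token to query the cloud app for, or None if the value was never stored.
        Caveat: consistent tokens reveal equality and frequency of values to the cloud."""
        return self._token_by_tag.get(self._tag(field_name, value))


def protect_record(vault: TokenVault, record: dict) -> dict:
    """Replace PHI fields with tokens before the record is sent to the cloud app."""
    return {k: vault.tokenize(k, v) if k in PHI_FIELDS else v for k, v in record.items()}


def reveal_record(vault: TokenVault, cloud_record: dict) -> dict:
    """Reverse the mapping on-premises for an authorized reader."""
    return {k: vault.detokenize(v) if k in PHI_FIELDS else v for k, v in cloud_record.items()}


def demo() -> dict:
    vault = TokenVault(index_key=b"constructed-demo-key-not-for-production")
    record = {"mrn": "000123", "patient_name": "Jane Doe", "ssn": "123-45-6789",
              "diagnosis": "J45.20", "visit_date": "2014-02-25"}  # constructed sample
    stored = protect_record(vault, record)
    return {"stored": stored, "recovered": reveal_record(vault, stored),
            "lookup": vault.search_token("ssn", record["ssn"])}
```

Non-PHI fields such as the MRN and visit date pass through unchanged, which is what lets the cloud application keep working on the protected record.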
Once protection has been put into place, it’s time to monitor what’s happening with your data in the cloud. HIPAA compliance is a moving target. Granular, context-based visibility and reporting into user activity in cloud applications can help enterprises quickly identify anomalous behavior and violations. Correlation between different cloud applications unifies control and provides a consistent, centralized point of command.
HIPAA compliance in the cloud can be a challenge, but the solution is ultimately simple. If you appropriately discover, protect, and monitor your data in the cloud, you can enjoy the benefits of the cloud without incurring its risks.
How does your organization plan to achieve HIPAA compliance in the cloud? Tell us your thoughts in the comments.