How to Maintain HIPAA Compliance in Public Cloud Environments

The benefits of public cloud computing solutions make them very attractive to all types of businesses. One of the advantages offered by public cloud vendors is the availability of advanced technology and the ability to configure systems to meet the needs of any business. This includes assisting businesses that need to maintain regulatory compliance with guidelines affecting their industry.

In this article, we are going to discuss the factors and characteristics of public cloud solutions that are important for companies operating in the healthcare field in the United States. Specifically, we will look at the challenges associated with migrating from in-house data processing to a public cloud solution. With the right planning and questions, businesses can establish a relationship with a managed service provider (MSP) offering HIPAA Cloud Hosting services. 

HIPAA compliance and cloud computing

The Health Insurance Portability and Accountability Act (HIPAA) mandates certain levels of data privacy and security as it relates to protected health information (PHI) and electronic protected health information (ePHI). This covers all paper and electronically stored or transmitted individually identifiable information relating to a patient’s past, present, or future health status. 

Public cloud HIPAA compliance refers to offerings by MSPs that conform to the privacy and security standards laid out in the HIPAA rules. The rules define physical, technical, and administrative safeguards that need to be followed when handling PHI. Failure to implement the safeguards will result in HIPAA violations. 

What to look for in a HIPAA compliant cloud hosting solution

Many small and medium-sized businesses don’t have the IT resources necessary to ensure their data processing is HIPAA compliant. But by taking advantage of services offered by cloud hosting providers, many companies can achieve HIPAA compliance at an affordable price.

The following is a checklist of the security features and services that must be offered by a provider to establish HIPAA compliant cloud hosting for your computing environment.

• Private and segmented infrastructure is a cybersecurity best practice that will minimize vulnerabilities and ensure the protection of your data. Sharing resources with other businesses is common in standard public cloud offerings. But in order for the environment to be more secure, it must not be shared by or accessible to others. 

• Anti-malware protection is necessary to keep malware, spyware, and viruses out of your infrastructure. Ransomware attacks on entities in the healthcare field are increasing, making it more important than ever to protect computing resources. It is a HIPAA requirement that organizations use a reliable anti-malware solution.¹ 

• Intrusion prevention monitors all inbound and outbound traffic for activity and scans for policy violations or potential threats. This includes early detection prevention, and blocking or suspicious traffic, packet logging and reporting, and real-time traffic analysis.¹ 

• Encrypted virtual private networks (VPNs) are necessary to protect PHI as it is transmitted through your infrastructure. Unencrypted transmission on public networks opens the door for unauthorized access and potential data breaches involving ePHI.² 

• Strong encryption of all data is necessary to properly safeguard protected information. Ideally, data is encrypted when in use, during transmission, and at rest. The goal is to ensure that in the event of a data breach, the privacy of PHI is maintained by rendering the information unreadable by hackers.³

• A managed firewall helps control network traffic and limits access to systems that store ePHI. Maintaining a firewall without the proper technical resource is a recipe for disaster. A reliable cloud provider will manage your firewall based on policies that make sense for your HIPAA compliance.² 

• HIPAA compliant cloud storage is essential and ties back to the encryption and VPNs implemented in your infrastructure. HIPAA cloud storage needs to meet the encryption and data protection standards outlined in the guidelines. Access to stored PHI needs to be restricted to authorized personnel.⁴ 

• Encrypted onsite and offsite backups of HIPAA-compliant data storage resources are an essential part of a cloud solution. The backups need to be encrypted to guard against data breaches. Backup sets need to be stored onsite and offsite to allow for prompt recovery on system issues and large-scale disaster recovery if necessary.⁴ 

Additional questions to ask

Are high levels of system availability guaranteed?

Highly available infrastructure is a requirement for the majority of companies in the healthcare field. Providers should be willing to sign service level agreements (SLAs) that protect the customer against unplanned outages. 

Is the provider certified? 

A cloud provider should be able to provide proof of SOC 2 TYPE II and SOC 3 TYPE II certification that demonstrates their ability to provide HIPAA compliant services. 

Will the provider sign a BAA?

A Business Associate Agreement (BAA) defines the MSP’s role in protecting the Covered Entity’s PHI. Providers not willing to sign an agreement outlining their responsibilities regarding the secure storage of data should be avoided. 

Are in-house resources available?

The cloud provider is expected to handle issues such as keeping up with industry standards, employing best practices, and ensuring all infrastructure components are patched and updated regularly to maintain HIPAA compliance. These items will need to be addressed by in-house technical resources if you opt to go without a cloud provider. 

Conclusion

Public cloud HIPAA compliance is possible when engaging a capable provider. The MSP you choose needs to be able to answer all of your questions regarding their capacity to address HIPAA regulations. Seek out a vendor with a proven track record of implementing HIPAA compliant hosting. Taking risks with HIPAA compliance puts an organization at risk for financial penalties. It also puts sensitive data in your care at risk. Make sure you choose the right provider so you can avoid those potential perils. 

Contributed by Atlantic.Net, Inc.

Atlantic.Net provides HIPAA-compliant hosting. Our state-of-the-art infrastructure is SOC2, SOC3, HIPAA, and HITECH compliant and housed in secure, climate-controlled facilities with constant monitoring and multiple direct connections to the Internet backbone to ensure availability and data safety.

Brett Haines, Vice President

As Vice President, Brett continues to use new and creative ways to increase quality, efficiency, and customer satisfaction. With over 15 years of sales, networking, technology, and management experience, Brett is directly responsible for overseeing the Sales, Sales Engineering, and Product Management teams.

Have you performed a Risk Assessment in the past year? Do you have updated HIPAA Policies and Procedures in place? Our HIPAA Prime™ program does all this and more! We create customized compliance documents and provide your staff with easy online training, ensuring compliance for your business.

Want to know more about how you can become HIPAA compliant?

Email us at info@totalhipaa.com to learn more about how we can help your organization become (and stay!) HIPAA compliant. Or, get started here.

1. §164.308(5)(B)
2. §164.312(e)(1) 
3. §164.312(e)(2)(ii) 
4. § 164.314(a)(1)

Sharing is caring!