5 HIPAA Questions to Ask Your Cloud Hosting Service Provider

Guest post by Madelyn Kearns from Medical Practice Insider

When it comes to privacy and security measures within healthcare, the government is starting to really crack down.

The Federal Trade Commission and the Securities and Exchange Commission have aligned with the Office for Civil Rights to provide stronger safeguarding for protected health information (PHI). Meanwhile, the OCR itself has been aggressively doling out significant financial penalties to organizations that aren’t up to baseline PHI standards.

“OCR is losing patience quickly with organizations who aren’t prepared,” said Adam Greene, partner with Davis Wright Tremaine LLP, during a recent HIPAA panel discussion. “Not having a risk analysis in place, not encrypting laptops, failing to have a culture of compliance … there was a [time] when a corrective action plan would be enough to satisfy OCR in these areas, but those days are behind us.”

In the face of HIPAA and OCR oversight, providers must conduct thorough risk analyses and are advised to build organization-wide compliance awareness. Security company Catbird advises physicians to take these in-house efforts and apply them to their cloud hosts as well.

Given that 66 percent of breaches in 2013 took months to discover and over 70 percent of those breaches were identified by external parties (per Verizon’s 2013 Data Breach Investigations Report), providers need to bring hosts into their compliance efforts by asking the following questions, according to Catbird:

  1. Which specific HIPAA controls do you cover in your cloud environment? HIPAA controls are based upon NIST 800-53 security standards. Your host should be able to provide a list of the 800-53 controls that are in place, including inventory management, access control, configuration management, change control, vulnerability assessment, incident response and auditing, all of which are HIPAA-required controls for applications residing in your cloud host’s environment.
  2. What evidence can you provide that my applications and PHI are separated from other customers on your cloud? Hosts should be able to provide a real-time virtual network diagram or other evidence that your applications are separate from other cloud tenants’ applications, along with a technical explanation of their segmentation process, which should include access control and continuous monitoring for changes and violations of separation rules.
  3. Are you able to continuously monitor the efficacy of your controls and provide real-time alerts and mitigation when a control has failed? Continuous monitoring is a HIPAA requirement. Real-time alerts, active monitoring and mitigation processes are essential to maintaining control in the cloud. Malicious traffic is present on 100 percent of networks, and a swift, intelligent response to a control failure or attack is critical to minimizing damage and preventing future attacks.
  4. Can you provide vulnerability scans, configuration checks, and other risk assessment capabilities on a routine schedule? Hosts should be able to provide real-time reports for all of their security controls as demonstrative evidence of control and HIPAA compliance.
  5. Can you provide real-time net flow diagrams to demonstrate that my apps are connecting according to policy, and that they are indeed segmented from other clients? Automated net flow diagrams (not reconstructed net flow paths) provide immediate proof of HIPAA compliance, illustrating that access control rules are in place. Reconstruction of a net flow path takes time and could prove too late to fix a control failure or stop a breach that occurred because of a control failure. Hosts should be able to generate real-time diagrams of your application environment.
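As an added illustration of the separation checks behind questions 2 and 5 (example code written for this post, not Catbird’s or any host’s tooling), the script below evaluates constructed flow records against a hypothetical tenant map and allow-list and flags any cross-tenant connection that policy does not permit; the tenant names, subnets, ports and flow records are all assumptions.

```python
import ipaddress

# Hypothetical tenant layout (constructed sample data, not from the article).
TENANTS = {
    "clinic-a": ipaddress.ip_network("10.1.0.0/24"),
    "clinic-b": ipaddress.ip_network("10.2.0.0/24"),
    "shared": ipaddress.ip_network("10.9.0.0/24"),  # host-provided services
}

# Cross-tenant flows explicitly permitted: (src_tenant, dst_tenant, dst_port).
ALLOW = {
    ("clinic-a", "shared", 514),  # syslog to the host's monitoring service
    ("clinic-b", "shared", 514),
}

def tenant_of(ip):
    """Map an address to its tenant, or 'unknown' if it is in no tenant subnet."""
    addr = ipaddress.ip_address(ip)
    for name, net in TENANTS.items():
        if addr in net:
            return name
    return "unknown"

def check_flows(flows):
    """Return (src, dst, port, reason) for each flow that breaks segmentation."""
    violations = []
    for src, dst, port in flows:
        s, d = tenant_of(src), tenant_of(dst)
        if s == d and s != "unknown":
            continue  # intra-tenant traffic is allowed by default
        if (s, d, port) in ALLOW:
            continue  # explicitly permitted shared service
        if "unknown" in (s, d):
            reason = "unmapped address"
        else:
            reason = f"{s} -> {d} on port {port} not permitted"
        violations.append((src, dst, port, reason))
    return violations

# Constructed flow records standing in for a NetFlow/IPFIX export.
SAMPLE_FLOWS = [
    ("10.1.0.5", "10.1.0.20", 443),   # clinic-a internal: fine
    ("10.1.0.5", "10.9.0.2", 514),    # clinic-a -> shared syslog: allowed
    ("10.1.0.7", "10.2.0.15", 1433),  # clinic-a -> clinic-b database: violation
    ("192.0.2.9", "10.2.0.15", 22),   # source outside any tenant: violation
]
if __name__ == "__main__":
    for v in check_flows(SAMPLE_FLOWS):
        print("ALERT:", *v)
```

Run continuously against a live flow export, the same check is what turns a static network diagram into the real-time evidence of separation the questions above ask a host for.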

Photo source: © Nevit Dilmen


Comments

Jason Aberdeen

As an information security specialist for many years, I unfortunately see the same recurring theme with healthcare businesses time and time again, and that’s the failure to implement comprehensive security policies, procedures, processes, and other fundamental initiatives. With so many free and cost-effective solutions available online, there are really no excuses as to why businesses don’t take the necessary steps for ensuring the safety and security of one’s entire network infrastructure. What’s also frustrating is not seeing comprehensive security awareness training and other basic, fundamental programs, like annual risk assessments, that should be in place for further helping protect organizational assets. There are literally hundreds of sites offering free employee training material. It’s time companies got serious about security and not just profits, because data breaches are continuing to grow at such an alarming rate. Think about it: what business do you even have if a significant data breach occurs? Kiss your profits goodbye and say hello to the onslaught of lawsuits sure to arrive.

Heather McFarland

Covered Entities and Business Associates should be focusing on the true merits of HIPAA compliance, and that’s putting in place documented HIPAA information security and operational policies, procedures, and processes. I’ve worked with so many healthcare providers that lack the basic and fundamental documentation for HIPAA compliance; therefore it’s easy to see why non-compliance issues are still a major factor with HIPAA. I also hear healthcare companies express cost concerns about developing such documents, along with implementing risk assessment and security training initiatives, but with all the free and cost-effective tools available (some of them straight from hhs.gov!), there’s really no excuse for not being HIPAA compliant. Everyone needs to be ensuring the safety and security of PHI; it’s really that simple.
