Guest post by Madelyn Kearns from Medical Practice Insider

When it comes to privacy and security measures within healthcare, the government is starting to really crack down.
The Federal Trade Commission and the Securities and Exchange Commission have aligned with the Office for Civil Rights (OCR) to provide stronger safeguarding for protected health information (PHI). Meanwhile, the OCR itself has been aggressively doling out significant financial penalties to organizations that aren’t up to baseline PHI standards.
“OCR is losing patience quickly with organizations who aren’t prepared,” said Adam Greene, partner with Davis Wright Tremaine LLP, during a recent HIPAA panel discussion. “Not having a risk analysis in place, not encrypting laptops, failing to have a culture of compliance … there was a [time] when a corrective action plan would be enough to satisfy OCR in these areas, but those days are behind us.”
In the face of HIPAA and OCR oversight, providers must conduct thorough risk analyses and are advised to build organization-wide compliance awareness. Security company Catbird advises physicians to take these in-house efforts and apply them to their cloud hosts as well.
Given that 66 percent of breaches in 2013 took months to discover and over 70 percent of those breaches were identified by external parties (per Verizon’s 2013 Data Breach Investigations Report), providers need to bring hosts into their compliance efforts by asking the following questions, according to Catbird:
- Which specific HIPAA controls do you cover in your cloud environment? HIPAA controls are based upon the NIST 800-53 security standards. Your host should be able to provide a list of the 800-53 controls that are in place, which should include inventory management, access control, configuration management, change control, vulnerability assessment, incident response and auditing; all of these are HIPAA-required controls for applications residing in your cloud host’s environment.
- What evidence can you provide that my applications and PHI are separated from other customers on your cloud? Hosts should be able to provide a real-time virtual network diagram or other evidence that your applications are separate from other cloud tenants’ applications along with a technical explanation of their segmentation process, which should include access control and continuous monitoring for changes and violation of separation rules.
- Are you able to continuously monitor the efficacy of your controls and provide real-time alerts and mitigation when a control has failed? Continuous monitoring is a HIPAA requirement. Real-time alerts, active monitoring and mitigation processes are essential to maintaining control in the cloud. Malicious traffic is on 100 percent of networks and a swift, intelligent response to a control failure or attack is critical to minimizing damage and preventing future attacks.
- Can you provide vulnerability scans, configuration checks, and other risk assessment capabilities on a routine schedule? Hosts should be able to provide real-time reports for all of their security controls as demonstrative evidence of control and HIPAA compliance.
- Can you provide real-time net flow diagrams to demonstrate that my apps are connecting according to policy, and that they are indeed segmented from other clients? Automated net flow diagrams (not reconstructed net flow paths) provide immediate proof of HIPAA compliance, illustrating that access control rules are in place. Reconstruction of a net flow path takes time and could prove too late to fix a control failure or stop a breach that occurred because of a control failure. Hosts should be able to generate real-time diagrams of your application environment.
Photo source: © Nevit Dilmen