November 10, 2021
Compliance

How to Meet HIPAA Compliance in the Public Cloud

Where do your responsibilities start and end when it comes to HIPAA Compliance? What does HIPAA even mean in a cloud context? This is a federal law not to be trifled with.


The public cloud service market is expected to reach $623 billion by 2023 worldwide, according to Gartner. And according to a recent IDG survey, 39 percent of enterprises struggle with cloud compliance. So it’s important that we talk about HIPAA compliance specifically as it relates to cloud environments, and how you can achieve HIPAA compliance in the public cloud.

HIPAA: A Brief Overview

First, let’s quickly review what HIPAA is. The Healthcare Insurance Portability and Accountability Act is a federal law passed in 1996 that specifies security, privacy, and enforcement rules to protect Personal Health Information (PHI). A similar law called HITECH was passed in 2009 that updated HIPAA standards for security and privacy to account for medical records now being stored digitally rather than on paper.

HIPAA and HITECH apply to health plans, healthcare clearinghouses, and to any healthcare provider who transmits PHI electronically (known as Covered Entities). They also apply to organizations that process electronic healthcare transactions, including private sector vendors and third-party administrators.

In 2013, the HIPAA Final Omnibus Rule was passed, again updating requirements for Covered Entities and their Business Associates (BAs). While there are many examples of a Business Associate, we’ll focus on Managed Service Providers that organize and store PHI on behalf of healthcare organizations.

Meeting HIPAA Compliance

The main parts of HIPAA that most organizations focus on are the HIPAA Privacy and Security Rules. Architecting a compliant infrastructure (at a high level) includes redundant internet, HA networking, proactive monitoring, and OS patch management. (Check out this white paper for more on HIPAA compliant cloud infrastructure.) While not required, it’s best practice to put in place security tools like vulnerability scanning, web application firewalls and, of course, encryption.

You’ll also need to consider some not-so-technical parts of your environment: HIPAA-trained staff, change management policies and procedures, and third-party audit reports. And of course, any disaster recovery or backup environments you have will also need to be HIPAA compliant.

HIPAA Compliance in Public Cloud

Planning to move your applications to a public cloud such as Azure or AWS and need to meet HIPAA compliance? Great! There are many good reasons to move to the public cloud. Most of the architecture will already be in place for you, at least from an infrastructure perspective. You’ll need to focus on maintaining compliance when you layer your OS, software, and applications on top, and ensure that any data transfers that occur in and out of your cloud are compliant.

Each customer is still responsible for ensuring their applications, networking, and OS are also compliant. This is a federal law we’re talking about, and the penalties for breaching compliance have ranged from fines in the millions to even jail time.

That got your attention – and it should, especially since a business associate like AWS is only required to keep up its end of the bargain. As a Covered Entity (CE), you need to ensure you’re also holding up your end.

Whether you’re a hospital using AWS to store and manage patient data or an MSP who’s managing a hospital’s medical records stored in AWS, you’ll need to treat hyperscale providers like any other business associate. The Shared Responsibility Model outlines exactly what the provider is responsible for and what the customer is responsible for. But don’t just take their word for it. It’s wise to run your own audits and check with outside compliance experts to ensure you’re really doing everything correctly on your end. A vendor like AWS with its teams of compliance experts will require less management/oversight than perhaps a smaller MSP, but it is not their job to ensure your stack layers meet HIPAA compliance (or any other compliance, for that matter).

Third Party Tools to Maintain HIPAA Compliance

Because you’re basically on your own when it comes to Public Cloud management, investing in outside resources to keep your environment in check is critical to maintaining cloud compliance. Rules and regulations change constantly, and while HIPAA has remained relatively intact since 2013, your environment is hopefully growing and changing by leaps and bounds each year. You’ll need to watch those changes and updates carefully to ensure you haven’t gone lax on your HIPAA compliance.

A tool like Tenacity can help identify vulnerabilities and misconfigurations in your environment in near real-time and give you a simple yes/no response to whether your environment meets HIPAA compliance. From there, you can enlist the help you need to bring your systems up to date (or breathe a sigh of relief if you’re compliant!).

What Have We Learned?

HIPAA is a federal law that details specific rules around privacy and security for healthcare providers, their vendors and anyone who handles PHI. Meeting HIPAA compliance is therefore critical for these groups and there are stiff penalties for those who do not comply. To meet the HIPAA privacy and security rules, you’ll need to consider every angle of your environment - storage, networking, software, applications, access control, policies, disaster recovery, and so much more.

For public cloud users, some of this is taken care of, but not all. Review the shared responsibility matrices your provider offers and enlist outside help as needed. If you’re struggling to figure it out on your own, a tool like Tenacity can scan your environment and identify any missing pieces - and that can help you properly configure a HIPAA compliant public cloud.

Even if you think you’re HIPAA compliant, you know how important it is to get a second opinion. Like good healthcare, early diagnosis is key. Check out Tenacity to learn how we can help lower your stress and your blood pressure when it comes to getting and staying HIPAA compliant.
