How to Use HIPAA Guidelines to Keep Your Data Safe in the Cloud

October 21, 2015

Nowadays, more people than ever are using and benefiting from modern technology. Until recently, however, data storage posed a real problem for those users – as did keeping digitally stored information safe.

The cloud allows storage of data on a server outside your computer instead of, or in addition to, the data being on your computer. It allows a user to access data anywhere and download a new copy of the file if something happens to the original or the user wants to use a file on multiple computers. With cloud service becoming more popular, people are also storing increasingly sensitive data in cloud storage. This isn’t a bad idea, but taking precautions to keep data stored in the cloud private is important.

One way to keep cloud data safe is by using HIPAA regulations. The Health Insurance Portability and Accountability Act, also known as HIPAA, is a set of regulations put in place by the U.S. government to protect and secure individuals’ private information. Complying with HIPAA guidelines isn’t just for the healthcare sector, though. Nowadays, people storing any kind of sensitive information in the cloud can vet cloud providers by checking whether their business practices are HIPAA compliant.

HIPAA requires compliance with administrative, technical, and physical safeguards for keeping electronic personal health information safe, but one could substitute any type of data and use the precautions the same way. If you would like to find cloud service providers that use these types of precautions, make sure the provider adheres to the following key elements of HIPAA guidelines.

• Business Associate Agreement – this agreement requires third parties that store or handle healthcare information on a covered organization’s behalf to also be HIPAA compliant. A HIPAA business associate agreement (BAA) works in much the same way for cloud storage. If your storage provider has partnerships with other businesses or uses a third party to store cloud data, it’s just as important that these businesses have a BAA holding them liable, along with your provider, if there is a security breach.
• Data Encryption – Any remote access to data, system administration connections, and data transfers should be encrypted using an SSL VPN. Access through this virtual private network should only be allowed after a two-step authentication process – for example, asking for both your birthday and your password before granting access to the information. Likewise, the VPN should use at least 256-bit SSL. Any backups of data should also be encrypted, and access to those backups should be logged. Access to backups should require the same two-step authentication process as the primary data.
• Backup – Backup procedures should be in place that allow the system to create, maintain, and retrieve exact copies of any data stored in the cloud. Backups should be taken incrementally on a daily basis and in full at least weekly. Offsite backup is also a key part of the disaster recovery plan that every HIPAA compliant business must have. To avoid catastrophic data loss, more than one data facility should be used, in entirely separate locations. These facilities should create and store identical backup copies of the data and make them accessible to you in the event of data loss at the primary facility. Backups should be replicated to offsite centers like these every 24 hours.
• Physical, Logical, and Network Access Controls – All network access controls should comply with PCI, SSAE 16, and Safe Harbor. There must also be separation between each user’s data, and all access to any of the servers must be logged. Firewalls should be in place between public and private zones. Documentation should be available and easy to access showing the provider’s policies on general security matters such as passwords, viruses, incident management, risk management, access to data, and the storage and deletion of data.
• Risk Assessment – All providers should regularly look for vulnerabilities in their systems as part of providing a high level of data security. Users should look for the following risk assessment checks:
  • monthly third-party vulnerability scans, with the findings discussed and remediated;
  • whitelists on IDS/IPS and firewalls in front of any web applications, as well as regular patching and updating to ensure security updates are applied;
  • research into proactive notification of potential threats;
  • comprehensive logging;
  • monitoring to detect changes in the file systems, including the prevention of back doors and rootkits;
  • keeping logs on a separate, external backup server so attackers cannot cover their tracks by modifying access logs;
  • an enhanced firewall and web application firewall, with dual-factor authentication and extended logging for remote users.
• Security, Incident, and Training Policies – If your provider follows HIPAA compliance, it should have comprehensive policies that evolve to keep up with recommended practices and security standards, and these policies should be documented and provided on request. These policies cover how technology, processes, and people work together toward the common goal of protecting data. The specific policy documents you’ll want to check for are the Annual SOC 2 Type 2 Auditor’s Report, the Patching and Maintenance Policy, and the Escalation Procedures.
• SSAE 16, Type 2 – SSAE 16 is a regulation created by the Auditing Standards Board of the American Institute of Certified Public Accountants that defines how data centers must report on compliance controls, and it is the most comprehensive approach. When a company uses SSAE 16, all processes are validated through rigorous control procedures by independent, board-licensed CPA auditors. As with HIPAA guidelines in general, any third party should also be SSAE 16 compliant. Meanwhile, SOC 2, known as the Trust Service Principles, has more demanding security criteria than the less rigid SOC 1. These criteria include ensuring that the provider’s system was designed and implemented during a period of examination, as opposed to being created and then examined on a single date, and that the control objectives in the description were designed with compliance in mind during that creation and examination period.
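As an added illustration (not code from the original article or from any provider), the following Python script checks a backup log against the three schedule rules stated in the Backup item above: a backup every day, a full backup at least weekly, and offsite replication within 24 hours. The log format and the sample entries are constructed for this example.

```python
from datetime import datetime, timedelta
FULL_EVERY_DAYS = 7        # page's rule: a full backup at least weekly
OFFSITE_WITHIN_HOURS = 24  # page's rule: replicated to an offsite center every 24 hours
# Constructed sample log (not a real provider's): "<ISO timestamp> <full|incremental> <primary|offsite> <snapshot id>"
SAMPLE_LOG = """\
2015-10-11T01:00:00 full primary snap-0
2015-10-11T20:00:00 full offsite snap-0
2015-10-12T01:00:00 incremental primary snap-1
2015-10-12T22:00:00 incremental offsite snap-1
2015-10-13T01:00:00 incremental primary snap-2
2015-10-15T01:00:00 incremental primary snap-3
2015-10-15T23:00:00 incremental offsite snap-3
2015-10-16T01:00:00 incremental primary snap-4
2015-10-16T22:00:00 incremental offsite snap-4
2015-10-17T01:00:00 incremental primary snap-5
2015-10-17T22:00:00 incremental offsite snap-5
2015-10-18T01:00:00 incremental primary snap-6
2015-10-18T22:00:00 incremental offsite snap-6
2015-10-19T01:00:00 incremental primary snap-7
2015-10-20T04:00:00 incremental offsite snap-7
"""

def check_backup_policy(log_text):
    """Return the policy violations found in a backup log (empty list = compliant)."""
    rows = [line.split() for line in log_text.splitlines() if line.strip()]
    entries = [(datetime.fromisoformat(t), kind, site, snap) for t, kind, site, snap in rows]
    primary = [e for e in entries if e[2] == "primary"]
    if not primary:
        return ["no primary backups in log"]
    offsite = {snap: ts for ts, _, site, snap in entries if site == "offsite"}
    violations = []
    # 1. Daily coverage: every calendar day in the log's span needs a primary backup.
    seen = {ts.date() for ts, *_ in primary}
    day, last = primary[0][0].date(), primary[-1][0].date()
    while day <= last:
        if day not in seen:
            violations.append(f"no backup on {day}")
        day += timedelta(days=1)
    # 2. Weekly full: no stretch longer than 7 days without a full, from log start to log end.
    marks = [primary[0][0]] + [ts for ts, kind, *_ in primary if kind == "full"] + [primary[-1][0]]
    for a, b in zip(marks, marks[1:]):
        if (b - a).days > FULL_EVERY_DAYS:
            violations.append(f"no full backup between {a.date()} and {b.date()} ({(b - a).days} days)")
    # 3. Offsite replication: each primary snapshot needs an offsite copy within 24 hours.
    for ts, _, _, snap in primary:
        if snap not in offsite:
            violations.append(f"{snap} has no offsite copy")
        elif (offsite[snap] - ts) > timedelta(hours=OFFSITE_WITHIN_HOURS):
            violations.append(f"{snap} replicated offsite after {(offsite[snap] - ts).total_seconds() / 3600:.0f}h")
    return violations
```

Running `check_backup_policy(SAMPLE_LOG)` flags the missing day, the overdue full backup, the snapshot that never reached the offsite center, and the one replicated too late; a provider's real export would be fed in the same way once mapped to this line format.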

While this amount of information and its mind-boggling security terminology may overwhelm even experienced technology users, reading through it, making notes, researching the points you don’t understand, and then making sure your cloud provider meets HIPAA compliance is a great way to keep your data both accessible to you and safe from others while it’s in the cloud.