One place for hosting & domains


      Are Private Clouds HIPAA Compliant?

      HIPAA compliant practices are in place to protect the privacy and security of protected health information (PHI). With the rise in popularity of cloud infrastructure solutions, more health providers are moving their IT infrastructure off premise. But before a move can happen, providers must ensure their practices, the cloud provider and the solution itself follows HIPAA’s rules and guidelines. Here, we’ll explore whether private clouds meet these guidelines.

      So, are hosted private clouds a HIPAA compliant option? The short answer is, “Yes!” But that doesn’t mean all private cloud environments are ready out of the gate. For more nuance, let’s first discuss some HIPAA basics.

      HIPAA Privacy and Security Rules

      Where does third-party IT infrastructure and HIPAA compliance intersect?

      There are numerous rules around HIPAA, including privacy, security and breach notifications that establish protections around PHI that covered entities (healthcare providers, insurance providers, etc.) and business associates (those performing functions or activities for, or providing services to a covered entity involving PHI) must follow. Cloud service providers are considered business associates.

      PHI includes any identifiable information about a patient, such as last name, first name and date of birth. And today’s electronic health record (EHR) systems store much more identifiable information, such as social security numbers, addresses and phone numbers, insurance cards and driver licenses, which can be used to identify a person or build a more complete patient profile.

      The HIPAA Privacy Rule relates to the covered entities and business associates and defines and limits when a person’s PHI may be used or disclosed.

      The HIPAA Security Rule establishes the security standards for protecting PHI stored or transferred in electronic form. This rule, in conjunction with the Privacy Rule, is critical to keep in mind as consumers research cloud providers, as covered entities must have technical and non-technical safeguards to secure PHI.

      According to U.S. Department of Health & Human Services, the general rules around security are:

      • Ensure the confidentiality, integrity and availability of all e-PHI they create, receive, maintain or transmit;
      • Identify and protect against reasonably anticipated threats to the security or integrity of the information;
      • Protect against reasonably anticipated, impermissible uses or disclosures; and
      • Ensure compliance by their workforce.

      Compliance is a shared effort between the covered entity and the business associate. With that in mind, how do cloud providers address these rules?

      HIPAA: Private vs. Public Cloud

      A cloud can be most simply defined as remote servers providing compute and storage resources, which are available through the internet or other communication channels. Cloud resources can be consumed and billed per minute or hour or by flat monthly fees. The main difference between private and public clouds is that private cloud compute resources are fully dedicated to one client (single-tenant) while public cloud resources are shared between two or more clients (multi-tenant). Storage resources can also be single or multi-tenant in private clouds while still complying with HIPAA policies.

      HIPAA compliancy can be achieved in both private and public clouds by effectively securing, monitoring and tracking access to patient data. Private clouds, however, allow more granular control and visibility into the underlying layers of the infrastructure such as servers, switches, firewalls and storage. This extra visibility into a private cloud, combined with the assurance the environment is physically isolated , is very helpful when auditing your cloud environment against HIPAA requirements.

      Customers and vendors will normally have control and responsibility for PHI protection clearly divided between the parties. For example, a cloud provider may draw the line of responsibility at the physical, hypervisor or operating system layer, while the customer’s responsibility would start from the application layer.

      Other Benefits of Private Clouds for HIPAA Compliance

      As noted, HIPAA has many provisions, but keeping PHI secured from breaches and unauthorized access is the main objective. PHI is worth major money on the black market. While credit card information is sold for about $5 to $10 per record, PHI is being sold at $300+ per single record.

      Private cloud providers ensure that a customer’s environment is protected from unauthorized access at breach points controlled by the cloud provider. Breach points could be described as physical access to building/data center, external threats and attacks over the internet against the core infrastructure, internal threats by malicious actors, viruses, spyware and ransomware. Private cloud providers also make sure that the data is protected from accidental edits, deletions or corruption via backup and DRaaS services. These same breach points apply to on-premise (customer-owned) infrastructure, too.

      A HIPAA compliant private cloud environment will make sure that their security, technology, tools, training, policies and procedures which relate to protection of PHI are used and followed every step of the way throughout this business association with the customer.

      What a HIPAA Compliant Cloud Supports

      Let’s take a closer look at what a HIPAA compliant private cloud needs to have in place and support.

      • BAA: A provider of a HIPAA compliant private cloud will start their relationship with a signed Business Associate Agreement (BAA). The BAA agreement is required between customer and vendor if the customer is planning to have PHI stored or accessed in the private cloud. If a prospective provider hesitates to sign any type of BAA, it’s probably good idea to walk away.
      • Training: Annual HIPAA training must be provided to every staff member of the private cloud vendor.
      • Physical Security: A Tier III data center with SSAE certifications will provide the physical security and uptime guarantees for your private cloud’s basic needs such as power and cooling.
      • External Threats and Attacks: Your private cloud will need to be secured with industry best practice security measures to defend against viruses, spyware, ransomware and hacking attacks. The measures include firewalls, intrusion detection with log management, monitoring, anti-virus software, patch management, frequent backups with off-site storage, disaster recovery with testing.
      • Internal Threats: A private cloud for PHI needs to be able to be secured against internal attacks by malicious actors. Cloud vendors are required to have policies and procedures to perform background checks and regular audit staff member security profiles to make sure proper level of access is provided based on access requirements and thorough on-boarding and termination processes.
      • Data Protection and Security: A private cloud must be able to protect your data from theft, deletions/corruptions (malicious or accidental). Physical theft of data is not common in secured datacenters, however, encrypting your data at rest should be a standard in today’s solutions. In order to protect private clouds from disasters, a well-executed backup and disaster recovery plan is required. Backups and DR plans must be tested regularly to make sure they will work when needed. I recommend twice a year testing for DR and once a week testing for backup restores.

      Private cloud customers also have a responsibility to continue protection of PHI from the point where they take over management duties. This line of responsibility is often drawn at the application level. Customers must ensure that any application that stores and manages PHI has gone through all the necessary audits and certifications.

      Closing Thoughts

      Well-defined policies and procedures, best practice uses of tools and technologies, proper security footprint and regular auditing and testing yields a HIPAA compliant private cloud. Doing the work on the front end to vet a strong partner for your private cloud or putting in the time to review processes with your current provider will go a long way in meeting HIPAA compliance requirements.

      Explore INAP Private Cloud.


      Rob Lerner


      Source link

      What is the GDPR and How Do I Ensure My Business is Compliant?

      The General Protection Data Regulation (GDPR) is a new European privacy law that goes into effect on May 25, 2018. It replaces the existing EU Data Protection Directive, also known as Directive 95/46/EC, and integrates data protection laws from across the European Union by applying a single, binding data protection law for all member states.

      The new regulation represents a significant expansion of the existing directive. The changes were designed to strengthen individual rights around the consent of submitting personal data, as well as individuals’ ability to control their data after submission. This includes a section on data erasure called the “Right to be Forgotten.”

      GDPR also spells out new policies and procedures for Controllers and Processors of EU data subjects. In that vein, here are some important questions that will help you determine the law’s applicability to your business, some tips for gaining compliance, and a look at how SingleHop is approaching the sweeping new regulation. If you want to delve further, take a look at GDPR at the official website.

      How do I know if GDPR will apply to me?

      If you’re wondering why there seems to be so much coverage of GDPR in U.S. media, here’s the reason: The regulation applies not just to EU entities or those with operations in the EU, but to all organizations that hold or process an EU citizen’s personal data.

      In light of that critical point, ask yourself these questions:

      • Does my organization process, transmit, store EU client data?
      • What type of personal data does my organization collect/store?
      • Does my organization ensure it does not hold such data longer than is necessary?
      • Does my organization keep such data safe and secure, using a level of security appropriate to the risk?
      • Is encryption necessary to protect the data stored by my organization?
      • Does my organization limit access to ensure such data is only being used for its intended purpose?
      • Does my organization transfer such data outside the EU, and if so, does my organization have the necessary technologies and processes in place to protect such data?

      If GDPR applies to me, what can I do to become compliant under the new law?

      The following tips can be used as a guide to comply with GDPR. These recommendations should in no way be considered legal advice. If GDPR applies to your organization, you should consult with an attorney to guide you through the many complexities of the regulation and its applicability to your use case.

      1. Understand the law – Know your obligations as it relates to collecting, processing, and storing data, including the law’s many special categories.

      2. Create a roadmap – Perform data discovery and document everything – research, findings, decisions, actions and the risks to data.

      3. Know which data is regulated – First, determine if data falls under a GDPR special category. Then, classify who has access to different types of data, who shares the data, and what applications process that data.

      4. Begin with critical data and procedures – Assess the risks to all private data, and review policies and procedures. Apply security measures to production data, and then extend those measures to backups and other repositories.

      5. Assess and document other risks – Investigate any other risks to data not included in previous assessments.

      SingleHop’s Commitment to GDPR Compliance

      The security of our global infrastructure is SingleHop’s number one priority. Since the law’s passage in 2016, our security and compliance team has been diligently preparing for implementation.

      In addition to a thorough review and update to our customer privacy and security policies, SingleHop maintains EU-US Privacy Shield Compliance, enters into data processing agreements with its customers if GDPR applies to the processing of their data, and enters into sub-processing agreements with vendors when necessary. We’re also committed to offering first-rate, best-practice security services across all of our products.

      For a full breakdown of our processing roles and responsibilities, as well as our commitment to customers as a data controller, please visit our GDPR page.

      Source link