When it comes to cloud security adoption, the healthcare and pharmaceutical industries lead the way, according to a recent survey by CipherCloud, an industry-leading provider of secure cloud services.
Both industries are required to implement safeguards – under the Health Insurance Portability and Accountability Act (HIPAA) – to ensure that Protected Health Information is kept private and confidential, which according to the report is the reason why cloud security adoption is so important and uptake has been so high in these industries.
Healthcare and pharmaceuticals have been grouped together in the report, and account for 38% of companies which have chosen to store data securely in the cloud. The banking and finance industry is second, accounting for 25% of companies, with telecommunications third (16%) and the Government in fourth spot (9%).
HIPAA does not demand that PHI be encrypted while at rest, although data encryption is an addressable area. If covered organizations decide not to encrypt data, they must document the reasons why, along with the alternative safeguards that are being used in its place to keep PHI secure.
For cloud storage, however, data encryption is important. 49% of companies surveyed claimed that this is the primary method used to secure PHI in the cloud, although alongside data encryption, administrative controls must be put in place, which according to the report “include the organization’s ability to control access to the encryption keys and preserve search, sort and filtering functions.”
The authors of the report explain that state and federal regulations covering cloud storage are varied, but “the common theme is to ensure both the data at rest within the cloud application and associated data workflows are protected, which enables these organizations to launch new service portals and provide improved methods for sharing information.”
The report identifies a number of different challenges when it comes to cloud security: compliance with industry regulations, maintaining privacy and being able to conduct audits are the main problem areas, accounting for around two-thirds of the security challenges identified so far.
The Cloud and HIPAA Compliance
The healthcare industry may lead the way in cloud security adoption, but many organizations are concerned about the security of data stored in the cloud, and whether it is possible to use cloud platforms and remain HIPAA-compliant.
Provided care is taken to protect data and HIPAA-compliant cloud platforms are used, the cloud can be a highly convenient solution. Use of cloud services can reduce operational costs and improve efficiency, while the physical space that would otherwise need to be dedicated to secure on-site data storage can instead be used for revenue-generating purposes.
A number of cloud providers have now developed products – Software as a service (SaaS), Platform as a service (PaaS) and Infrastructure as a service (IaaS) – that incorporate all the required safeguards to protect sensitive data as required under HIPAA.
However, any organization looking to take advantage of the cloud must ensure that their provider understands HIPAA requirements. The provision of services to HIPAA-covered entities makes the provider a Business Associate, and as such they too will be covered by HIPAA Rules. A comprehensive Business Associate Agreement must therefore be signed with the provider of the services.
The Omnibus Rule, which was introduced in 2013, makes Business Associates accountable for their actions – or lack of them – and financial penalties can be issued for non-compliance, especially if it leads to a breach of protected data. Business Associates can also be audited by the OCR and assessed for HIPAA compliance.
It is therefore not enough to get a BAA signed. Efforts must also be made to ensure that the cloud service provider understands everything that is required of them and the importance of keeping PHI secure at all times, and that they agree to implement the appropriate access controls to restrict who is able to view the data. It does not matter whether the provider is required to view or access PHI: the controls must be put in place regardless.