Ounce of prevention: Questions you must ask cloud storage vendors to stay HIPAA compliant

The proliferation of cloud-powered storage and applications has been slow but sure as far as the health-care industry is concerned. Health-care firms, both private and public, are increasingly aligned with the idea of using the cloud to meet the demand for their services and raise their quality. However, none of these organizations is comfortable with keeping patients’ data in the public cloud.

Personal cloud storage solutions such as Google Drive, Box, and Dropbox, along with other cloud storage options have led to an emergence of massive shadow storage in global health care. The ease of access for doctors and nurses, who use such services to quickly access, share, and collaborate on patients’ data, often comes at the cost of scrambled IT practices, with little control over data security.

This is where HIPAA compliant cloud storage becomes the norm for health care. The Health Insurance Portability and Accountability Act is a globally recognized and relevant regulatory act that issues guidelines and directives for the security and privacy of health-care data. If you operate in the health-care market and are looking to ramp up IT beginning with cloud storage, you need to look for cloud storage solutions that are HIPAA compliant. To help you do so, we’ll arm you with the top questions to ask vendors.

Who encrypts the data, when, and how?


Data encryption is at the core of HIPAA compliance. As a health-care service provider, control over encryption needs to rest with you. Data will flow out of your on-premises storage devices as well as into the cloud storage space. This data must be encrypted both at rest and in flight, so that unauthorized access by a third party doesn’t reveal any sensitive information. Moreover, the cloud storage provider must have mechanisms in place to ensure that even it is not able to decipher and read the data in any way, even when the encryption itself is performed by its systems. The key is to thoroughly understand who generates the encryption keys, and how they are retained and accessed.

Does the vendor require you to change your existing access control mechanisms?


Health-care organizations rely on on-premises Active Directory, authentication protocols, and password requirements to enforce controls over patients’ data. When you on-board a cloud storage provider, it should not require you to enable any kind of backdoor access to the data that bypasses your access management protocols. HIPAA compliant vendors recognize the need to integrate seamlessly with all kinds of access management protocols, and are able to deliver the service accordingly. Any compromise on access control made in order to implement cloud storage is probably not going to sit well on the HIPAA compliance front. Apart from this, ensure that there is a complete audit trail of all file access in the cloud, just as there is for locally stored data.

What support mechanism of data backup, disaster recovery, and business continuity does the vendor have in place?

If your on-premises file servers were to be disrupted for some reason, how would you ensure access to patients’ data? To provide for such situations, HIPAA mandates that health-care organizations ensure regular backups of data. For this, you will need to understand the backup mechanisms your cloud storage provider has in place. HIPAA also mandates that health-care organizations be able to restore the backed-up data, if need be, in a reasonable amount of time. This, in turn, becomes your follow-up question to your cloud storage vendor: what means and methods exist to enable access to your cloud-hosted files if the connection were to be disrupted in any way? Also, if the geographical region where the hosting datacenter is located is hit by a natural disaster, what alternate storage means exist to enable business continuity?

Will the vendor sign a Business Associate Agreement?

A key component of HIPAA is the signing of a Business Associate Agreement between all parties involved in the creation, transformation, maintenance, transfer, storage, and protection of data. This agreement places responsibility for data privacy, and for security breaches, on the cloud storage service provider. This brings out the best from vendors as a matter of necessity. Also, a vendor’s willingness to sign the agreement showcases its confidence in providing a highly secure and reliable storage service.

Does the vendor have on-premises, full-time employees to ensure you remain HIPAA compliant?

HIPAA regulations advocate that all cloud storage service providers have full-time employees working on-premises to ensure that all HIPAA requirements are met. This makes health-care data security much more reliable, and gives health-care organizations much needed peace of mind, knowing that the service provider has means and mechanisms for round-the-clock monitoring and quick response in place.

What encryption process is used to encode the data before transfer?


All data exchanges between the cloud storage space and your organization’s other cloud-based applications, on-premises applications, and any other systems must be encrypted. HIPAA mandates that FIPS 140-2 encryption is provided for all ePHI (electronic protected health information) in transit. Also, there must be encryption for data at rest in SANs (storage area networks), local hard drives, and hard drive backups. Be very sure that your cloud storage vendor provides the precise encryption mechanism dictated by the regulations, to ensure you remain HIPAA compliant.

What kind of security awareness and improvement processes do they have in place?

Data security and privacy are not a one-time effort. The dynamics of cybersecurity require that any cloud storage vendor remains committed to continuous monitoring and improvement of its security mechanisms. HIPAA requires cloud storage providers to regularly assess existing security mechanisms and ensure they remain compliant with the act’s guidelines. Vendors also need to implement structured and ongoing training programs so that their employees are sensitized to data security. As HIPAA regulations are updated, vendors must also be committed to aligning their operations with the updated guidelines.

Ounce of prevention

Everyone knows the adage “prevention is better than cure.” It turns out that this adage holds true for medical care in general, and for health-care data security as well. So, make sure you get answers to these questions from your shortlisted cloud storage vendors.

Photo credit: Shutterstock
