Comparing HIPAA cloud options can be difficult. There are a few requirements teams should always consider when selecting a HIPAA compliant cloud provider.
With the growth of public cloud platforms and the prominence of SaaS solutions, it is not surprising that regulated industries such as healthcare are increasingly turning to cloud services and public cloud platforms to simplify business operations.
Cloud computing gives organizations the ability to rapidly deploy services, scale applications and workloads, and get predictable pricing. Cloud service providers such as Amazon Web Services (AWS) now offer HIPAA-eligible services that make it practical for organizations to build a HIPAA security program and manage infrastructure without depending on on-premises servers and data-center specialists.
As with on-premises infrastructure, security and compliance are key concerns for healthcare organizations building HIPAA compliant applications and managing protected health information (PHI). Below we discuss what makes a cloud platform suitable for HIPAA workloads and how cloud services can be used in a HIPAA compliant manner.
When selecting a HIPAA compliant cloud, responsibility is shared: the cloud provider operates the physical safeguards for its data centers under the terms of its BAA, while your organization must configure and maintain the technical safeguards for its own workloads and the administrative safeguards (policies, training, risk assessment) required by HIPAA. Using a public cloud platform such as Amazon Web Services (AWS) lets organizations build on the established security program of the provider. Benefits of building HIPAA compliant applications in the public cloud include:
Established cloud platforms like AWS hold many security certifications and attestations (for example SOC reports and ISO 27001) that organizations can leverage to jumpstart their own security programs.
Public cloud platforms offer hundreds of managed services that organizations can use to build solutions quickly.
Public cloud platforms let organizations pay only for the resources they use and scale out when demand requires it.
Organizations can build applications using almost any major technology on a public cloud platform.
Cloud services are offered to customers under several different cloud service models, with the billing and deployment of services differing depending on the models.
SaaS, or Software-as-a-Service, offerings are applications hosted and operated by the vendor. Productivity tools such as G Suite and Salesforce, and cloud-hosted EHRs, are examples of SaaS solutions that organizations pay for on a monthly or yearly basis to fulfill specific business needs.
PaaS, or Platform-as-a-Service, offerings provide organizations with a managed application hosting environment. PaaS offerings include the managed application services of public cloud providers such as AWS and give teams the flexibility to rapidly develop applications and scale up workloads cost-effectively.
IaaS, or Infrastructure-as-a-Service, offerings provide organizations with storage, compute, and networking that can be used to build applications and store production data. IaaS offerings include services such as Amazon EC2 and Amazon S3. These services can be provisioned and customized to meet specific application needs.
Organizations often combine several cloud service models to accomplish specific business objectives; there is typically no single solution that fits every need. It is up to each healthcare organization to select vendors that meet its requirements.
For a cloud solution to be used in a HIPAA compliant manner, responsibilities are split: the cloud provider must meet certain safeguards, and the cloud customer must address the remaining security standards.
Cloud solutions must provide and execute a Business Associate Agreement (BAA). This agreement is entered into by the cloud provider and the covered entity (or its business associate) and defines each party's security responsibilities.
Simply entering into a BAA with a cloud platform does not make an organization HIPAA compliant. In addition to providing a signed BAA, the cloud provider must restrict its own staff's access to protected health information (PHI), and the healthcare organization must run a HIPAA security program that addresses the administrative and technical standards.
Organizations planning to use public cloud platforms to build HIPAA compliant applications must manage certain HIPAA requirements themselves in order to achieve HIPAA compliance in the cloud. Teams should take the following steps to build for HIPAA compliance.
Organizations handling protected health information should sign a business associate agreement (BAA) with every cloud vendor that may store, process, or transmit PHI. This means that teams should have a BAA in place with cloud service platforms such as AWS, with SaaS services such as G Suite, and with any productivity software that stores PHI.
A BAA outlines security responsibilities as well as which of the vendor's services may be used for PHI. For example, the G Suite BAA may cover Google Drive but not every Google service, and AWS designates specific services as "HIPAA-eligible services". Organizations should ensure they store PHI only in services that are covered under the BAA.
Signing a BAA does not automatically make an organization or application HIPAA compliant. Teams must create and maintain a HIPAA security program that includes administrative policies and procedures. Policies should be written in plain English and give actionable steps for managing compliance requirements such as risk assessment, employee training, log review, incident response, and disaster recovery.
While cloud platforms provide physical safeguards and offer security options for their services, organizations must ensure that the proper technical controls are actually configured across the services they use. At a minimum, technical controls must be in place for encryption (in transit and at rest), audit logging, firewall/network restrictions, backup, intrusion detection, and vulnerability scanning.
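The controls listed above only count if they are verified against the live environment, not just written into a policy. The following is an added example (not code from the original page, from Dash, or from AWS) of an audit that checks a few of those controls: encryption at rest for S3, EBS and RDS, CloudTrail audit logging, and security groups that expose administrative ports to the internet. The inventory is constructed sample data whose field names are assumed to mirror the corresponding boto3 describe_*/get_* responses, so the checks run offline; in practice the same functions would be fed the output of those API calls.

```python
"""Offline audit of an AWS inventory for several HIPAA technical controls.

Added example: the inventory is constructed sample data shaped like the
relevant boto3 responses (assumption), so no AWS credentials are needed.
"""
from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class Finding:
    control: str   # control family that failed
    resource: str  # resource identifier
    detail: str    # what is wrong


# Constructed sample inventory (assumption: field names mirror boto3 responses
# from get_bucket_encryption, describe_volumes, describe_db_instances,
# describe_trails and describe_security_groups).
SAMPLE_INVENTORY: dict[str, list[dict[str, Any]]] = {
    "s3_buckets": [
        {"Name": "phi-exports", "ServerSideEncryptionConfiguration": None},
        {"Name": "phi-archive", "ServerSideEncryptionConfiguration": {
            "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}},
    ],
    "ebs_volumes": [
        {"VolumeId": "vol-0a1", "Encrypted": False},
        {"VolumeId": "vol-0b2", "Encrypted": True},
    ],
    "rds_instances": [
        {"DBInstanceIdentifier": "ehr-db", "StorageEncrypted": True},
    ],
    "cloudtrail_trails": [
        {"Name": "org-trail", "IsMultiRegionTrail": False, "LogFileValidationEnabled": True},
    ],
    "security_groups": [
        {"GroupId": "sg-web", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ]},
    ],
}

# Ports that should never be reachable from the whole internet on a PHI workload.
ADMIN_PORTS = {22, 3389, 1433, 3306, 5432}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def check_encryption(inv: dict) -> list[Finding]:
    """Flag storage that holds data unencrypted at rest."""
    out = []
    for b in inv["s3_buckets"]:
        if not b.get("ServerSideEncryptionConfiguration"):
            out.append(Finding("encryption", b["Name"], "no default server-side encryption"))
    for v in inv["ebs_volumes"]:
        if not v.get("Encrypted"):
            out.append(Finding("encryption", v["VolumeId"], "EBS volume not encrypted"))
    for db in inv["rds_instances"]:
        if not db.get("StorageEncrypted"):
            out.append(Finding("encryption", db["DBInstanceIdentifier"], "RDS storage not encrypted"))
    return out


def check_audit_logging(inv: dict) -> list[Finding]:
    """Require at least one trail, multi-region, with log file validation on."""
    trails = inv["cloudtrail_trails"]
    if not trails:
        return [Finding("audit-logging", "CloudTrail", "no trail configured")]
    out = []
    for t in trails:
        if not t.get("IsMultiRegionTrail"):
            out.append(Finding("audit-logging", t["Name"], "trail is not multi-region"))
        if not t.get("LogFileValidationEnabled"):
            out.append(Finding("audit-logging", t["Name"], "log file validation disabled"))
    return out


def _rule_exposes_admin_port(rule: dict) -> bool:
    """True if an ingress rule opens an admin port (or all traffic) to the internet."""
    cidrs = {r["CidrIp"] for r in rule.get("IpRanges", [])}
    cidrs |= {r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])}
    if not cidrs & ANYWHERE:
        return False
    if rule.get("IpProtocol") == "-1":  # "-1" means all protocols/ports
        return True
    lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    return any(lo <= p <= hi for p in ADMIN_PORTS)


def check_network_exposure(inv: dict) -> list[Finding]:
    """Flag security groups that expose administrative ports to the internet."""
    out = []
    for sg in inv["security_groups"]:
        for rule in sg.get("IpPermissions", []):
            if _rule_exposes_admin_port(rule):
                out.append(Finding("network", sg["GroupId"],
                                   f"ports {rule.get('FromPort')}-{rule.get('ToPort')} open to the internet"))
    return out


def audit(inv: dict) -> list[Finding]:
    """Run every control check and return the combined findings."""
    return check_encryption(inv) + check_audit_logging(inv) + check_network_exposure(inv)


if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"[{f.control}] {f.resource}: {f.detail}")
```

Run against the sample inventory, the audit reports the unencrypted export bucket and EBS volume, the single-region trail, and the security group that opens SSH to 0.0.0.0/0, while the HTTPS rule on the same group passes. Backup, intrusion detection and vulnerability scanning are not covered here; in a real program each of those needs its own check fed from the relevant service's API, and the whole audit should run on a schedule rather than once.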
HIPAA requires that organizations maintain their security program on an ongoing basis. Teams should review administrative policies periodically and verify that technical controls remain implemented and up to date across all cloud services and environments as they change.
Amazon Web Services (AWS) provides healthcare organizations and software vendors with highly scalable and cost-effective cloud services for quickly building HIPAA compliant applications and services.
Dash ComplyOps provides teams with a compliance management solution for building custom administrative policies, setting cloud security controls, and enforcing policies through continuous compliance monitoring. Dash can be easily deployed to your cloud environment via the AWS Marketplace and used to build a robust AWS HIPAA security program.
Dash is built around a team of compliance and cloud experts. We provide HIPAA cloud solutions that enable organizations to easily configure and manage HIPAA in Amazon Web Services, the market-leading cloud platform.
Automate Your Organization’s Cloud Security Program