Four Criteria for Evaluating HIPAA Compliant Cloud Storage

Technology research firm IDC forecasts that worldwide public IT cloud services spending will reach almost $108 billion by 2017, up from an estimated $47.4 billion in 2013. A key factor is the explosion of data which is leading CIOs to adopt cloud data storage for remote storage, archiving, and information sharing. Given the additional layers of data security, combined with stringent HIPAA compliance regulations, healthcare CIOs must carefully vet potential cloud storage providers. Following are four key criteria to use in your evaluation.

HIPAA compliant cloud storage starts with security

When evaluating cloud storage providers, be sure to understand the security measures they have in place to protect your data and mitigate risks. If possible, take a tour of the data center where your data will be located. Ask which physical security measures they have in place including biometrics, video surveillance and 24 x 7 x 365 monitoring. Also find out what key technical measures they have in place including advanced firewalls, intrusion detection systems, malware protection, managed patching and file integrity monitoring.

Data encryption is essential

In our previous blog post entitled, The High Cost of HIPAA Violations, we shared information about the U.S. Department of Health and Human Services “wall of shame” which lists data breaches that comprise unsecured protected health information (PHI) affecting 500 or more individuals. As of November, 2014, 1,170 of these incidents have been reported. Many of these incidents were the result of theft or loss of unencrypted data.

Data encryption is essential when it comes to leveraging shared storage or public cloud providers. Not all cloud providers understand the necessity of providing end-to-end data encryption capabilities.  Before signing on the dotted line, make sure your cloud storage provider offers data encryptions services while data is being transferred to their data center (data-in-transit) and once it’s located in their data center (data-at-rest).

So is availability

HIPAA compliance regulations that data not only be secure, but it must also be highly available. Ask to see your potential cloud storage provider’s disaster recovery (DR) plan. It must include testable recovery strategies to ensure that data is continuously online and accessible by authorized personnel in cases of human error, data breaches, and manmade or natural disasters. Find out how often they review and update their DR plans. And be sure that they provide round-the-clock monitoring and response backed by advanced service level agreements (SLAs).

Certifications are critical

We saved one of the most important criteria for last. While many cloud storage providers may claim to adhere to HIPAA compliance regulations, few of them possess the necessary certifications HIPAA and PCI DSS. Even fewer cloud storage providers are willing to enter into a Business Associates Agreement (BAA) with their clients. A BAA is a contractual agreement between a HIPAA covered entity (CE) and a business associate (BA) in which both parties will appropriately safeguard patient health information (PHI). Review this and the cloud provider’s SLAs carefully. Read the fine print and look for any nuances in the language. Pay attention to how they communicate their policies regarding data ownership and data access. Understanding these policies is crucial, especially when faced with the cloud provider potentially going out of business. Find out what happens to your data if the cloud provider fails to pay its bills – what happens to your data then?

Have questions about HIPAA compliant storage options? HOSTING has answers. Led by our dedicated Chief Information Officer (CISO), HOSTING’s in-house compliance team can create a custom cloud storage solution that safeguards your business-critical data while keeping you ahead of the compliance curve. Contact us today to learn more.

HIPAA Compliance Guide

Leave a Reply

Your email address will not be published. Required fields are marked *