The explosion of data generated within the healthcare, retail and financial services industries has led to a tightening of regulations designed to safeguard personally identifiable information (PII) including Social Security numbers, credit card information, birthdates and more. In the latest installment of the HOSTING Cloud 360 Podcast Series, we sat down with Johan Hybinette, Chief Information Security Officer for HOSTING. Johan commented on the “myth of cloud compliance” as well as what companies need to know before engaging with compliant cloud hosting providers. You can listen to the entire podcast on-demand. In the meantime, we’ve listed some highlights.
Companies can achieve cloud compliance
Companies that haven’t invested in cloud-based solutions often cite compliance and security as reasons for remaining on the sidelines. However, Johan emphasizes that compliance in the cloud is attainable. As a compliant cloud hosting provider, HOSTING offers a secure, compliant cloud environment for organizations to store their sensitive information. And while companies are responsible for the security and compliance of their applications, HOSTING offers managed services to alleviate their compliance burdens.
Key compliance questions companies should ask potential cloud providers
“There is no true HIPAA certification,” emphasizes Johan. HHS does not recognize or endorse any HIPAA certification program, so organizations should be wary of any cloud provider that promotes itself as “HIPAA-certified.” During the podcast, Johan listed some key compliance questions companies should ask when evaluating cloud providers, including:
Have your data centers been audited for compliance by an independent third party?
Any cloud provider that claims to offer compliant hosting services for HIPAA or PCI should readily produce a copy of its audit reports. A PCI DSS compliance report should be based on the results of an assessment conducted by a Qualified Security Assessor (QSA) certified by the PCI Security Standards Council. A HIPAA compliance report should be based on the HIPAA Audit Protocol published by the HHS Office for Civil Rights (OCR). Ask for the date and scope of the most recent assessment as well: a report covering a different facility or service than the one you will use says little about your own environment.
Read our blog post on PCI Compliant Hosting Data Center Requirements
Are your employees trained in HIPAA/HITECH and PCI security and compliance standards?
We can’t emphasize this enough: technology is only part of the compliance and security equation; people and processes play crucial roles as well. Johan recommends that organizations understand how potential cloud providers train their staff on security and compliance standards. For example, the HIPAA Security Rule requires covered entities and business associates to train all workforce members on security policies, physical security, incident response and reporting, password management, data protection and so forth.
View our on-demand webinar, How to Spend Your Cloud Security Dollar.
Do you have a thorough Business Associate Agreement (BAA)?
Having a well-documented BAA in place is essential for companies that are responsible for safeguarding protected health information (PHI) and that hand any of it to a vendor. Under HIPAA’s penalty tiers, the absence of a BAA with a vendor that handles PHI can be treated as willful neglect. This can result in fines ranging from $10,000 to $50,000 per violation, along with potential criminal charges.
View our on-demand webinar, Understanding Your Cloud Service Provider’s BAA
Achieving compliance in the cloud can be complicated. HOSTING can help. Our team of certified information security and compliance experts creates custom compliant cloud solutions that meet HIPAA/HITECH, PCI and SOX requirements. Contact us anytime to discuss your specific needs. And view our on-demand webinar, Using Data Security to Address HIPAA and HITECH Requirements.