gasilfrog.blogg.se

HIPAA compliant folder backup
Since the Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996, there have been notable advances in protecting the privacy of patient information handled by health plans, health care clearinghouses and certain types of healthcare providers. Unfortunately for patients and providers, technology and the many advantages of the cloud, including its scalability, cost-efficiency, and flexibility, have continued to outpace legislation.

While the cloud makes file storage and sharing comfortable and convenient, its security risks are significant enough to have pushed for the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. This regulation covers any service provider who has access to protected health information (PHI), including subcontractors who create, receive, maintain or transmit PHI on behalf of a business associate, and that includes cloud providers. The Department of Health & Human Services (HHS) enforces HIPAA.

HHS reported that in early 2018, Fresenius Medical Care North America agreed to pay $3.5 million to settle potential HIPAA violations. Moreover, in late 2017, 21st Century Oncology settled with HHS for $2.3 million. It is interesting to note that declaring bankruptcy does not let organizations skirt non-compliance fees: 21st Century Oncology had declared bankruptcy earlier that year.

It is evident that HIPAA-HITECH firmly regulates how the healthcare industry collects, stores, communicates and transmits protected health information. For healthcare organizations, compliance can be a major concern when deciding what to look for in a cloud-storage service provider.

HIPAA places additional requirements on protecting electronic PHI (ePHI), specifically the Security Final Rule's Data Backup and Disaster Recovery Specifications, which require:

- Frequent data backup. Frequency is proportional: no one expects you to back up aging Word documents every hour on the hour. However, you should set aggressive RPOs for applications where data loss is a significant event.
- Secure backup of "retrievable exact copies of electronic protected health information." Backed up data must be recoverable, the pivotal phrase being "restore any loss of data." Excuses will not fly with HIPAA regulators and can lead to steep fines.
- Backing up data to a secure remote data center. HIPAA requires specific physical safeguards for HIPAA compliance, including buildings that are hardened against natural and environmental disasters, and protection against physical and digital intrusion.
- Securing data in transit during backup and restore, and encrypting data at rest.
- Documenting all policies and procedures related to your backup, recovery, and disaster recovery, and periodically testing them.

These requirements can be a significant burden on backup admins and disaster recovery managers. Many of them choose to invest in HIPAA-compliant backup as a service (BaaS) and disaster recovery as a service (DRaaS) to simplify and improve HIPAA compliance. (It doesn't hurt that organizations can also save money on capital purchases and high operational expenses.)

However, watch out: many cloud service providers (CSPs) will say that they are HIPAA compliant, but does that mean they automatically meet your compliance needs? Maybe, maybe not. When they say they are HIPAA-HITECH compliant, it primarily means their data center complies with facility and digital security regulations. Nonetheless, compliance goes beyond compliant infrastructure and encryption. The Covered Entity (that would be you) and the Business Associate (that would be your cloud provider) sign a Business Associate Agreement (BAA) that aligns your partnership with HIPAA requirements. If the CSP is only willing to sign their boilerplate BAA, that may not be enough for your needs. Also review the service provider's HIPAA-HITECH compliance record as well as their availability, security, and performance metrics. Are they willing to customize SLAs in addition to signing the BAA? Does your provider offer a detailed assessment of compliance gaps?

Encrypting your ePHI Data

Encrypting your cloud data is not just to prevent hackers from gaining unauthorized access to the data; depending on the data in question, it is likely a requirement to comply with privacy laws such as HIPAA, PCI-DSS, FINRA, and soon GDPR. One essential problem is the lack of existing CSPs that adhere to security best practices, not to mention to the regulations that call for data at rest to be encrypted no matter where it resides. You guessed it: one of the challenges of implementing data-at-rest encryption is that the most popular SaaS applications and megacloud providers do not encrypt your data while at rest.
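Returning to the Data Backup and Disaster Recovery specifications above (recoverable exact copies, aggressive RPOs, periodic testing), here is a restore-test helper added as an example; it is not code from the original post. It records a size-and-SHA-256 manifest of the source folder at backup time, checks a restored folder against it (missing, altered or unexpected files), and flags a backup older than its RPO; it uses only the standard library, and the file names, contents and RPO values in demo() are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each file under root (relative POSIX path) to (size, sha256)."""
    root = Path(root)
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        manifest[path.relative_to(root).as_posix()] = (path.stat().st_size, digest)
    return manifest


def verify_restore(source_manifest, restored_root):
    """Compare a restored tree against the manifest recorded at backup time.
    An 'exact copy' means nothing is missing, altered, or unexpected."""
    restored = build_manifest(restored_root)
    return {
        "missing": sorted(set(source_manifest) - set(restored)),
        "corrupted": sorted(p for p in source_manifest
                            if p in restored and restored[p] != source_manifest[p]),
        "extra": sorted(set(restored) - set(source_manifest)),
    }


def rpo_violated(last_backup_epoch, rpo_seconds, now):
    """True when the newest backup is older than the RPO: a loss right now
    would exceed the amount of data the organisation agreed it can lose."""
    return (now - last_backup_epoch) > rpo_seconds


def demo():
    """Constructed sample run: three source files, and a restore that lost
    one, silently altered one, and picked up a stray file. Returns the report."""
    work = Path(tempfile.mkdtemp())
    src, restored = work / "ephi", work / "restored"
    src.mkdir()
    restored.mkdir()
    (src / "notes.txt").write_text("patient note\n")
    (src / "labs.csv").write_text("id,value\n1,42\n")
    (src / "scan.pdf").write_bytes(b"%PDF-1.4 constructed stub\n")
    manifest = build_manifest(src)                            # taken at backup time
    (restored / "notes.txt").write_text("patient note\n")    # exact copy
    (restored / "labs.csv").write_text("id,value\n1,43\n")   # one byte changed
    (restored / "stray.tmp").write_text("")                   # not in the backup
    return verify_restore(manifest, restored)


if __name__ == "__main__":
    print(demo())
```

A periodic restore drill that runs verify_restore against the manifest, together with rpo_violated on the newest backup timestamp, gives the documented, testable evidence the specifications ask for.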