Cloud computing provides undeniable benefits for storing and accessing electronic health records. Files stored in the cloud are accessible anytime and anywhere from any device, which makes it easy to share critical medical information between healthcare workers. But is cloud storage secure enough to store, access and transfer sensitive personal and medical information?
For clinics, hospitals and other healthcare organizations, ensuring that patients’ medical information stays private isn’t just an ethical issue; it’s a legal one as well. The Health Insurance Portability and Accountability Act (HIPAA) provides clear rules about the storage and sharing of medical data, and any organization that handles health records is required to comply with them.
Therefore, before moving health-related data to cloud storage, healthcare organizations need to make sure that the software they plan to use is HIPAA compliant.
This article covers HIPAA-compliant cloud storage services and explains your own responsibility in making your cloud storage compliant:
- What is HIPAA?
- HIPAA Compliance and Cloud Storage
- The Most Popular Cloud Storage Services that Support HIPAA and HITECH
- Essential Security Features for HIPAA Compliance
- Key Takeaways
What is HIPAA?
HIPAA is a set of rules that establish the allowable uses and disclosures of health and medical information. It places restrictions on who may access health information and when, and also sets standards for protecting health data from individuals who do not have the right to view it.
The key provisions of HIPAA include:
- HIPAA Privacy Rules — Regulate how an individual’s health information may be disclosed or used
- HIPAA Security Rules — Specify standards for safeguarding and protecting electronically created, processed, accessed or stored healthcare information
- The HIPAA Breach Notification Rule — Requires organizations to notify individuals whose personal health information has been exposed and regulates the process of notification
- The HIPAA Omnibus Rule — Clarifies definitions, procedures and policies; provides a checklist for Business Associates; and implements the requirements of the Health Information Technology for Economic and Clinical Health (HITECH) Act
- The HIPAA Enforcement Rule — Governs investigations following a data breach and states the penalties imposed on the responsible party
Healthcare entities must develop specific safeguards, procedures and policies to comply with these rules.
Protected Information Types
HIPAA calls for the protection of “individually identifiable health information,” which is defined as information regarding:
- An individual’s past, present, or future physical or mental health
- The provision of health care to the individual
- Past, present or future payment for the provision of health care to the individual
- The identity of the individual, or data which there is a reasonable basis to believe could be used to identify the individual
Types of Security Safeguards
The HIPAA Security Rule covers three types of safeguards for protected health information:
- Physical safeguards — HIPAA requires developing policies for the use and positioning of workstations and procedures for use of mobile devices, as well as implementing facility access controls, if applicable.
- Technical safeguards — HIPAA requires implementing activity logs and controls, as well as a means of access control. Compliance might require mechanisms for authenticating information and tools for encryption.
- Administrative safeguards — HIPAA requires conducting risk assessments, implementing risk management policies, developing a contingency plan and restricting third-party access to information.
HIPAA Key Terms
Here are the most important terms used in HIPAA:
- PHI — Protected health information
- ePHI — Protected health information that is stored or transmitted electronically
- Covered entity — A healthcare provider, a health plan provider (such as an insurer or employer) or a healthcare clearinghouse
- Business associate — A person or business that provides a service to or performs a particular function or activity for a covered entity
- Business Associate Agreement — A legal contract stating what PHI the business associate may access, how the PHI is to be used, and requirements for returning or destroying the PHI once the task for which it is needed is complete. A covered entity must obtain a Business Associate Agreement before allowing a business associate to access
HIPAA Compliance and Cloud Storage
No cloud server is HIPAA-compliant right out of the box, but there are ways that IT experts can step in and make the cloud compliant for the needs of covered entities.
Organizations should keep in mind that there is no official HIPAA or HITECH certification, and no government or industry certifies HIPAA compliance for cloud services. That means it’s up to the covered entity and the cloud service provider to ensure adherence to the law’s requirements. The cloud service must review HIPAA regulations and possibly update its products, policies and procedures to support a covered entity’s HIPAA compliance goals.
How does HIPAA apply to cloud storage?
When a covered entity stores PHI in the cloud, the cloud storage service is considered by law to be a business associate of the covered entity. To be HIPAA compliant, therefore, a Business Associate Agreement has to be in place. That agreement needs to state that the cloud service provider shall:
- Secure the data transmitted to the cloud
- Store the data securely
- Provide a system that allows careful control of data access
- Record logs of all activity, including both successful and failed attempts at access
A HIPAA-compliant cloud storage service incorporates all the required controls to ensure the confidentiality, integrity and availability of ePHI. The covered entity is responsible for developing policies and procedures covering the use of HIPAA-compliant cloud storage for this information.
Which cloud services are not considered HIPAA-compliant?
Some cloud services cannot be made HIPAA-compliant for various reasons. Apple’s iCloud, for example, cannot be HIPAA-compliant because Apple doesn’t offer a BAA to covered entities. Other services, like SugarSync, Acronis and BackBlaze, do not mention a willingness to sign a BAA on their websites.
Other services fail to provide essential integrated security capabilities, such as data classification, and therefore cannot be used to store ePHI.
Why is data classification essential?
Data classification is required to inventory ePHI and group it according to sensitivity level, so that the organization can ensure its confidentiality, integrity and availability as required by the HIPAA Security Rule. By distinguishing between regulated and non-regulated data, classification enables organizations to:
- Prioritize security controls
- Protect critical assets
- Improve risk management by helping to assess the value of the data and the impact of data loss, misuse or compromise
- Streamline legal discovery
- Improve user productivity
Data protected by HIPAA typically follows a three-level data classification scheme:
- Restricted or confidential data — Information that could cause significant damage if disclosed, altered or destroyed. This data requires the highest level of security, using controlled access according to the principle of least privilege.
- Internal data — Information whose disclosure, alteration or destruction can cause moderate or low-level damage. This data is not released to the public and requires reasonable security controls.
- Public data — Public data doesn’t need protection against unauthorized access, but still requires protection from unauthorized alteration or destruction.
How does the HIPAA Privacy Rule affect cloud services?
The HIPAA Privacy Rule requires covered entities and business associates to establish the integrity of ePHI and protect it from unauthorized destruction or alteration. Organizations must identify where ePHI is stored, received, maintained and transmitted. That task requires special care in the case of cloud storage services.
The safest bet when using cloud storage for ePHI is to use a service that’s known to be compatible with HIPAA and HITECH requirements.
The Most Popular Cloud Storage Services that Support HIPAA and HITECH
There are a number of popular cloud storage services that support HIPAA and the HITECH Act.
Keep in mind that not all versions of these services will be compliant — usually only a particular version or license supports HIPAA-compliant use. All of the following platforms, however, have at least one version with the appropriate security capabilities to be made compliant, and all are willing to sign a Business Associate Agreement.
1. Dropbox Business
Dropbox Business offers a BAA for covered entities and can be configured to offer HIPAA-compliant cloud storage. The service provides a variety of administrative controls, including user access review and user activity reports. It also allows for the review and removal of linked devices and enables two-step authentication for additional security.
2. G Suite and Google Drive
Google offers a BAA as an addendum to the standard G Suite Agreement. While not all G Suite products can be made HIPAA compliant, a number of useful Google apps do follow legal requirements for the storage and sharing of ePHI.
Google Drive and related applications like Docs, Sheets, Slides and Forms can all be configured for HIPAA compliance, as can services like Gmail and Calendar. However, Google Contacts, as well as non-core Google sites like YouTube and Blogger, cannot be made HIPAA compliant and therefore can’t be included in a BAA.
3. Microsoft OneDrive and E5
Microsoft’s Online Service Terms automatically provide a Business Associate Agreement. The agreement is available for OneDrive for Business, Azure, Azure Government, Cloud App Security and Office 365, among others. Covered services include email, file storage and calendars. Microsoft also provides data loss prevention tools.
Microsoft’s Enterprise E5 license offers the most robust security features the company has available. The package also includes advanced security management for assessing risk.
4. Box Enterprise and Elite
Box Enterprise and Elite accounts include access monitoring, reporting and audit trails for users and content. The service also provides granular permissions or authorizations. Box can securely share data through a direct messaging protocol and allows secure viewing of DICOM files, including X-rays, CT scans and ultrasounds.
Essential Security Features for HIPAA Compliance
HIPAA requires a number of security features from services that work with covered entities. The cloud storage services mentioned above all allow for a combination of the following security configurations:
- A HIPAA-compliant cloud storage service must offer two-step authentication or single sign-on, and encryption of ePHI in transit.
- All devices used to access or send ePHI must be able to encrypt messages to be sent outside the firewall and decrypt the messages received. All encryption must meet NIST standards.
- Configuring file-sharing permissions allows covered entities to implement a permission-based system that limits unauthorized user access. To be effective, these controls must be configured correctly: two-step authentication, strong passwords and secure file-sharing procedures all protect data from unauthorized access.
- Account activity monitoring requires you to review access logs regularly to ensure you can spot improper activity promptly. Solutions like Netwrix Auditor help you gain visibility into business activities in the cloud. Netwrix Auditor reports on both access events and changes, including changes to content, security settings and mailbox settings.
- Data classification is essential for grouping and protecting information based on sensitivity level. Netwrix Data Classification provides predefined taxonomies that are easy to customize, classifies data accurately and automates critical workflows to improve data security.
- A cloud drive cannot be made HIPAA compliant unless you properly configure security controls and monitor activity around data stored in the system. To ensure your organization’s cloud storage service stays compliant, be sure to regularly perform risk assessments and develop strict cybersecurity policies and procedures.
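The two controls above that the covered entity itself has to operate, classifying data by sensitivity and reviewing access logs for improper activity, can be reconciled against each other. The following script is an added example written for this article; it is not code from the original page or from any vendor's product. It assumes a simplified role-based clearance model (each role may read up to one sensitivity level), a constructed file inventory labelled with the three-level scheme described earlier, and a made-up JSON-lines audit log format; real cloud services export their logs in their own formats. Unknown paths are treated as restricted so that an incomplete inventory fails closed.

```python
"""Reconcile cloud-storage access logs with a data-sensitivity classification.

Added example, not from the original article or any vendor. All data below
(inventory, clearances, log lines) is constructed for the demonstration.
"""
import json
from collections import Counter

# Three-level classification scheme, ordered from least to most sensitive.
LEVELS = {"public": 0, "internal": 1, "restricted": 2}

# Constructed inventory: storage path -> classification label.
FILE_CLASSIFICATION = {
    "/shared/newsletter.pdf": "public",
    "/staff/rota.xlsx": "internal",
    "/patients/ct-scan-0042.dcm": "restricted",
    "/patients/lab-results.csv": "restricted",
}

# Assumed (hypothetical) clearance model: the highest level each role may read.
ROLE_CLEARANCE = {"guest": "public", "staff": "internal", "clinician": "restricted"}

# Constructed audit log in a made-up JSON-lines format, one event per line.
SAMPLE_LOG = """
{"ts":"2024-03-01T08:01:12Z","user":"alice","role":"clinician","action":"read","path":"/patients/ct-scan-0042.dcm","result":"ok","external":false}
{"ts":"2024-03-01T08:02:40Z","user":"bob","role":"staff","action":"read","path":"/patients/lab-results.csv","result":"ok","external":false}
{"ts":"2024-03-01T08:03:05Z","user":"carol","role":"guest","action":"read","path":"/patients/lab-results.csv","result":"denied","external":false}
{"ts":"2024-03-01T08:03:09Z","user":"carol","role":"guest","action":"read","path":"/patients/ct-scan-0042.dcm","result":"denied","external":false}
{"ts":"2024-03-01T08:03:15Z","user":"carol","role":"guest","action":"read","path":"/staff/rota.xlsx","result":"denied","external":false}
{"ts":"2024-03-01T08:10:00Z","user":"alice","role":"clinician","action":"share","path":"/patients/ct-scan-0042.dcm","result":"ok","external":true}
{"ts":"2024-03-01T08:11:00Z","user":"bob","role":"staff","action":"read","path":"/shared/newsletter.pdf","result":"ok","external":false}
{"ts":"2024-03-01T08:12:00Z","user":"dave","role":"staff","action":"read","path":"/patients/unlisted-note.txt","result":"ok","external":false}
"""


def parse_log(text):
    """Parse JSON-lines audit events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(path):
    """Look up a path's sensitivity; anything not inventoried is treated as restricted."""
    return FILE_CLASSIFICATION.get(path, "restricted")


def is_authorized(role, path):
    """True when the role's clearance covers the file's classification."""
    clearance = ROLE_CLEARANCE.get(role, "public")  # unknown roles get the lowest clearance
    return LEVELS[classify(path)] <= LEVELS[clearance]


def review(events, failed_threshold=3):
    """Return findings a reviewer should look at.

    - over_privileged_access: a successful read/download that the clearance
      model says should not have been allowed (a misconfigured share or permission)
    - external_share_of_restricted: restricted data shared outside the organization
    - repeated_denials: a user racking up failed access attempts
    """
    findings = []
    denials = Counter()
    for e in events:
        if e["result"] == "denied":
            denials[e["user"]] += 1  # failed attempts are logged and counted, per HIPAA
            continue
        if e["action"] in ("read", "download") and not is_authorized(e["role"], e["path"]):
            findings.append({"kind": "over_privileged_access", "user": e["user"], "path": e["path"]})
        if e["action"] == "share" and e.get("external") and classify(e["path"]) == "restricted":
            findings.append({"kind": "external_share_of_restricted", "user": e["user"], "path": e["path"]})
    for user, count in denials.items():
        if count >= failed_threshold:
            findings.append({"kind": "repeated_denials", "user": user, "count": count})
    return findings


if __name__ == "__main__":
    for finding in review(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the constructed log this flags bob's successful read of a restricted file (the permission that allowed it needs investigating), alice's external share of a restricted scan, dave's read of a path missing from the inventory, and carol's three denied attempts. The fail-closed default for unknown paths is deliberate: a gap in the classification inventory should surface as a finding rather than silently pass.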
Key Takeaways
Using a trusted cloud provider is critical but does not guarantee compliant cloud storage. Even when a cloud service signs a Business Associate Agreement and offers administrative security controls, encryption and other security tools, that doesn’t automatically make your organization HIPAA compliant.
In order to make sure your cloud storage services are HIPAA compliant, be sure to:
- Properly configure the settings
- Check third-party app access to the cloud
- Use specialized tools for log audits to ensure file security and privacy
Health organizations and patients alike rely on strong cybersecurity protocols to keep ePHI safe from damage, destruction, alteration and unauthorized access. Using one of these services can help keep your data safe and your healthcare organization compliant with the law.
Which security features make cloud storage HIPAA-compliant?
HIPAA-compliant cloud storage services all offer:
- Data classification
- Permission restrictions for access and file-sharing
- Encryption and decryption of data
- Two-step authentication or single sign-on
- Activity logs and audit controls to register attempted access and record what is done with the data once accessed
What is the purpose of a Business Associate Agreement (BAA)?
Before a covered entity can use a cloud storage service, it must sign a BAA with the service. This agreement:
- Specifies which PHI the business associate can access
- States how the PHI may be used
- Establishes how the PHI will be returned or destroyed once the task for which it was needed is complete
Does having a BAA ensure my organization’s compliance with HIPAA and the HITECH Act?
No. It is up to you, the healthcare entity, to establish appropriate configurations, create necessary policies and perform due diligence to achieve and maintain HIPAA compliance.