When HIPAA is not Enough
HIPAA requires a healthcare provider, health plan, public health authority, employer, life insurer, school or university, or healthcare clearinghouse to protect health information relating “to the past, present, or future physical or mental health or condition of an individual, the provision or payment of healthcare.” There is also a Security Rule that establishes a national set of security standards for protecting certain health information that is held, removed or transferred in electronic form.
Specifically, the HIPAA Security Rule requires healthcare covered entities, which include cloud service providers and employers, to follow four basic privacy rules related to required administrative, physical, and technical safeguards.
Health records hold a plethora of sensitive information that must remain private: names, birth dates, addresses and phone numbers, social security numbers, medical records, account numbers and images. It is therefore vital to have rules in place to keep this information protected.
Using the cloud to share electronic health records, schedules, medical images and the like has become popular within the healthcare industry because it allows files to follow a patient throughout their health history. It offers other benefits as well: remote access to shared files and databases, higher productivity and better connectivity between workers. It also simplifies management and integration for providers with limited IT resources. The downside is the need for added security. Whether the healthcare provider runs its own private cloud or outsources residency and storage to a cloud service provider (CSP), the provider retains responsibility for HIPAA compliance and must ensure it is met.
BitSight, a security ratings company, analyzed the security performance of six key industry sectors: finance, federal government, retail, energy/utilities, healthcare and education, listed here in order of cybersecurity preparedness. The report concluded, “While HIPAA regulations attempt to ensure patient privacy and security of medical records, certain studies indicate a rise in incidents.” While a great first step in privacy, HIPAA may not be enough. Healthcare organizations need to add a few more 007 methods into their processes and do more than the required HIPAA functions in order to truly secure their environments. For example, the rules don’t say how one must comply, and encryption is not required. HIPAA compliance is an ongoing process of reassessing conditions and technologies, not a completed process.
A cloud service provider (CSP), such as SAP HANA Cloud Platform, can help healthcare organizations meet their HIPAA responsibilities and stay ahead of the curve. While the CSP may not view the files it is transporting, it stores, analyzes and reformats those files, which makes it liable for protecting the data. When data is in transit, it should be encrypted with 256-bit AES, which limits the CSP’s liability as long as it can offer reasonable assurance that the data is properly protected. If a breach occurs while the data is stored in the cloud, the CSP must notify customers.
Other CSP responsibilities include keeping each customer’s data separated, with separate access to servers and firewalls between public and private server zones. IT departments should also keep departmental data separated. Any organization or CSP needs to have policies in place covering access, password management, firewalls, virus protection, encryption, retention and destruction of documents, security incident response plans and risk management. One of the benefits of cloud storage is that data and its back-ups reside offsite, reducing the risk of catastrophic data loss.
HIPAA rules apply only to healthcare providers and their associates, protecting the privacy of data while it is stored in the cloud or in transit, but they are also a good policy for all businesses to follow. It is important to control who has access to which data, because the cloud holds and moves data across multiple databases. For example, payroll data only needs to be shared with Human Resources and Accounting, not with Engineering. Files can be safeguarded through passwords, encryption, and limits on who has access and for how long.
So how do you enable HIPAA compliance to protect sensitive data across multiple databases while keeping it easily accessible? The best line of defense in a collaborative environment is document-level encryption as a critical security measure on top of the HIPAA rules and CSP responsibilities. Any system or database connected to the data must be encrypted, whether at rest or in transit. It is also important to remember that the information should be accessible but not alterable or open to tampering. This means there should be no access key outside of the application layer.
One emerging solution that offers added protection, customizable data access control and easy access to needed information is federated search. Federated search works across multiple databases and applications and returns de-duplicated results, rather than a long list of irrelevant documents or emails, while the existing data silos remain separate. To protect the security of documents and ensure their relevance, users remain in control of their content. Document indexes work in real time, so when a document changes, so does the index.
The biggest gray area of the encryption rules that apply today is the perception that the index is real-time. Most search providers’ indexes are already outdated at the time a user searches them. While the HIPAA rules and the CSP are one step toward protecting the privacy of people’s information, they are simply not enough in today’s world of cloud and mobile demand.