One of the biggest challenges facing organizations that work with electronic protected health information (ePHI) is keeping that information secure. You must process, transmit, and store the data so that it’s readily available without compromising your level of HIPAA compliance. Maintaining compliance also means you must be certain that any outside vendors you work with, referred to as Business Associates by HIPAA, are also compliant with HIPAA rules. One of these vendors will likely be your IT provider, offering you colocation data center space or more in depth services like cloud computing.
The rules for complying with HIPAA regulations are complex and continually evolving. If you, or a Business Associate, violate compliance, the costs can be significant and can include legal repercussions, regulatory fines and related expenses, and damage to your company’s reputation. According to the “2016 Cost of a Data Breach Study: Global Analysis” published by IBM and the Ponemon Institute, the average cost of a data breach is now $4 million dollars. This estimated cost is up 29% from the $3.79 million reported in 2015. The average cost per stolen record is $158.
“The biggest financial consequence to organizations that experienced a data breach is lost business. Following a breach, enterprises need to take steps to retain customers’ trust to reduce the long-term financial impact,” writes Chairman and Founder of the Ponemon Institute, Larry Ponemon, in a post for SecurityIntelligence.com.
But, there are actionable steps that you can take to protect yourself. You should start by partnering with an IT provider that stays abreast of compliance regulations and understands the importance of meeting those standards. With their expertise, you’ll more easily be able to develop and implement a plan to protect your sensitive data.
Recommended Hosting Options for Compliance
Most small business IT leaders see value in using a combination of colocation and cloud solutions to save costs, become more efficient and remain HIPAA compliant.
Colocation is a great option when you’re tired of operating your own facility, but don’t want someone else to manage your applications and business-critical systems. Make sure your expectations are aligned and be sure to look for these features:
Highly secure data centers built with the latest technology at a predictable, fixed price. Choose a vendor that allows for 24/7 access to your equipment, so you can come and go as issues arise. Take notes about their physical security measures, such as camera monitoring and access controls, as well as how they defend you against natural and man-made disasters. The goal is to stay online and protected, so be sure to ask about heating and cooling, where the power comes from, discuss Internet connectivity and bandwidth needs.
You’ve hired a team of IT experts and are confident that they have vetted your technology and processes to prevent and address an issue when it does arise. From data encryption to network firewalls, you know exactly what security measures are in place and don’t rely on and outside party for assistance.
Some data centers have onsite engineers that aren’t part of your colocation plan, but can be called upon to assist when you’re in dire straits. Even if it’s not an option you’ll need every day, having experts available when your IT team is occupied or unavailable can be an invaluable resource.
Why Use Private Clouds
Cloud computing offers the best combination of flexibility, availability and performance. In any discussion about the cloud, it’s important to note there are three different types of clouds: public, private, and hybrid. The public cloud consists of applications and storage that are available to the general public. Public cloud solutions can offer certain economies but are not recommended for organizations with highly sensitive data.
Private clouds are owned and used by only one organization, and, therefore, are the most effective way to remain compliant. Private cloud solutions tend to be more expensive than public cloud services, but are well worth the investment and are ultimately cheaper than the costs associated with a compliance breach. Many private cloud computing solutions, like those offered by OnRamp, are built on dedicated, compliance-critical hardware with the most advanced software features to help you meet HIPAA’s strict compliance requirements. OnRamp’s HIPAA Compliant Cloud offers storage and backup solutions with encryption at the file, application or database level to meet the highest standards of privacy and security. Furthermore, you’ll want to look for managed security services like VPN tunnels, malware protection, log management, intrusion detection and prevention, and vulnerability scanning, to name a few.
Putting It All Together: Hybrid Solutions with the Right Partner
Hybrid computing solutions built on private cloud-delivered computing capacity and colocation services are ideal for companies with high-security needs and sensitive data. The two solutions pair well together—once you’ve worked with your colocation provider for a while, and they’ve earned your trust, you know they’re capable of developing a cloud environment that suits your needs.
Although there are many hosting providers to choose from, we have a few examples of how a high security hosting company, like OnRamp, can craft a secure and HIPAA-compliant hybrid solution using a combination of data facility and secure, compliant private cloud services:
- OnRamp’s 3-step HIPAA Risk Management Tool enables clients to discover, assess, and manage risks associated with storing PHI. The tool asks you a series of questions to see what steps you’re taking to maintain patient records and analyzes your HIPAA compliance. It produces a system characterization diagram that assists you in evaluating the best way to protect PHI from malicious activity. Finally, it results in a Business Associate Agreement (BAA) spelling out what actions OnRamp will take to safeguard your protected health information.
- OnRamp provides HIPAA-compliant private cloud services built on dedicated, compliance-critical hardware to create a secure private cloud environment, which offers flexible, scalable computing resources in a compliant, high-security infrastructure with highly available configurations.
- Full7Layer Support provides support through all seven layers of the operations stack, going above and beyond routine requests. Unlike many competitors, the Full7Layer Support Program means OnRamp’s engineers are available 24 hours a day, every day of the year, to satisfy data center needs, from server reboots to handling more complex on-demand troubleshooting.
- As an SSAE 16 SOC 2 Type 2 certified, PCI and HIPAA compliant company, OnRamp provides its customers with BAAs that meet their HIPAA regulatory needs, so you can rest assured your PHI is protected in the event of a disaster. Their team stays in the know about new IT solutions to comply with ever-changing HIPAA regulations, passing along valuable knowledge and offering suggestions to improve your IT infrastructure.
- OnRamp’s engineers are trained in HIPPA Disaster Recovery Standards, enabling them to assist in disaster recovery planning and implementation.
Your company’s specific requirements will determine which approach is best for protecting ePHI. If you are considering a move to the cloud, researching your colocation options, or wondering whether a hybrid solution suits your organization’s needs, contact the engineers at OnRamp. They’ll walk you through the pros and cons of each solution—and make recommendations to help you maintain HIPAA compliance.
Additional Resources on This Topic: