Security Checklist for Choosing a HIPAA Cloud Provider
What to Look for in a HIPAA Hosting Provider
When considering a new HIPAA hosting provider, healthcare entities need to ask key questions to ensure they receive the highest level of ePHI storage security. OnRamp compiled the following questions to ask potential cloud storage providers; the answers will show whether a provider can address your HIPAA compliant hosting needs.
OFFICIAL HIPAA COMPLIANCE PROCESSES
- Is the customer’s infrastructure auditable?
One of the most critical requirements for a HIPAA compliant hosting provider is the ability to facilitate an auditor’s risk assessment of the environment that houses ePHI. Because auditing requires physical inspection, an ideal data center will allow auditors to enter the facility to inspect the individual components that make up the IT environment and the critical systems that are in place to ensure the confidentiality, availability, and uptime of the data that resides on this system.
- Will the provider sign a business associate agreement (BAA)?
To adhere to HIPAA standards, a business associate agreement (BAA) must be executed between the HIPAA covered entity and the HIPAA business associate. The BAA clearly defines the responsibilities of each party in order to maintain compliance.
- How many of the provider’s customers are in healthcare, and how do they facilitate HIPAA compliance with those customers?
When trying to find the best HIPAA compliant cloud hosting provider, it is best that your provider has experience with healthcare customers. Navigating HIPAA compliance is tricky and a cloud hosting provider should be well-versed in addressing the dynamic needs of healthcare businesses. For example, cloud storage providers should be able to define responsibilities for each party in an effort to maintain compliance.
- Does the provider have a HIPAA compliance officer or a designated official that leads the responsibility for HIPAA?
As HIPAA business associates, cloud storage providers must have a designated HIPAA compliance officer or official who is responsible for maintaining HIPAA compliance.
- Does the service provider offer private clouds?
When handling sensitive data like ePHI, a safe cloud environment is paramount. In some cases, this is best achieved through a private cloud. This should include highly secure, highly available, dedicated servers with additional hardware and software that can offer protection from security threats, such as hyperjacking and DDoS attacks.
SECURITY AWARENESS TRAINING
- Does the provider have a structured security awareness program?
A strong HIPAA compliant cloud storage provider will have in place a structured, well-documented program to conduct security awareness training. In compliance with the HIPAA Security Rule, the policies surrounding this program should be reviewed on a regular basis. As HIPAA requirements evolve and are updated, so too should the security awareness program be adjusted. This should all be part of an effort to continually meet HIPAA’s guidelines.
- Does the provider educate staff on its security awareness program?
HIPAA compliance isn’t a one-and-done process; it requires attentive maintenance and attention to detail. Cloud providers should have a formal program in place to educate staff on security procedures and offer ongoing training. Training should be conducted based on the individual’s level of interaction with ePHI or the systems in place to store this sensitive information.
- What is the vendor’s incident response process?
Any quality cloud provider will have an incident response process available for customers. The process should be well-documented, readily available to staff, and have an established timeframe.
- Does it provide FIPS 140-2 Encryption for data in transit?
Cloud providers need to be able to ensure that FIPS 140-2 validated encryption is applied to all ePHI in transit, as dictated by HIPAA. Data should be rendered unusable, unreadable and indecipherable to any unauthorized users who may try to locate or access the data in transit. Any HIPAA compliant cloud provider should be able to facilitate this requirement.
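The in-transit requirement above is something you can check on your own side as well: a client that talks to the provider's storage endpoint should only negotiate TLS 1.2 or later, with AES-GCM cipher suites, and with certificate verification on. The following Go program is an added example written for this checklist, not OnRamp's code. It audits a `tls.Config` against those checks; the allowlist of suites and the `AuditTLSConfig` function are assumptions made here. Passing this audit is necessary but not sufficient: FIPS 140-2 validation applies to the cryptographic module the provider runs, which is a question for the provider, not something a client-side check can prove.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// Allowlist of TLS 1.2 cipher suites built on AES-GCM with ephemeral key
// exchange (constructed for this example). TLS 1.3 suites are not
// configurable in Go's crypto/tls and are always AEAD-based, so they are
// not listed here.
var approvedSuites = map[uint16]bool{
	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: true,
	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: true,
	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:   true,
	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:   true,
}

// suiteName resolves a cipher suite ID to its IANA name for readable findings.
func suiteName(id uint16) string {
	for _, cs := range tls.CipherSuites() {
		if cs.ID == id {
			return cs.Name
		}
	}
	for _, cs := range tls.InsecureCipherSuites() {
		if cs.ID == id {
			return cs.Name
		}
	}
	return fmt.Sprintf("0x%04x", id)
}

// AuditTLSConfig returns one finding per failed check; an empty slice means
// the config sets an explicit TLS 1.2 minimum, pins AES-GCM suites only,
// and verifies the server certificate.
func AuditTLSConfig(cfg *tls.Config) []string {
	var findings []string
	if cfg.MinVersion < tls.VersionTLS12 {
		findings = append(findings, "MinVersion not explicitly set to TLS 1.2 or higher")
	}
	if cfg.InsecureSkipVerify {
		findings = append(findings, "InsecureSkipVerify is set: server certificate is not verified")
	}
	if len(cfg.CipherSuites) == 0 {
		findings = append(findings, "CipherSuites not pinned: relying on library defaults")
	}
	for _, id := range cfg.CipherSuites {
		if !approvedSuites[id] {
			findings = append(findings, "non-approved cipher suite: "+suiteName(id))
		}
	}
	return findings
}

// HardenedClientConfig is a client config that passes AuditTLSConfig.
func HardenedClientConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		},
	}
}

// WeakClientConfig is a constructed example of what the audit should reject.
func WeakClientConfig() *tls.Config {
	return &tls.Config{
		MinVersion:         tls.VersionTLS10,
		InsecureSkipVerify: true,
		CipherSuites: []uint16{
			tls.TLS_RSA_WITH_AES_128_CBC_SHA,
			tls.TLS_RSA_WITH_RC4_128_SHA,
		},
	}
}

func main() {
	for _, f := range AuditTLSConfig(WeakClientConfig()) {
		fmt.Println("weak config:", f)
	}
	fmt.Println("hardened config findings:", len(AuditTLSConfig(HardenedClientConfig())))
}
```

The hardened config is what you would hand to `http.Transport.TLSClientConfig` (or to a database driver) for any connection that carries ePHI; run the audit in a unit test so a later edit that loosens the config fails the build rather than shipping.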
- Does the provider do encryption at rest for SANs or local drives?
Cloud providers should also be able to offer encryption for ePHI at rest on SANs and local drives. The level of encryption for data at rest must meet certain requirements under HIPAA (e.g., AES 256-bit encryption). Confirm with any potential cloud provider that this can be maintained.
- Does the provider offer secure offsite backups?
Much like the safeguards around infrastructure, HIPAA requires that healthcare organizations maintain secure offsite backups, designed to preserve data in the case of a breach or disaster. Cloud providers should offer offsite backups for those who need a cloud-based HIPAA solution to solidify data security.
- Does the provider offer disaster recovery or business continuity solutions?
Ideally, the provider will offer disaster recovery and business continuity solutions to help mitigate the threat of downtime in the event of a disaster. A cloud service provider with multiple data centers that are geographically dispersed and on different power grids can help maintain high availability should such an event occur.
To learn more about HIPAA compliant cloud, consider OnRamp’s dynamic and multilayered security capabilities in private cloud storage, a dedicated private cloud, or virtual private cloud.