HIPAA Compliance in the Cloud

HIPAA rules very specifically define cloud service providers (CSPs) as business associates and they must adhere to the rules governing HIPAA compliance in the cloud.

Cloud Computing Definition (source: NIST)

Cloud Computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

Cloud Computing Service Models (source: ENISA)

  • Software as a service (SaaS): Software offered by a third-party provider, available on demand, usually via the internet, and configurable remotely. Examples include online word processing and spreadsheet tools, CRM services and web content delivery services.
  • Platform as a service (PaaS): Allows customers to develop new applications using APIs that are deployed and configurable remotely. The platforms offered include development tools, configuration management, and deployment platforms.
  • Infrastructure as a service (IaaS): Provides virtual machines and other abstracted hardware and operating systems which may be controlled through a service API.

Cloud Deployment Models Definition (source: NIST)

  • Community Cloud: The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g. mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on premise or off premise.
  • Hybrid Cloud: The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g. cloud bursting for load balancing between clouds).
  • Private Cloud: The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.

HIPAA Compliance Before the Public Cloud

  • At MedVantage, before the public cloud, we built and operated a private cloud infrastructure for the claims and episode treatment group data from Blue Cross Blue Shield plans. This was a lot of work and cost a lot of $.
    • Physical and Environmental Security – Pick the co-location
    • Communication and Operation Management – Server hardening, management of test environments, configuration of network and firewall, network security – NIDS e.g. Snort, log management, encryption of data at rest
    • Access Control – access control configuration via LDAP (e.g. Active Directory), including password management and VPN configuration
    • Incident Management – SSIM, ArcSight
    • Security – DDoS protection and data loss prevention

HIPAA Compliance During the Public Cloud

  • With the advent of Public Cloud HIPAA solutions, you can now build your software on top of these vendors' platforms by having them sign a Business Associate Agreement (BAA)
    • TrueVault – Cloud that provides a REST API to create entities in the Cloud, e.g. Users, Groups, Schemas, Emails
    • Aptible – IaaS – HIPAA Compliant Docker Container – Heroku for HIPAA
    • ClearDATA – IaaS – Different BAA from AWS on notifications of breaches. Continuous security and compliance monitoring; assists with meaningful use.
    • Amazon Web Services – Do it yourself with existing Amazon components.
    • There are others, e.g. FireHost/Armor – Provision and manage dedicated servers in the Cloud
  • Best to use a cloud solution that is focused on healthcare security. Solutions that are not focused on security may be reluctant to provide the information that you need, e.g. audit reports.
  • Each of these vendors provides a different offering, but you're effectively looking for a way to avoid implementing some of the onerous tasks associated with protecting PHI and providing a secure private cloud platform.
  • Only store PHI in the HIPAA-compliant container. If your solution has components that don't need to touch PHI, run those components elsewhere, with all communication to the PHI container going over SSL/TLS.
  • Things to look for when picking a vendor:
    • A Virtual Private Cloud (VPC) sitting on top of AWS, enabling your internal services to run in a private subnet that is inaccessible from the Internet
    • All communication runs through SSL/TLS endpoints or SFTP.
    • Database traffic is encrypted in transit and at rest using FIPS 140-2 approved modules and managed keys. Nightly backups are encrypted and stored in a separate geographic region.
    • Ease of use – A solution with a simple web services API or a command line interface similar to Heroku that makes it easy to deploy code to machine images designed for isolation and privacy.
    • Centralized Access Control system – Every command-line access is logged. DBTunnel – SSH-wrapped tunnel to your database.
    • Automated Risk Management – Server patching is done by the vendor.
  • Remember HIPAA is more than technology – Incident Response, Risk Assessment, Operations, Policies & Procedures, and Security & Compliance Training are all priorities. To help with these, there are compliance cloud platforms that let you manage all of the audit reports needed to prepare for external audits and certifications.
    • QIXpress – QIPSolutions
    • Gridiron – Aptible
    • ClearDATA
    • ZenGRC – Reciprocity Labs
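The "Things to look for when picking a vendor" checklist above is easiest to enforce when it is turned into checks that run against the environment. The script below is an added example, not code from the original page or from any of the vendors named. It audits a constructed inventory (no real account is queried) whose field names mirror the shape of boto3 `describe_*` responses for EC2 subnets and route tables and for RDS instances, parameter groups and snapshots, so the same checks could be run over real API output. The region names and resource identifiers are assumptions; one database is configured as the checklist asks and one is deliberately misconfigured so the audit has something to flag.

```python
"""Audit a constructed IaaS inventory against the PHI-hosting checklist.

Added example, not code from the original page. The inventory is constructed
(no real account); its field names mirror the shape of boto3 describe_*
responses (EC2 describe_subnets / describe_route_tables, RDS
describe_db_instances / describe_db_parameters / describe_db_snapshots) so the
checks could be pointed at real API output. Region names are assumptions.
"""

PRIMARY_REGION = "us-east-1"   # assumption: region hosting the PHI database
BACKUP_REGION = "us-west-2"    # assumption: separate region for backup copies

# Constructed inventory. "phi-db" is set up the way the checklist asks;
# "legacy-db" is deliberately misconfigured so the audit flags it.
INVENTORY = {
    "subnets": {
        "subnet-priv": {"MapPublicIpOnLaunch": False},
        "subnet-pub": {"MapPublicIpOnLaunch": True},
    },
    "route_tables": [
        {"Associations": [{"SubnetId": "subnet-priv"}],
         "Routes": [{"GatewayId": "local"}]},
        {"Associations": [{"SubnetId": "subnet-pub"}],
         "Routes": [{"GatewayId": "local"}, {"GatewayId": "igw-0abc"}]},
    ],
    "db_instances": [
        {"DBInstanceIdentifier": "phi-db",
         "PubliclyAccessible": False,
         "StorageEncrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:000000000000:key/EXAMPLE",
         "BackupRetentionPeriod": 7,
         "AutoMinorVersionUpgrade": True,
         "DBParameterGroups": [{"DBParameterGroupName": "pg-tls"}],
         "DBSubnetGroup": {"Subnets": [{"SubnetIdentifier": "subnet-priv"}]}},
        {"DBInstanceIdentifier": "legacy-db",
         "PubliclyAccessible": True,
         "StorageEncrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:000000000000:key/EXAMPLE",
         "BackupRetentionPeriod": 7,
         "AutoMinorVersionUpgrade": True,
         "DBParameterGroups": [{"DBParameterGroupName": "pg-default"}],
         "DBSubnetGroup": {"Subnets": [{"SubnetIdentifier": "subnet-pub"}]}},
    ],
    # parameter group name -> {ParameterName: ParameterValue}
    # rds.force_ssl is the PostgreSQL-family parameter; other engines use a different name.
    "db_parameters": {
        "pg-tls": {"rds.force_ssl": "1"},
        "pg-default": {"rds.force_ssl": "0"},
    },
    # region -> snapshots visible in that region
    "db_snapshots": {
        PRIMARY_REGION: [{"DBInstanceIdentifier": "phi-db"},
                         {"DBInstanceIdentifier": "legacy-db"}],
        BACKUP_REGION: [{"DBInstanceIdentifier": "phi-db"}],
    },
}


def subnet_has_internet_route(inv, subnet_id):
    """True if a route table associated with the subnet routes to an internet gateway."""
    for table in inv["route_tables"]:
        if any(a.get("SubnetId") == subnet_id for a in table["Associations"]):
            if any(r.get("GatewayId", "").startswith("igw-") for r in table["Routes"]):
                return True
    return False


def check_instance(inv, db):
    """Return the checklist controls the database instance fails, as short names."""
    findings = []
    # Private subnet: no auto-assigned public IPs and no route to an internet gateway.
    for s in db["DBSubnetGroup"]["Subnets"]:
        sid = s["SubnetIdentifier"]
        if inv["subnets"][sid]["MapPublicIpOnLaunch"] or subnet_has_internet_route(inv, sid):
            findings.append("private-subnet")
            break
    if db["PubliclyAccessible"]:
        findings.append("not-publicly-accessible")
    # TLS in transit: every attached parameter group must force SSL.
    for pg in db["DBParameterGroups"]:
        params = inv["db_parameters"].get(pg["DBParameterGroupName"], {})
        if params.get("rds.force_ssl") != "1":
            findings.append("tls-in-transit")
            break
    # Encryption at rest with a managed key.
    if not (db["StorageEncrypted"] and db.get("KmsKeyId")):
        findings.append("encrypted-at-rest")
    # Backups are taken and a copy exists in the separate region.
    offsite = any(s["DBInstanceIdentifier"] == db["DBInstanceIdentifier"]
                  for s in inv["db_snapshots"].get(BACKUP_REGION, []))
    if db["BackupRetentionPeriod"] < 1 or not offsite:
        findings.append("offsite-backups")
    # Patching delegated to the vendor.
    if not db["AutoMinorVersionUpgrade"]:
        findings.append("vendor-patching")
    return findings


def audit(inv):
    """Map each database identifier to the controls it fails (empty list = pass)."""
    return {db["DBInstanceIdentifier"]: check_instance(inv, db)
            for db in inv["db_instances"]}


if __name__ == "__main__":
    for name, failed in audit(INVENTORY).items():
        print(f"{name}: {'PASS' if not failed else 'FAIL ' + ', '.join(failed)}")
```

Run as-is the script reports `phi-db` as passing and `legacy-db` as failing the private-subnet, public-accessibility, TLS and offsite-backup controls. Pointing it at a real account means replacing `INVENTORY` with the corresponding `describe_*` calls for each region; the checks themselves do not change. Note that the policy and training items on the page (incident response, risk assessment, workforce training) cannot be audited this way and still need the compliance platforms listed above.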

Questions to consider

Are cloud computing resources utilized to deliver the service? If YES state the type of services utilized (IaaS, SaaS, PaaS, or other cloud services)

Specify the cloud deployment method utilized to deliver the service

Can we perform independent vulnerability assessments of your environment?

Will data be logically isolated such that it can be recovered in the case of failure/data loss, or securely destroyed, without inadvertently accessing another customer's data?

Do you allow customers to define acceptable geographical locations for data routing or service hosting and presentation?

Are customers allowed to specify which of your geographic locations data is allowed to traverse into/out of (to address legal jurisdictional considerations based on where data is stored vs. accessed)?