9 keys to having a HIPAA-compliant cloud

There’s no reason health care organizations can’t use the cloud

Health care organizations are increasingly open to the idea of using public cloud services, whether it be applications or infrastructure. But to do so requires thorough planning and vigilant execution of IT operations.

Chris Bowen, founder and chief privacy and security officer for ClearDATA, a company that helps health care organizations use public cloud services, provides nine examples of controls that can be put in place.

1. Implement audit controls: Use tools such as AWS’ Cloudtrail and S3 buckets as key components of a logging infrastructure.
2. Review system activity: Leverage audit logs to enable the review of activity within your system.
3. Identity and Access management controls: Keep track of every user who logs into a cloud environment and what they do; alert administrators if settings are changed.
4. Disaster recovery: Ensure there are backups of all data to satisfy contingency plan requirements, including emergency mode operation.
5. Evaluate your security posture: Conduct vulnerability scans, penetration tests, and code scans on systems processing Personal Health Information (PHI).
6. Establish a proper Business Associate Agreement: Outline key responsibilities between you and your vendors. These should address responsibilities for keeping data safe, how to provide patients with access to their data, and what to do in the case of a data breach.
7. Access Controls: Ensure users are unique and logged. Enable auto logoff features, robust authentication features, and stateful security groups.
8. Encrypt PHI and other sensitive data: Encrypt all data in motion and in rest using a purpose-designed approach.
9. Ensure transmission security: Effectively enable the proper encryption of data in transit using AES 256 encryption (SSL and TLS) as well as object keys where feasible.

About the Author

Brandon Butler — Senior Editor

Senior Editor Brandon Butler covers the cloud computing industry for Network World by focusing on the advancements of major players in the industry, tracking end user deployments and keeping tabs on the hottest new startups. He contributes to NetworkWorld.com and is the author of the Cloud Chronicles blog. Email him at bbutler@nww.com and follow him on Twitter @BButlerNWW.

Originally published September 20, 2016 by Network World.