The Critical Layers of HIPAA Compliance Life Sciences Must Meet—and How to Exceed Them in the Cloud

The Life Sciences industry is increasingly tasked with housing and protecting patients’ medical records. It’s a responsibility that requires—by law—vigilant security and privacy safeguards. While these are outlined in the HIPAA Security Rule, at last count this piece of legislation was hundreds of pages long. For brevity’s sake, a very simplified summary follows: wherever protected health information resides, “covered entities” are required to put in place administrative, physical, technology and physical safeguards. To make sure these safeguards are really working, covered entities are further required to perform periodic risk assessments.

Judging by the frequency of data breaches, meeting even minimum HIPAA compliance hasn’t been easy for a multitude of industries—most notoriously, the healthcare space. Prior to the HITECH Act, many providers and medical practices weren’t even encrypting healthcare data. Still today, many are working with aging and fragmented legacy IT infrastructure; a recipe for holes to go undetected for months or longer until the breach occurs.

IT staff availability is another consideration. IT professionals are in great demand across the enterprise—and there aren’t enough of them to upgrade systems, develop applications, collect data for multiple department reports or a host of other ongoing duties, all while keeping a continuous eye out for a data breach attempt. And so, the hacker pounces on the unprepared.

By contrast, in a top tier vendor’s hosting environment, there are multiple layers of compliance internal departments simply don’t have the resources to replicate. Such a partner will have the required expertise—indeed, daily familiarity with—HIPAA compliance and health data security in the following four critical areas:

Physical Security Compliance
The HIPAA Security Rule requires covered entities to develop policies around facility access and device security. Reputable cloud vendors will be able to demonstrate their own policies for an impenetrable data center which at a minimum should include:

• Controlled Secure Facility, Staffed 24/7/365
• 24/7/365 Physical Security Monitoring
• 90-Day Video Surveillance & Retention
• Cabinet/Cage Perimeter Security
• Badge and Biometrics
• Compliance Based Audit Reports
• Security Incident Response Notification

Cloud Infrastructure Compliance

The HIPAA rule requires covered entities to put technical safeguards in place to protect data housed in technology infrastructure. And no doubt, a proven healthcare cloud services provider will have the latest innovations available to safeguard protected health information from digital intrusion and theft. However, it is vitally important to note that security products are but one component. The reality is that successful hackers often use old techniques to successfully break into networks that may have all the latest bells and whistles in security products—but aren’t being properly utilized by overextended IT staff.

To that end, an experienced cloud services vendor is hyperfocused on securing and managing valuable data, and will pair strong products with even stronger human vigilance. A sample blend of these strengths includes:

• Encryption of data at rest and in transit
• Multiple layers of hardened enterprise-grade hardware
• Advanced firewall configurations
• Real-time intrusion detection and prevention
• Private cloud environment
• Multi-tier authentication
• SSL/VPN Secure Access

Managed Services Compliance

Take note of this list—these are the data security management tasks that hackers count on internal IT staff being unable to keep up with. Often they can’t. In a cloud environment, however, there is consistent focus on these activities.

• Integrity monitoring
• Intrusion detection and prevention
• Comprehensive patch management
• Security and compliance audits
• Malware protection
• Log management

Policies, Procedures and Certifications
Policies and procedures must also exceed the requirements of the HIPAA Security Rule. At a minimum, seek a cloud vendor with these credentials and credentialed professionals in place.

• HITRUST-Certified
• Onsite Chief Privacy Officer (CIPP/US, CIPP/IT Certified)
• Documented security policies and procedures
• Documented third party security audits
• Mandatory HIPAA training for all employees twice a year
• Comprehensive Business Associates Agreement to provide maximum protection

Moving to the cloud

One of the arguments against moving to the cloud is the desire to protect and maintain control over data. Many CIOs feel safer when data is managed in an internal data center. Yet in today’s world, it is becoming clear that the opposite is true. A HIPAA-compliant cloud provider will already have created the multi-layered approach required to secure protected health information, which CIOs can inspect and test. They will have the capabilities to secure this data at rest and in-transit, with availability that is as good as or better than keeping the data in-house.