Scott Williams

Avoid HIPAA Violations

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) has a massive impact on how companies in the healthcare industry operate. HIPAA sets forth a number of national standards for protecting protected health information (PHI) from disclosure.

Avoiding HIPAA violations is a constant concern. The U.S. Department of Health & Human Services’ (HHS) Office for Civil Rights (OCR) can impose monetary penalties for violations—not to mention the potential for lawsuits from affected patients.

With more and more healthcare organizations moving their records onto the cloud for faster processing and easier access, it’s not just important to know how to avoid HIPAA violations in the cloud—this knowledge is a necessity.

Know the Rules

The HIPAA security rule has a few broad-strokes general rules that healthcare providers must follow to avoid a violation. As stated on the HHS.gov website, these rules are that “covered entities must:

  1. Ensure the confidentiality, integrity, and availability of all e-PHI they create, maintain, or transmit;
  2. Identify and protect against reasonably anticipated threats to the security or integrity of the information;
  3. Protect against reasonably anticipated, impermissible uses or disclosures; and
  4. Ensure compliance by their workforce.”

These rules cover any health plans, healthcare clearinghouses, and healthcare providers who handle health information in electronic form covered under HIPAA’s standards.

You may have noticed that these rules are broadly worded. The term “reasonably anticipated threats” could cover any number of cyber-attacks, accidental disclosures, and even random glitches in a healthcare system’s computer network. As such, it can be hard to ensure compliance with HIPAA.

A good starting point is to consider each rule individually and establish some strategies for meeting them one by one.

Ensuring Confidentiality, Integrity, and Availability on the Cloud

To ensure confidentiality and integrity on the cloud, businesses need to use strong protective measures such as perimeter firewalls, antivirus, intrusion detection and prevention systems, and constant vigilance against cyber threats.

To ensure availability of data on the cloud, businesses need to have a comprehensive disaster recovery (DR) plan in place that features strong system redundancy to eliminate single points of failure.

This way, if an attack takes down the healthcare company’s primary data environment, a second failsafe environment will be ready to take over the needs of the company at a moment’s notice to keep data available when it’s needed.

Remaining Vigilant: Identifying and Protecting Against Foreseeable Threats

The second rule for HIPAA security has a lot of overlap with the first. By placing strong security such as data encryption, firewall, etc. on your cloud infrastructure, you’re already taking some steps to protect against “reasonably anticipated threats.”

However, this rule also requires you to take steps to identify threats. Here, intrusion detection and event-logging systems are a must.
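Event logs are only useful for identifying threats if somebody (or something) actually reviews them. The script below is an added illustration of that review step, not WHOA.com code or part of the Threat Observation Platform™: it reads a constructed, hypothetical access-log format (timestamp, user, source IP, event, optional record ID) and flags two foreseeable threats, a burst of failed logins from one source address and one account viewing an unusual number of distinct patient records in a short window. The log format, field names and thresholds are all assumptions chosen for the example.

```python
"""Review e-PHI access logs for two foreseeable threats: a password-guessing
burst against a login endpoint, and one account sweeping through many distinct
patient records. Added example; log format and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions; tune them to the size of your own practice.
FAILED_LOGIN_THRESHOLD = 5                 # failures from one source IP ...
FAILED_LOGIN_WINDOW = timedelta(minutes=5)  # ... within this window
RECORD_VIEW_THRESHOLD = 10                 # distinct records by one user ...
RECORD_VIEW_WINDOW = timedelta(minutes=10)  # ... within this window

# Constructed sample log (hypothetical format: time user src_ip event [record]).
SAMPLE_LOG = """\
2024-05-01T08:00:01 dr.lee 10.0.4.12 LOGIN_OK
2024-05-01T08:00:05 dr.lee 10.0.4.12 RECORD_VIEW MRN-1001
2024-05-01T08:15:10 dr.lee 10.0.4.12 RECORD_VIEW MRN-1002
2024-05-01T08:20:00 admin 203.0.113.7 LOGIN_FAIL
2024-05-01T08:20:04 admin 203.0.113.7 LOGIN_FAIL
2024-05-01T08:20:09 admin 203.0.113.7 LOGIN_FAIL
2024-05-01T08:20:13 admin 203.0.113.7 LOGIN_FAIL
2024-05-01T08:20:18 admin 203.0.113.7 LOGIN_FAIL
2024-05-01T08:20:22 admin 203.0.113.7 LOGIN_FAIL
2024-05-01T08:30:00 nurse.kim 10.0.4.30 LOGIN_FAIL
2024-05-01T08:30:20 nurse.kim 10.0.4.30 LOGIN_OK
2024-05-01T09:00:00 nurse.kim 10.0.4.30 RECORD_VIEW MRN-2001
2024-05-01T09:00:40 nurse.kim 10.0.4.30 RECORD_VIEW MRN-2002
2024-05-01T09:01:20 nurse.kim 10.0.4.30 RECORD_VIEW MRN-2003
2024-05-01T09:02:00 nurse.kim 10.0.4.30 RECORD_VIEW MRN-2004
2024-05-01T09:02:40 nurse.kim 10.0.4.30 RECORD_VIEW MRN-2005
2024-05-01T09:03:20 nurse.kim 10.0.4.30 RECORD_VIEW MRN-2006
2024-05-01T09:04:00 nurse.kim 10.0.4.30 RECORD_VIEW MRN-2007
2024-05-01T09:04:40 nurse.kim 10.0.4.30 RECORD_VIEW MRN-2008
2024-05-01T09:05:20 nurse.kim 10.0.4.30 RECORD_VIEW MRN-2009
2024-05-01T09:06:00 nurse.kim 10.0.4.30 RECORD_VIEW MRN-2010
"""


def parse_log(text):
    """Turn raw log lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        events.append({
            "ts": datetime.fromisoformat(parts[0]),
            "user": parts[1],
            "ip": parts[2],
            "event": parts[3],
            "record": parts[4] if len(parts) > 4 else None,
        })
    return events


def _burst(times, threshold, window):
    """True if at least `threshold` timestamps fall inside some `window`."""
    times = sorted(times)
    start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False


def find_login_bursts(events):
    """Source IPs with a burst of failed logins (password guessing)."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event"] == "LOGIN_FAIL":
            by_ip[e["ip"]].append(e["ts"])
    return sorted(ip for ip, t in by_ip.items()
                  if _burst(t, FAILED_LOGIN_THRESHOLD, FAILED_LOGIN_WINDOW))


def find_record_sweeps(events):
    """Users who viewed many distinct records in a short window (snooping)."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "RECORD_VIEW":
            by_user[e["user"]].append((e["ts"], e["record"]))
    flagged = []
    for user, views in by_user.items():
        views.sort()
        for i, (t0, _) in enumerate(views):
            distinct = {r for t, r in views[i:] if t - t0 <= RECORD_VIEW_WINDOW}
            if len(distinct) >= RECORD_VIEW_THRESHOLD:
                flagged.append(user)
                break
    return sorted(flagged)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("failed-login bursts from:", find_login_bursts(evs))
    print("record sweeps by:", find_record_sweeps(evs))
```

Both findings are starting points for an investigation rather than verdicts: a record sweep may be a legitimate ward round, and the source IP of a login burst may be a shared NAT address, which is exactly why the log needs to carry enough context (user, source, record) to trace an event back to its origin.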

Programs such as WHOA.com’s Threat Observation Platform™ give you the ability to easily identify, classify, and trace attacks back to their source—enabling you to take better protective measures against them.

Combined with expert support from WHOA’s experienced team of IT security professionals, the Threat Observation Platform™ can be the ultimate platform for protecting healthcare companies on the cloud.

Convenience Can Be a Double-Edged Sword: Creating Security Policies for Your Workforce

Every employee with access to your systems needs to follow a strict set of security rules to ensure HIPAA compliance.

One of the biggest selling points of the cloud is that it can make sharing and distributing information across multiple practices quick and easy.

Many healthcare organizations use the cloud for the purpose of creating convenient access to patient data so every specialist at every clinic the patient goes to will have the patient’s whole treatment history at their fingertips.

However, this convenience can be a double-edged sword for organizations that don’t put in enough protections to balance it out.

To keep data on the cloud safe, it’s important to use strong account security for user logins, including (but not limited to):

  • Complex passwords with uppercase & lowercase letters, numbers, and symbols
  • Multi-factor authentication to back up passwords (authentication keys, biometrics, etc.)
  • Tight access restrictions based on user role
  • Routine “cleaning up” of old or unused user accounts

You probably want the doctors in your healthcare network to have easy access to the data they need to safely and efficiently treat patients—but there have to be some controls and restrictions on data access to protect it from being shared with unauthorized persons.

Creating some basic rules for accessing data and enforcing them can go a long way towards preventing HIPAA violations.
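The four account controls listed above are easiest to enforce when they are written down as a rule set and checked on a schedule. The script below is an added example of such a periodic account review; it is not WHOA.com code. The role-to-permission matrix, the account records, the 90-day inactivity limit and the 12-character minimum password length are all constructed assumptions (the post itself names the character classes for a complex password but not a length). It flags accounts that lack multi-factor authentication, hold permissions beyond their role, or have gone unused, and it includes the password-policy check that would run when a password is set.

```python
"""Periodic review of cloud user accounts against a written access policy.
Added example; roles, permissions, accounts and limits are constructed."""
from datetime import date, timedelta
import string

INACTIVITY_LIMIT = timedelta(days=90)  # assumption: disable after 90 idle days
MIN_PASSWORD_LENGTH = 12               # assumption: the post names classes only
TODAY = date(2024, 5, 1)               # constructed review date

# Constructed least-privilege matrix: the most each role may hold.
ROLE_PERMISSIONS = {
    "physician": {"view_phi", "edit_chart"},
    "billing": {"view_billing"},
    "helpdesk": {"reset_password"},
}

# Constructed account records as an identity provider export might look.
ACCOUNTS = [
    {"user": "dr.lee", "role": "physician", "mfa": True,
     "permissions": {"view_phi", "edit_chart"}, "last_login": date(2024, 4, 28)},
    {"user": "b.patel", "role": "billing", "mfa": True,
     "permissions": {"view_billing", "view_phi"}, "last_login": date(2024, 4, 30)},
    {"user": "helpdesk2", "role": "helpdesk", "mfa": False,
     "permissions": {"reset_password"}, "last_login": date(2024, 1, 3)},
    {"user": "locum.old", "role": "physician", "mfa": True,
     "permissions": {"view_phi"}, "last_login": None},
]


def password_meets_policy(password):
    """Upper, lower, digit and symbol all present, plus a minimum length."""
    has = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    return len(password) >= MIN_PASSWORD_LENGTH and all(has)


def review_accounts(accounts, today=TODAY):
    """Return (user, finding) pairs for every policy deviation."""
    findings = []
    for acct in accounts:
        if not acct["mfa"]:
            findings.append((acct["user"], "mfa_not_enrolled"))
        # Anything beyond what the role allows is an excess grant to remove.
        excess = acct["permissions"] - ROLE_PERMISSIONS.get(acct["role"], set())
        if excess:
            findings.append((acct["user"],
                             "excess_permissions:" + ",".join(sorted(excess))))
        # Never-used or long-idle accounts are candidates for disabling.
        last = acct["last_login"]
        if last is None or today - last > INACTIVITY_LIMIT:
            findings.append((acct["user"], "inactive_disable"))
    return findings


if __name__ == "__main__":
    for user, finding in review_accounts(ACCOUNTS):
        print(f"{user}: {finding}")
    print("policy ok:", password_meets_policy("Correct-Horse42!"))
```

Each finding maps back to one bullet in the list above, so the output doubles as the evidence that the review happened, which is useful when an auditor asks how workforce compliance is enforced rather than merely hoped for.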

Need help setting up a HIPAA-compliant cloud that blends ease of management with powerful security & compliance? Get started with a WHOA.com Secure Cloud now!
