If you’re thinking about migrating a highly sensitive application to the cloud, consider using HIPAA requirements as a way to vet potential providers.
Federal law requires organizations dealing with private health information to adhere to strict security guidelines defined by the Health Insurance Portability and Accountability Act (HIPAA). Given that HIPAA regulations are an excellent risk-management strategy, non-healthcare companies can use a HIPAA-compliant strategy to protect sensitive information like credit card numbers and private customer information.
HIPAA compliance requires businesses to “maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI (Electronic Personal Health Information),” but this could apply to any dataset. At a high level, here’s what you get with HIPAA compliance:
• Administrative safeguards include training employees on proper procedures for accessing and handling sensitive information and other onsite data access. Business Associate Agreements (BAAs), which ensure that any third party hosting protected information does so safely, also fall under administrative safeguards.
• Technical safeguards include encrypting sensitive data, ensuring data is not transmitted over a network unless encrypted, and implementing authentication systems to ensure the right person is accessing sensitive information.
• Physical safeguards are measures such as password-protecting computers containing e-PHI, properly disposing of devices that held patient records, and limiting access to areas housing this data.
If those safeguards sound like they would be nice to have for the application you are thinking of moving to the cloud, look for providers that have hardware and software infrastructure and compliance certifications to meet the very strict HIPAA compliance regulations. Here are the seven key elements:
1. Business Associate Agreement — A HIPAA business associate agreement (BAA) is a required contract between a HIPAA-covered entity (your company) and a HIPAA business associate (vendor). The signed BAA contractually obligates the vendor to protect your data. This means that the vendor shares liability with your company in the event of a data breach.
2. Data Encryption — All remote access, system administration connections and data transfers should be encrypted using an SSL VPN (virtual private network), with access allowed only with dual-factor authentication. All data traveling across an encrypted VPN should use very strong encryption, typically 256-bit secure sockets layer (SSL). Backups of all customer data should be encrypted, and controls should be put in place to limit and log all access to any backups.
3. Backup — There should be backup procedures to create and maintain retrievable exact copies of all data in the form of daily incremental backups and weekly full backups. Offsite backup is also a key requirement of a disaster recovery plan. To mitigate the risk of catastrophic data loss, there should be redundant data center facilities, with backups further replicated to another data center in a different location. Backups should also be replicated to an offsite data center facility in a different location every 24 hours.
4. Physical, Logical and Network Access Controls — There should be excellent physical, logical and network access controls in place, and compliance with PCI, SSAE 16, and Safe Harbor is also an important additional safeguard. There should be separation between each customer’s data, separate and defined server roles, logging for all access to servers, and firewalls between public and private server zones. There should also be documented policies and controls for access control, password management, firewalls, virus protection, data classification, encryption, retention, destruction, production change management, incident/problem management, security incident response plans and risk management.
5. Vulnerability Management and Logging — Regular assessment of application vulnerabilities is a key part of providing the highest levels of data security. There should be:
• Monthly third-party vulnerability and penetration scans, with security teams reviewing the scan results and remediating all threats found.
• Extended validation with a third party.
• Whitelists on IDS/IPS and web application firewalls so that vulnerability scanners have an enhanced view into the infrastructure, along with timely infrastructure patching to ensure all security updates are applied.
• Security research for proactive notification of potential threats.
• Comprehensive logging built into the entire environment.
• File integrity monitoring to detect changes to system files and prevent back doors and rootkits.
• Log offloading into external log servers to prevent attackers from “covering their tracks.”
• Enhanced retention of firewall, web application firewall, and event logs, and dual-factor authentication with extended logging for remote users.
6. Security, Incident, and Training Policies — HIPAA-compliant data centers should have a comprehensive set of documented policies that evolve in accordance with security standards and best practices. These security policies go beyond basic data center compliance and encompass how technology, people and processes come together to drive outcomes to protect data. The policy documents that should be available for review include Annual SOC 2 Type 2 Auditors Report, Patching and Maintenance Policy and Escalation Procedures.
7. SSAE 16 SOC 2, Type 2 Certified Facilities-Controls-Process — SSAE 16, also called Statement on Standards for Attestation Engagements 16, is a regulation created by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) for defining how data centers report on compliance controls. An SSAE 16 SOC 2 Type 2 certification is the most comprehensive approach: all processes are validated against a rigorous set of controls by an independent team of CPA auditors. An annual SSAE 16 SOC 2 Type 2 compliance report should be shared by the HIPAA-compliant vendor. The SOC 2 framework is a comprehensive set of criteria known as the Trust Services Principles.
Type 2 SSAE certification, as opposed to the less rigorous Type 1 SSAE certification, uses the following, more demanding criteria:
• The description of the service organization’s system was designed and implemented over the period of examination, typically one year, rather than as of a single specified report date.
• The control objectives stated in the description were suitably designed to achieve compliance over the period of examination, typically one year, rather than as of a single report date.
In summary, the public cloud is ubiquitous, and many organizations allow at least some customer data to be accessible through the Internet. This is a very radical change from just five years ago. HIPAA compliance when implemented in non-healthcare companies can significantly increase security and decrease liability.
Avignone founded Giva in 1999 and is based in Silicon Valley, California serving customers worldwide. Giva was among the first to provide a suite of help desk and customer service/call center applications architected for the cloud.
This story, "Even if you’re not in healthcare, use HIPAA to safeguard that cloud app" was originally published by Network World.