Health care organizations are increasingly open to the idea of using public cloud services, whether it be applications or infrastructure. But to do so requires thorough planning and vigilant execution of IT operations.
Chris Bowen, founder and chief privacy and security officer for ClearDATA, a company that helps health care organizations use public cloud services, provides nine examples of controls that can be put in place.
- Implement audit controls: Use tools such as AWS CloudTrail and S3 buckets as key components of a logging infrastructure.
- Review system activity: Leverage audit logs to enable the review of activity within your system.
- Identity and access management controls: Keep track of every user who logs into a cloud environment and what they do; alert administrators if settings are changed.
- Disaster recovery: Ensure there are backups of all data to satisfy contingency plan requirements, including emergency mode operation.
- Evaluate your security posture: Conduct vulnerability scans, penetration tests, and code scans on systems processing Personal Health Information (PHI).
- Establish a proper Business Associate Agreement: Outline key responsibilities between you and your vendors. These should address responsibilities for keeping data safe, how to provide patients with access to their data, and what to do in the case of a data breach.
- Access controls: Ensure every user is unique and logged. Enable auto-logoff features, robust authentication features, and stateful security groups.
- Encrypt PHI and other sensitive data: Encrypt all data in motion and at rest using a purpose-designed approach.
- Ensure transmission security: Properly encrypt data in transit with SSL/TLS using AES-256 cipher suites, and use object keys where feasible.
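The audit-control, activity-review and settings-change items above all rest on the same raw material: CloudTrail records landed in an S3 bucket. The script below is an added example, not code from the article or from ClearDATA, showing the two checks a reviewer would run over such a file: a per-user activity count, and an alert for every API call that changes a security-relevant setting (security group rules, IAM policies, logging itself). The CloudTrail records are constructed for this example, and the watch-list of event names is an assumption to be extended for your own environment.

```python
import json
from collections import Counter

# Constructed sample of a CloudTrail log file (the "Records" array format);
# the events, users, IDs and addresses are invented for this example.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2017-03-01T10:00:12Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"groupId": "sg-0123abcd"}},
    {"eventTime": "2017-03-01T10:03:40Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "203.0.113.22",
     "requestParameters": {"bucketName": "phi-archive", "key": "2017/record-1.pdf"}},
    {"eventTime": "2017-03-01T10:07:05Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "203.0.113.22",
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2017-03-01T10:09:50Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Admin/carol"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"userName": "bob",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2017-03-01T10:11:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListObjects",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"bucketName": "phi-archive"}},
]})

# Watch-list of API calls that change security-relevant settings. Which calls
# to include is this example's assumption; extend it for the services you run.
SETTING_CHANGE_EVENTS = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail"},
    "ec2.amazonaws.com": {"AuthorizeSecurityGroupIngress",
                          "AuthorizeSecurityGroupEgress",
                          "RevokeSecurityGroupIngress"},
    "iam.amazonaws.com": {"AttachUserPolicy", "PutUserPolicy",
                          "CreateAccessKey", "DeleteUser"},
    "s3.amazonaws.com": {"PutBucketPolicy", "PutBucketAcl",
                         "DeleteBucketEncryption"},
}


def actor(record):
    """Return a readable identity for the principal behind a record."""
    ident = record.get("userIdentity", {})
    # IAM users carry userName; assumed roles only carry the session ARN.
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def activity_by_user(trail_json):
    """Count API calls per principal: the per-user activity review."""
    records = json.loads(trail_json)["Records"]
    return dict(Counter(actor(r) for r in records))


def find_setting_changes(trail_json):
    """Return one alert for every record that modifies a watched setting."""
    alerts = []
    for r in json.loads(trail_json)["Records"]:
        watched = SETTING_CHANGE_EVENTS.get(r.get("eventSource"), set())
        if r.get("eventName") in watched:
            alerts.append({
                "time": r["eventTime"],
                "who": actor(r),
                "from": r.get("sourceIPAddress"),
                "what": r["eventName"],
                "target": r.get("requestParameters", {}),
            })
    return alerts


if __name__ == "__main__":
    for user, n in activity_by_user(SAMPLE_TRAIL).items():
        print(f"{user}: {n} API calls")
    for a in find_setting_changes(SAMPLE_TRAIL):
        print(f"ALERT {a['time']} {a['who']} ({a['from']}) {a['what']} {a['target']}")
```

On the constructed sample, the script flags the security-group rule change, the StopLogging call (an attempt to blind the audit trail, which should page an administrator immediately) and the policy attachment that grants administrator rights. In production, the same two functions would run against each new object delivered to the CloudTrail bucket, with the alerts routed to whoever is on call.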
This story, "9 keys to having a HIPAA-compliant cloud" was originally published by Network World.