- HIPAA is the primary healthcare regulation in the US, with strict privacy and security requirements for handling patient data.
- As healthcare organizations digitalize, they must ensure they meet compliance regulations – particularly when it comes to cloud usage.
- It’s not enough for organizations to rely on their cloud providers for security. Human error, malicious actors and misconfigurations are potent compliance risks that leave healthcare organizations liable to fines.
- Cloud-based data loss prevention is an invaluable tool for organizations looking to protect patient data and meet regulations like HIPAA.
Healthcare organizations process a wealth of sensitive and private data that comes under government regulation. The Health Insurance Portability and Accountability Act (HIPAA) is the central healthcare regulation in the United States. HIPAA has strict rules around how protected patient health information is processed and stored. To be compliant, healthcare organizations must meet these rules.
In theory, protecting healthcare data should be straightforward – but the record shows that it’s something companies still struggle with today. More than 186,000 Privacy Rule complaints have been filed since 2003, according to HHS.gov. It’s clear that, while there are strict rules in place for patient data, following them isn’t so easy.
One of the main reasons for this is the proliferation of cloud computing and SaaS applications. With the pandemic, healthcare organizations accelerated their adoption of tools for telemedicine and remote collaboration. In line with this, a key challenge for healthcare organizations today is ensuring that medical data is stored, processed and transferred compliantly when employees and patients are communicating across digital channels.
What’s a covered entity?
In HIPAA, covered entities are healthcare providers and organizations that process electronic patient data. Doctors, pharmacies, healthcare insurance companies, healthcare clearinghouses, and health maintenance organizations are all considered covered entities.
By law, covered entities must comply with HIPAA – and there are steep consequences if they fail to do so. When it comes to patient data, there are strict security rules, which organizations must demonstrate compliance with through various controls.
The HIPAA Security Rule
The HIPAA Security Rule contains the standards that govern how patient data should be created, accessed, processed and stored. There are three safeguards that must be put in place:
Administrative: Focuses on the policies and procedures that safeguard against a data breach, including documentation process, roles and responsibilities, training and data practices.
Physical: Ensures that data is physically secure using measures such as CCTV, secure computer locations and manual measures like locked doors and windows.
Technical: Focuses on the technology solutions that prevent data from being maliciously or improperly accessed. Standard solutions for this include encryption, data loss prevention and multi-factor authentication.
What does HIPAA say about cloud workflows?
Covered entities are allowed to use cloud service providers (CSPs) for storing ePHI but, to do so, they’ll first need to enter into a formal, HIPAA-compliant Business Associate Agreement (BAA). BAAs must be in place before engaging with any CSP. They’re a safeguard that requires your CSP to have the proper security controls in place for HIPAA compliance. Please note, HIPAA itself doesn’t endorse any particular vendors or technology providers.
Here are the key features of BAAs:
Privacy Rule: The CSP must ensure it only stores and discloses PHI as allowed by the BAA and HIPAA Privacy Rule.
Security Rule: PHI must be properly protected from a data breach – both when data is at rest and when it is in transit.
Breach Notification Rule: If there is a breach, it must be reported to HHS.
As well as signing a BAA, you’ll want to conduct a risk assessment to ensure that your provider has adequate processes and safeguards in place to protect your ePHI. In turn, they may conduct a risk analysis on your organization before starting the arrangement.
What about SaaS Applications and HIPAA?
Here’s where things get very interesting. With the rise of telemedicine and remote working, many healthcare organizations have embraced apps like Teams, Zoom and Slack to get work done at a distance.
Under HIPAA, it is your responsibility to make sure that these applications comply before you use them for storing or transferring patient health data.
So, before using a SaaS application, be sure to check your vendor and the controls they offer – and perform a risk assessment. Some companies, such as Slack, do provide HIPAA-enhanced versions of their software. However, this support is not guaranteed by enrollment in the Slack Enterprise Grid plan, or even by signing a BAA with Slack.
Enabling HIPAA-compliant use of Slack – and applications like it – relies on careful configuration that can be complex to implement and even more complex to maintain, particularly given the challenges of securing data in collaboration tools.
Common challenges of securing PHI in SaaS applications
Here’s the thing – even when you have a BAA in place, and you’ve conducted a risk assessment of your chosen vendor, a data breach could still happen.
Gartner’s cloud security report states that, by 2025, 99% of cloud security failures will be the customer’s fault. The big guys like Slack, Google, and Microsoft are responsible for protecting their infrastructure from data breaches. Still, it’s up to you to ensure the correct configurations, policies and access controls are in place.
Picture this – if you don’t have a good password policy in place, a cybercriminal could steal one of your admin’s passwords, log in to their Slack and download a host of PHI. In this situation, the cloud provider isn’t to blame. You would be.
That’s not the only risk of using SaaS tools – take a look below.
The human factor
Humans are inherently flawed, and mistakes are always going to happen. But HIPAA doesn’t have a clause that allows for errors. If an employee sends PHI to the wrong person, accidentally leaks a sensitive file or uploads it to a public Google Drive, your company is at risk of a substantial compliance fine.
The Edward Snowden saga of 2013 highlights the real-world risk of employees that could leak or steal sensitive data. You need a way to ensure that employees – authorized or not – are not carrying out suspicious activities.
As the Gartner statistic highlights, it’s far too easy for well-intentioned employees to accidentally leak sensitive data in cloud applications.
Let’s not forget that PHI is a lucrative target for cybercriminals. In fact, CISA and the FBI released a warning, stating that malicious actors are actively targeting healthcare organizations and the public sector through tactics such as phishing, ransomware and brute force attacks.
What’s a healthcare organization to do?
While the stakes are high, healthcare organizations need to innovate to stay competitive. Cloud infrastructure and SaaS tools are the future. In order to use them – without breaching HIPAA compliance – healthcare organizations must think strategically and look beyond just encryption.
Organizations need a real-time, intelligent solution to keep PHI data safe no matter where it travels – be it cloud applications or email. This is where DLP comes in.
With the right solution, you can share sensitive information and remain HIPAA compliant at the same time.
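To make the DLP idea above concrete, here is an added example of the core of a content-inspection check that a cloud DLP tool runs on every message or file before it leaves an approved channel. It is written for this article and is not Polymer’s product code or anything from the original post. The SSN layout is the standard US format; the MRN and date-of-birth formats are assumed hospital conventions and would need to be tuned to your own record systems.

```python
import re
from dataclasses import dataclass

# Patterns for a few HIPAA identifiers that commonly appear in chat and email.
# SSN: standard US layout, rejecting area/group/serial values that are never issued.
# MRN: ASSUMED convention ("MRN" label followed by 6-8 digits), not a universal format.
# DOB: ASSUMED convention (a "DOB" or "date of birth" label followed by MM/DD/YYYY).
PHI_PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*(\d{6,8})\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]+(\d{1,2}/\d{1,2}/\d{4})\b", re.IGNORECASE),
}


@dataclass
class Finding:
    kind: str    # which identifier type matched
    value: str   # the matched identifier itself
    start: int   # offsets into the scanned text, for redaction
    end: int


def scan_message(text: str) -> list[Finding]:
    """Return every PHI identifier found in text, ordered by position."""
    findings = []
    for kind, pattern in PHI_PATTERNS.items():
        for m in pattern.finditer(text):
            # Where the pattern has a capturing group, report only the identifier,
            # not its label ("MRN", "DOB"), so redaction leaves the label readable.
            grp = 1 if pattern.groups else 0
            findings.append(Finding(kind, m.group(grp), m.start(grp), m.end(grp)))
    return sorted(findings, key=lambda f: f.start)


def redact_message(text: str) -> str:
    """Replace each identifier with a marker, working from the end so offsets stay valid."""
    out = text
    for f in sorted(scan_message(text), key=lambda f: f.start, reverse=True):
        out = out[:f.start] + f"[{f.kind.upper()} REDACTED]" + out[f.end:]
    return out


def should_block(text: str, external_channel: bool) -> bool:
    """Policy: PHI may move inside approved channels, but never to an external one."""
    return external_channel and bool(scan_message(text))


# Constructed sample messages, as they might appear in a collaboration tool.
SAMPLE_MESSAGES = [
    "Patient MRN 00123456, DOB: 03/14/1975, SSN 123-45-6789 needs follow-up",
    "Can someone cover the 3pm clinic slot?",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        found = scan_message(msg)
        print(f"{len(found)} finding(s): {redact_message(msg)}")
        print("  block if external:", should_block(msg, external_channel=True))
```

In a real deployment the same scan runs on the provider’s event stream (a message posted, a file shared) rather than on a list, and the action on a hit is a policy decision: redact in place, quarantine the file, or alert the compliance officer. Pattern matching alone produces false positives, so production tools add context checks and allow-lists on top of it; the structure of the check, though, is what is shown here.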
Polymer’s data governance and DLP solution for third-party SaaS apps allows you to keep patient data secure while meeting HIPAA compliance standards, even if you’re a non-covered entity. The Virtual Compliance Officer feature helps keep teams secure, whether in the office or working remotely, by monitoring SaaS channels to detect and mitigate sensitive data exposure.
The solution installs in a few clicks and is customizable as per your organization’s requirements.