Cloud security demands a shared strategy for HIPAA compliance
The HIPAA Security Rule was drafted in 1998, just two years out from what most believe was the first recorded mention of the term "cloud computing" (in a 1996 internal business report from Compaq), explained healthcare attorney Adam Greene, partner at Davis Wright Tremaine LLP.
And even by the time the final security rule was published five years later in 2003, the concept of cloud hosting was still nowhere near what it is today, especially in healthcare, he said. That has necessitated some creative thinking, as technologies and comfort levels around remote hosting have evolved, said Greene during his recent HIMSS20 Digital presentation, HIPAA and a Cloud Computing Shared Security Model.
Which security responsibilities belong to HIPAA-covered entities, and which should be tasked to their cloud-service-provider business associates? The situation will differ, depending on the size, shape and policies of each, said Greene. But there's an onus on both of them to work together and set the parameters of what they'll bring to the table.
While the HIPAA Security rule was finalized more than a decade before cloud computing really started to gain traction across healthcare, by 2016 the HHS Office for Civil Rights started giving more guidance on how security arrangements could be constructed.
OCR recognizes the value of a "shared security model," said Greene. It says each party should confirm their responsibilities in writing, and acknowledges that CSPs may not be responsible for compliance failures caused by their customer's actions or inactions.
In recent years, of course, health systems have come to understand how key it is to have a well-negotiated business-associate agreement in place, and cloud vendors have gotten much better at offering the security assurances providers demand.
But even with those acknowledgements in place, each is still approaching the task of cloud-hosting protected health information from a different vantage point. Each has a role to play, and Greene described it simply: The CSP may provide the vault, but it's the customer's responsibility to lock it.
"No matter how strong your cloud service provider's security is, if you set the configurations to allow for public access, or if you set the password to 'password', all those security features are not going to do you any good," he said.
The HIPAA Security Rule contains more than 50 standards and implementation specifications: administrative safeguards (training, policies and procedures), physical safeguards (who's guarding the data center?) and technical safeguards (encryption, audit controls and access logs).
Not all are created equal, Greene pointed out, and OCR focuses heavily on those related to risk analysis and, following that, a risk management plan.
As drafted, the HIPAA security rule more or less treats every covered entity and business associate as an "island," with independent security responsibilities – each essentially responsible for all 54 specs on their own, said Greene.
But as the cloud has gained prominence and acceptance across healthcare, it's clearly much more efficient and effective if each party splits those duties. The shape that takes is largely up to them, he said: "That's the essence of shared security."
Generally speaking, a CSP is going to "control physical security surrounding servers – have them in data centers that are physically secure and not just anyone can walk into," said Greene. A cloud vendor will take responsibility for "internal access controls and certain technical controls, such as encryption in transit."
The provider customer, meanwhile, "may control encryption – whether it's turned on on the server side, or whether the customer encrypts on their end," he explained. When it comes to enabling audit logs, "it may be that the default is not to have robust audit logs, but there are capabilities if the customer wants to turn those on, and may have to actually pay for the cost of storing those." The same goes for setting file permissions: "Whether a file is set to public or private, that may fall to the customer."
All of this might vary, depending on the cloud services offered. When it comes to software-as-a-service, the CSP likely has maximum security responsibility, while the customer may have minimal responsibility, said Greene. Even then, the level of customer control varies greatly.
With infrastructure-as-a-service, the CSP probably manages physical and internal security, and may provide certain security tools to the customer – but the covered entity has much greater responsibility for configuring security.
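The customer-side controls Greene lists (public access, encryption at rest on either side, audit logs and file permissions) can be checked mechanically before PHI lands in a hosted store. The following is an added example, not code from the article or from any cloud provider; the configuration keys and the constructed sample store are hypothetical and do not map to a specific provider's API.

```python
# Added example (not from the article): check the customer-side controls Greene
# lists against a constructed storage configuration. Keys are hypothetical and
# do not map to any specific cloud provider's API.
MIN_LOG_RETENTION_DAYS = 365  # assumed retention target for audit logs

# Constructed PHI store that fails every customer-side control.
SAMPLE_STORE = {
    "name": "phi-imaging-archive",
    "public_access": True,                # store readable by anyone
    "server_side_encryption": False,      # CSP-managed encryption at rest off
    "client_side_encryption": False,      # customer does not encrypt before upload
    "audit_logging": {"enabled": False, "retention_days": 0},
    "objects": [
        {"key": "reports/2020-q1.csv", "acl": "private"},
        {"key": "exports/all-patients.csv", "acl": "public-read"},
    ],
}


def check_customer_controls(store: dict) -> list:
    """Return (control, severity, detail) findings for the controls the article
    assigns to the customer: public exposure, encryption, audit logs, file ACLs."""
    findings = []

    if store.get("public_access"):
        findings.append(("public_access", "high", f"{store['name']} is publicly accessible"))

    # Encryption at rest is satisfied if either party performs it (server- or client-side).
    if not (store.get("server_side_encryption") or store.get("client_side_encryption")):
        findings.append(("encryption_at_rest", "high", "no server- or client-side encryption"))

    logs = store.get("audit_logging", {})
    if not logs.get("enabled"):
        findings.append(("audit_logging", "medium", "audit logging is disabled"))
    elif logs.get("retention_days", 0) < MIN_LOG_RETENTION_DAYS:
        findings.append(("audit_logging", "low",
                         f"retention {logs['retention_days']}d below {MIN_LOG_RETENTION_DAYS}d"))

    # File-level permissions: anything other than private is a finding.
    for obj in store.get("objects", []):
        if obj.get("acl") != "private":
            findings.append(("file_permissions", "high", f"{obj['key']} has acl {obj['acl']}"))

    return findings


def is_compliant(store: dict) -> bool:
    """The customer's side of the model holds only when no high-severity finding remains."""
    return not any(sev == "high" for _, sev, _ in check_customer_controls(store))
```

Note that the encryption check passes when either the CSP's server-side option or the customer's own client-side encryption is in place, which is the split Greene describes; which party owns the setting should still be written into the business-associate agreement.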
While the details may vary widely depending on the situation, at its heart these days, "cloud computing really rests on a shared security model," said Greene.
"The HIPAA Security Rule was not designed with shared security in mind. It's not a perfect fit. But it now has been recognized by OCR, and it's important that everyone knows their respective responsibilities."
Healthcare provider organizations have gotten much more comfortable with the idea of cloud hosting in recent years, and many cloud vendors have stepped up to be partners with these heavily regulated clients.
But HIPAA compliance – let alone robust security, which everyone knows requires much more than mere HIPAA compliance – is not plug-and-play, said Greene.
"It really is important to fully familiarize yourself with the capabilities, with the different risks associated with your cloud model and to make sure you're building that thoroughly into your security program."