The Health Insurance Portability and Accountability Act (HIPAA) has been around for many years with the main purpose of governing the use and disclosure of individuals’ health information. The recent, rapid migration of healthcare companies to cloud computing calls for a cloud-specific security approach to HIPAA. In this article, I will touch on some of the major HIPAA requirements as they relate to the cloud, and will highlight points to consider when securing patient data in the cloud.
HIPAA cloud requirement #1: Access control
According to HIPAA, a covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information. This requirement applies directly to cloud deployments: once healthcare data is operating within the cloud, it can potentially be accessed from inside the cloud by a snooping employee (one of many possible breach scenarios). To adhere to this requirement in cloud environments, address the following points:
Make sure your cloud key management system (the component that manages the cryptographic keys in an encryption system) can be automated, so that administrators never need to access or see the key values used to encrypt healthcare data.
Maintain a strict password policy, and make sure your cloud encryption system lets you define and enforce a strong encryption policy.
Your security system is a critical element of your cloud project. If you implement encryption and key management over an API, make sure that access to that API is protected by its own, separately managed API keys.
HIPAA cloud requirement #2: Integrity Controls
Policies and procedures must be implemented to ensure that Protected Health Information (PHI) is not improperly altered or destroyed. For that purpose, specifically when implementing HIPAA in the cloud, data encryption is considered a best practice:
1. Deploy strong encryption for all PHI-related data, using strong, standard algorithms such as AES-256 for encryption and SHA-2 for hashing. Strong encryption, combined with an integrity check such as an authenticated encryption mode or a SHA-2 based message authentication code, provides the best assurance that data has not been tampered with.
2. Verify that you protect your encryption keys as well. Cloud infrastructure and key management do not always go hand in hand, and a traditional key management system that works well in your data center will not necessarily work as well in the cloud. Make sure your key management system splits each encryption key between at least two entities, so that no single party (including a cloud administrator) holds a complete key, and if possible deploy homomorphic key encryption to protect your encryption keys while they are in use in the cloud.
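The two integrity points above, together with the access-control point that administrators should never see key values, can be demonstrated in a few dozen lines. The following Go program is an added example written for this article; it is not Porticor's code and does not describe any vendor's product. It encrypts a constructed PHI record with AES-256-GCM (an authenticated mode, so tampering with the stored blob is detected on decryption) and splits the key into two XOR shares so that neither holder alone learns the key. The function names, the record contents and the record ID are all assumptions made for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// SplitKey splits a key into two XOR shares. Each share alone is
// indistinguishable from random bytes, so whoever holds only one share
// (an administrator, or one cloud component) learns nothing about the key.
func SplitKey(key []byte) ([]byte, []byte, error) {
	shareA := make([]byte, len(key))
	if _, err := io.ReadFull(rand.Reader, shareA); err != nil {
		return nil, nil, err
	}
	shareB := make([]byte, len(key))
	for i := range key {
		shareB[i] = key[i] ^ shareA[i]
	}
	return shareA, shareB, nil
}

// JoinKey reconstructs the key; both shares are required.
func JoinKey(shareA, shareB []byte) ([]byte, error) {
	if len(shareA) != len(shareB) {
		return nil, errors.New("share length mismatch")
	}
	key := make([]byte, len(shareA))
	for i := range shareA {
		key[i] = shareA[i] ^ shareB[i]
	}
	return key, nil
}

// newGCM builds an AES-256-GCM AEAD: confidentiality plus an integrity tag.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts and authenticates one PHI record. Output layout is
// nonce || ciphertext || 16-byte tag. aad (for example a record ID) is
// authenticated but not encrypted, so a record cannot be moved under a
// different ID without detection.
func Seal(key, aad, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open checks the tag and decrypts. Any change to nonce, ciphertext, tag
// or aad yields an error instead of corrupted plaintext.
func Open(key, aad, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// Demo runs the whole flow on a constructed record and reports whether the
// intact record opened with the rejoined key and a tampered copy was rejected.
func Demo() (bool, bool, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return false, false, err
	}
	shareA, shareB, err := SplitKey(key)
	if err != nil {
		return false, false, err
	}
	aad := []byte("record-id:0001")                           // constructed ID
	record := []byte(`{"patient":"Jane Doe","dx":"J45.20"}`) // constructed sample, not real PHI
	blob, err := Seal(key, aad, record)
	if err != nil {
		return false, false, err
	}
	rejoined, err := JoinKey(shareA, shareB)
	if err != nil {
		return false, false, err
	}
	got, err := Open(rejoined, aad, blob)
	intactOK := err == nil && bytes.Equal(got, record)
	tampered := append([]byte(nil), blob...)
	tampered[12] ^= 0x01 // flip one bit of the first ciphertext byte (after the 12-byte nonce)
	_, err = Open(rejoined, aad, tampered)
	return intactOK, err != nil, nil
}

func main() {
	ok, rejected, err := Demo()
	fmt.Println("intact record opened:", ok, "| tampered record rejected:", rejected, "| error:", err)
}
```

The two shares would live with different entities (for example one with the customer and one with the key management service) and be joined only in memory at the moment of use; the XOR split is the simplest form of the "at least two entities" requirement, and the same idea generalizes to threshold schemes with more shares.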
HIPAA cloud requirement #3: Transmission Security
As a covered entity, you should implement technical security measures to guard against unauthorized access to PHI while it is being transmitted over an electronic network. Encryption of data in transit is again the recommended tool. Always enable SSL/TLS (HTTPS) for connections that carry PHI, and if possible deploy an IPsec tunnel between your application servers and their clients.
Conclusion: Safe Harbor, Encryption, HIPAA, and the Cloud
Lastly, a comment about HIPAA and cloud encryption. While data encryption is not mandatory under HIPAA today, encrypting your data provides “safe harbor”: if your data is somehow breached or lost, then, provided it was properly encrypted, the incident will not constitute a violation of HIPAA compliance. Because the data store (for example, a virtual disk in the cloud) is encrypted, it technically contains only random bits, not Protected Health Information. To protect yourself and your data, encrypt your HIPAA cloud data in every possible location.
Gilad Parann-Nissany is the founder and CEO of Porticor Cloud Security. He is a pioneer in the field of cloud computing who has built SaaS clouds, contributed to SAP products and created a cloud operating system. He has written extensively on the importance of cloud encryption and encryption key management for PCI and HIPAA compliance. Gilad can be found on his blog, Twitter, LinkedIn, and Google+ discussing cloud security.