A HIPAA Compliance Checklist for the Cloud Era

This article was originally published on the Virtru blog. To find out how you can keep your organization secure, join Virtru founder and CTO Will Ackerly at his upcoming Cloud IT Live session on email security and compliance.

If you’re a healthcare provider moving to the cloud, security is likely your number one concern. Strict HIPAA rules demand that you protect nearly all your data having to do with patients. That means everything from a detailed medical history to an email confirming a doctor’s appointment needs to be secured. For a complex enterprise, the only way to do this is to build a secure system from day one by using a HIPAA compliance checklist.

Of course, building a checklist can be hard. After all, HIPAA, or the Health Insurance Portability and Accountability Act, is a complicated piece of legislation. Not sure where to start? Our complete HIPAA compliance checklist can get you started.

HIPAA and the Cloud

HIPAA protects patient privacy by setting standards for when medical records can be shared, and how they must be safeguarded. HIPAA applies to nearly anyone dealing with Protected Health Information (PHI), from doctors to the technicians who fix hospital computers.

The cloud has permanently raised the stakes. If an organization leaves a stack of PHI printouts lying around, they might expose a couple dozen medical records to the first person that finds them. If an organization fails to secure electronic PHI (ePHI), however, they could expose 1.5 million medical records to the entire Internet. With the high cost of a violation—both in fines and in damage to reputations—your organization can’t afford to take HIPAA cloud compliance lightly.

HIPAA Compliance Basics

HIPAA rules cover privacy, security, and breach notification. The HIPAA privacy rule explains patients’ rights, what PHI needs to be protected, and when it can be disclosed. PHI is “any individually identifiable health information,” including:

• Mental health history
• Healthcare services
• Payments for healthcare
• Other identifiable information, such as name, address, or social security number

The security rule governs how organizations protect their data, and it should form the bulk of your HIPAA compliance checklist. It has three main sections:

• Physical safeguards—protecting the computer systems and facilities
• Technical safeguards—protecting electronic access
• Administrative safeguards—security training and auditing

Each of these sections is important, and if your organization is serious about protecting PHI, you need to make sure that your protocols are up to par in each category.

The Guide to HIPAA Compliance in the Cloud

Physical Safeguards

Protect your facility. Use locked doors, access badges, and other physical safeguards (surveillance cameras, guards, alarms, etc.) to secure your building. Keep in mind that medical conversations are also considered PHI, so you need to make sure patients can’t be seen or overheard talking to their doctors.

Control physical access based on function. Make sure that each person in your building only has access to information and locations appropriate for them. Workstations should face away from patients, and separation between public and private areas needs to be strictly enforced.

For a small clinic, having a separate patient waiting room might be good enough. A big hospital, on the other hand, would have to account for the movements of doctors, staff, technicians, patients, visitors, and others. You HIPAA compliance checklist should include screening methods to control access throughout the building.

Technical Safeguards

Implement access control. Whether you’re running medical billing or EHR software, the HIPAA security rule imposes strict safeguards on patient data. IT security best practices apply; each user needs a unique ID—such as a login name—and a password to lockout unauthorized users.

Ideally, your organization should use multi-factor identification—a system that requires multiple pieces of data to sign in such as a password and separate pin number that can be sent to a device like a phone. That way, even if a malicious third party guesses a user’s password, they still can’t access ePHI.

The system should also be designed to automatically log off after several minutes of inactivity. This will prevent unauthorized users from gaining access to ePHI if a user forgets to sign out, and leaves a computer unattended.

Finally, you need to encrypt everything. Encryption scrambles ePHI, so that it can only be accessed by people with a special piece of code, called an encryption key. Your system should use multiple encryption keys, and only grant employees access to the data they need to do their job.

Since some employees will be accessing PHI in the cloud, you’ll also need to encrypt data in motion. At minimum, you should use a TLS-secured connection to access records in the cloud, but ideally, you should use an end-to-end encryption solution.

Register for Virtru’s session at Cloud IT Live today to learn more about encryption, access control, and data loss prevention.

Implement a secure communication system. Patients need to communicate with doctors, and medical professionals need to communicate with each other. Unless their email is encrypted, anyone with access to a server it travels through can read their messages.

Some email systems, such as Gmail, use TLS to protect messages. The email is encrypted from your computer to Gmail’s server, from Gmail’s server to the recipient’s server, and from the recipient’s server to their computer. If a server doesn’t support TLS along the way, however, the email will be decrypted, making it readable by anyone. Additionally, TLS encryption is vulnerable to certain kinds of attacks.

Healthcare portals also have problems. They’re usually clunky and unintuitive, and each one requires a new ID and password. Worst of all, they aren’t interoperable, meaning a patient might need to use several different portals to communicate with doctors at different facilities.

To solve this problem, find a security solution that integrates easily into your existing email service. Doctors can communicate with patients, lab techs, billing, and anyone else securely, using a single system.

Create a data backup and an alternate site. If something happens to your facilities or records, you’ll need a backup copy of your medical records. You should use a remote site or separate cloud service, so that if a disaster damages your facility or primary cloud service, it won’t damage your backup.

An organization that can’t afford to lose access to data should set up a hot site. Hot sites mirror your software and data; if your primary system goes down, you can have the alternate site up and running almost immediately. Warm sites (hardware, but no mirroring) and cold sites (infrastructure without computer hardware such as servers and storage) are cheaper, but will cost more money and time to configure in an emergency.

Make a Disaster Recovery Plan (DRP). This plan is a detailed set of instructions to get your system up and running again if disaster strikes, separate from your main HIPAA compliance checklist. It should include a:

• Disaster declaration, which spells out who decides that it’s a disaster, and how the decision should be made.
• Disaster list, including events like fires, hurricanes, or computer thefts that are likely to require the DRP.
• Data backup guide, which has all the information required to access the backup copy, including contact names and numbers for backup site.
• Alternate site guide, with all the steps required to get the alternate site running, along with contact and location information.
• ePHI recovery guide, explaining who should recover the data (including contact info), what order they should restore it in, and all the steps required.

Administrative Safeguards

Sign BAAs with your partners. When you pass on ePHI, you’re responsible for making sure your partners follow HIPAA compliance rules. You need to sign a Business Associate Agreement (BAA) with anyone who transports, stores, or processes this info.

Your HIPAA compliance checklist should list each business partner and set out rules for what data they have access to, how they should protect it, under what circumstances they can disclose it, and what they should do in case of accidental disclosure.

Educate your staff and partners. To be HIPAA compliant, you need to go beyond BAAs, and make sure everyone in your facility understands data security. Some of the ways employees compromise enterprise data security are:
Creating weak passwords, or storing passwords in their browsers
Inadvertently downloading malicious software
Accessing or saving files on unsecured, personal devices
Sending sensitive data in unsecured email

Of course, that’s just the tip of the iceberg. You’ll need qualified security experts to train and retrain your employees in order to prevent accidents from leaking PHI.

Create a process for auditing data. Large organizations can easily lose track of data, with disastrous results. Your HIPAA compliance checklist should include a method to control how data is preserved, changed, and destroyed.

You’ll need procedures for backing up data regularly, erasing it from old computers when they’re disposed of, and auditing access to make sure no one is accessing data who shouldn’t be.
Create a system to prevent leaks. You can’t always prevent data breaches, but you can minimize their likelihood with a HIPAA security risk analysis. Your HIPAA compliance checklist should have procedures for documenting any changes in hardware, software, organization structure, and employees. Your HIPAA compliance officer should also note any security issues that happen over the year.

Review all changes at least once a year, making sure that data loss prevention policies such as encryption and strong passwords are being followed, and that there are no gaps in your security. You should also audit training and accountability programs to make sure employees are getting refresher courses on data safety, and are actually carrying out your IT security policies.

An email data loss prevention program will decrease the likelihood of a breach. Look for solutions that automatically encrypt messages with attachments, CC your security officer on important messages, and take other measures to monitor employee security, and prevent costly mistakes.

Report breaches immediately. When HIPAA data breaches do happen, reporting them quickly can minimize data loss and decrease fines. Make sure everyone knows to contact your sysadmin or compliance officer immediately if they suspect a breach. Make sure they feel comfortable admitting mistakes; if your employees are scared they’ll lose their job, they might not report security issues.

Even with a thorough HIPAA compliance checklist, it can be hard to get everyone in an organization onboard. If your staff need to switch between clunky, inconvenient portals and encryption programs to communicate securely, they’re not likely to follow the rules. Still, good security solutions don’t force you to compromise.

You should never have to choose between an easy-to-use experience and air-tight security. After all, it doesn’t matter how secure your system is if no one uses it properly.

To find out how you can keep your organization secure, join Virtru founder and CTO Will Ackerly at his upcoming Cloud IT Live session on email security and compliance.