Compliance in the Cloud
There are a lot of amazing things about moving your business to the cloud. You can scale rapidly. You generally have additional redundancy, and a higher level of security than you would enjoy with your servers hosted locally. You can reduce your capital expenditure (CapEx). Best of all, you can access your data anywhere and from any device. Compliance in the cloud, however, can be a challenge.
We love the flexibility the cloud gives users. However, if you’re a business that handles sensitive data, like many of our healthcare clients, and must be HIPAA compliant, the cloud presents an interesting set of security challenges. Instead of having one centralized data set on your servers that can easily be locked down, you now have data in multiple places in the cloud that all must be secured and backed up.
In addition to the fragmented nature of that data, you now also have no control over which device or network the data is being accessed from. If you’re the IT guy looking at those types of challenges, how do you ensure that your environment is compliant?
Pick Providers Carefully
Let’s start by being careful about the cloud partners we choose to work with. Not all are created equal in terms of the security they offer. Granted, the majority will have all their servers located in data centers, which offer better physical security and redundancy than you may have enjoyed when housing servers at your office. However, not all providers guarantee they will be compliant, and not all providers will sign an agreement such as a Business Associate Agreement (BAA) saying they will do so.
The good news is that at this point most major players have HIPAA compliant solutions and are willing to sign a BAA. So, check before you start with a new provider or migrate data, but know there are lots of high-quality compliant solutions out there. The guys at Datica compiled a list of 50 HIPAA compliant cloud providers.
Here are a few of the most common:
- Microsoft 365 – OneDrive and SharePoint
- G Suite – Google Drive
- Amazon Web Services – Elastic File System, Glacier
- Dropbox Business
- Box
- Sharefile
- Datto
- Crashplan
- Carbonite
Find a quality partner that understands the special needs for security that HIPAA requires, and ensure they will sign a BAA.
Compliance in the Cloud – Data in Multiple Places
I talked with a business owner this week who owns a mobile healthcare practice. They have around 40 employees and no physical office. They go to their clients, and all their users connect to their systems via cloud-based platforms. They have multiple cloud platforms currently in use. Their mobility requires them to have access from anywhere, so the cloud is a good fit.
In this scenario, how do you ensure compliance? What happens if a laptop gets stolen? How do you ensure that all communication containing PHI is encrypted?
One solution that looks like a good fit is Virtru. There are several other similar competing products, but they seem to be one of the leaders in the space. Essentially you can plug Virtru into all the various cloud-based applications that your organization uses, and it will automatically encrypt all email and communications sent by those applications. If we know that the data is secured with a quality partner and that all outbound communications are encrypted, that’s half the battle.
Compliance in the Cloud – Securing Laptops and Desktops
The next challenge that IT must tackle in this situation is securing the laptops and desktops used to access PHI. HIPAA gives us a few requirements for these devices. They must be secured with encryption, they must have policies enforced on them such as screen lock timeouts, and they must be up to date on security patches and updates. In addition, if PHI is stored on these devices, they must be backed up.
Encryption is a lot simpler than it used to be for laptops and desktops. Windows 10 Pro has a built-in full drive encryption service called BitLocker. Apple users can take advantage of the built-in encryption service called FileVault. If enabled, these should satisfy the HIPAA requirement for encryption.
Patches and updates, as well as policy enforcement, require a remote monitoring and management (RMM) solution. The best RMM solutions, like the one that i.t.NOW provides for its clients, allow you to centrally manage all patches and updates. This allows you to test patches before deployment as well as know exactly which have been applied on which machines.
In addition to patches, the RMM solution allows us to deploy policy similar to what you would get from a local domain controller across desktops and laptops regardless of their physical location (the devices do need internet access). This allows us to enforce screen timeouts, password requirements and additional policies needed for HIPAA compliance.
If you are storing PHI on these machines (which we don’t recommend), you will also need offsite backup. There are numerous backup products on the market that will serve this purpose. Just make sure that the one you choose is compliant, as mentioned above.
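As an added example (not code from the original post or from i.t.NOW), here is a PowerShell script that audits a Windows 10 Pro endpoint against the three device controls just described: BitLocker protection on the system drive, a secure screen-lock timeout, and recent patch installation. The 15-minute lock timeout and 30-day patch window are assumed thresholds, not values from the post; an RMM agent can run the script on a schedule and alert on any finding.

```powershell
# Added example: audit one Windows endpoint for the HIPAA device controls discussed above
# (encryption, screen-lock policy, patching). Run in an elevated PowerShell session on
# Windows 10 Pro; Get-BitLockerVolume comes from the built-in BitLocker module.
$MaxLockSeconds  = 900   # assumed policy: lock after 15 minutes of inactivity
$MaxPatchAgeDays = 30    # assumed policy: at least one update installed in the last 30 days
$findings = @()

# 1. Full-disk encryption: the OS volume must be fully encrypted AND have protection on.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($os.VolumeStatus -ne 'FullyEncrypted' -or $os.ProtectionStatus -ne 'On') {
    $findings += "BitLocker: $($env:SystemDrive) is $($os.VolumeStatus), protection $($os.ProtectionStatus)"
}

# 2. Screen lock: prefer the machine-wide inactivity limit pushed by policy; if none is
#    set, fall back to the current user's screensaver settings (must be active and secure).
$sysPol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$inactivity = (Get-ItemProperty -Path $sysPol -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue).InactivityTimeoutSecs
if ($inactivity) {
    if ($inactivity -gt $MaxLockSeconds) {
        $findings += "Screen lock: machine inactivity limit is $inactivity s (max $MaxLockSeconds)"
    }
} else {
    $desk = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
    if ($desk.ScreenSaveActive -ne '1' -or $desk.ScreenSaverIsSecure -ne '1' -or [int]$desk.ScreenSaveTimeOut -gt $MaxLockSeconds) {
        $findings += "Screen lock: no machine policy and no secure screensaver within $MaxLockSeconds s"
    }
}

# 3. Patching: Get-HotFix lists installed Windows updates; flag machines with nothing recent.
$latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $latest) {
    $findings += "Patching: no installed updates with a recorded install date"
} elseif ($latest.InstalledOn -lt (Get-Date).AddDays(-$MaxPatchAgeDays)) {
    $findings += "Patching: newest update $($latest.HotFixID) installed $($latest.InstalledOn.ToShortDateString())"
}

# Report one line per finding so the RMM can parse it; an empty list means compliant.
if ($findings.Count -eq 0) { "$env:COMPUTERNAME: compliant" }
else { $findings | ForEach-Object { "$env:COMPUTERNAME: $_" } }
```

The script reports only the current user's screensaver settings when no machine policy exists, so run it in each user's context or rely on the machine inactivity policy when deploying through the RMM.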
Compliance in the Cloud – Mobile Device Management
If your organization also accesses PHI on mobile devices, you will need a solution to manage that as well. The most common application here is email; however, sometimes charts or other files are reviewed on a phone or a tablet as well. A mobile device management (MDM) solution allows IT to better silo and protect data on mobile devices. It also allows for important functions such as remote wipe and policy management.
There are several solutions out there for MDM. If you already use Microsoft and Office 365, their Intune product for MDM might be a great fit. There are other solutions out there as well, such as MaaS360, SOTI, and AirWatch by VMware.
Cloud Backups
One significant misconception that a lot of business owners I talk with have about the cloud is the idea that backups are always included. This is frequently NOT the case, or they are sold as an additional feature rather than an included one.
One great solution we’ve found for backing up Office 365 and G Suite is Dropsuite. It’s a slick solution for cloud-to-cloud backup of your critical data stored in SharePoint, OneDrive, Exchange Online, and G Suite.
If you have PHI stored elsewhere, like a web-based EMR or CRM solution, you should ensure that there is a proper backup of that data as well. Many web-based EMRs will include backups of your data as part of your service, but make sure to confirm this with your provider.
Evolving Compliance Needs
As your business evolves and moves to the cloud, the solutions you’re using to secure PHI and sensitive data need to evolve with it. An effective compliance strategy will give you peace of mind. There is a lot to it, however. If you find yourself overwhelmed at designing a solution for your business, know that we’re here to help. i.t.NOW has been helping healthcare providers and other businesses secure their data for over 20 years. We would love to talk about how we can help your business with the security solutions you need.