Are you concerned that the data in a cloud data warehouse is not as secure as data stored on-premise? I agree that data stored on the cloud is prone to cyber-attacks even though they offer many features for ensuring data security. This is a significant concern, especially with the increasing volume of patient data and rising initiatives toward digital transformation in healthcare.
In the case of Public clouds, they face similar security issues as traditional IT systems. Therefore, many don’t prefer that. Private clouds provide protocols and systems for secure access. However, many organizations in the healthcare industry are still apprehensive about the data security of a private cloud. Being HIPAA compliant helps to address all these concerns through its rules and regulations for protecting the privacy and security of patient data.
Requirements for HIPAA Compliant Cloud
We discussed the main rules under HIPAA in the previous blog. We will dive deep into the security rule in this section, as it is highly important.
Within the security rule, the Department of Health and Human Services (HHS) provides four specific HIPAA storage requirements that you must meet to comply with HIPAA regulations. When we were in the process of achieving HIPAA compliance, we went one by one through each of these and achieved compliance. These include:
- Ensuring the confidentiality, integrity, and availability of all e-PHI through encryption, password protection, and other protection measures.
- Identifying and protecting against reasonably anticipated threats through regular monitoring and risk analysis.
- Protecting against reasonably anticipated impermissible uses or disclosures with safeguards such as IT security protocols, IAM, restricting physical access, and regular audits of internal processes.
- Ensuring compliance by the workforce through regular training and adherence to rules set by HIPAA enforcement officers.
Safeguards Under Security Rule
- Technical safeguards (includes secure data transmission): Technical safeguards include measures (firewalls, encryption, data backup) to keep ePHI secure which are:
- Access Controls: Limit the access to ePHI only to authorized roles by putting in place technical policies and procedures.
- Audit Controls: Execute hardware, software, and/or procedural methods to record and examine access in information systems that use or include ePHI.
- Integrity Controls: Implement policies and procedures to make sure that ePHI won’t be improperly altered or destroyed.
- Transmission Security: Implement technical security measures that prevent unauthorized access to ePHI that is transmitted through an electronic network.
- Physical safeguards (focuses on controlling hardware): Physical safeguards protect the physical security of your offices where ePHI may be stored or maintained, which include:
- Facility Access and Control Measures: You must limit physical access to facilities while enabling authorized access to ePHI.
- Workstation and Device Security: Implement policies and procedures that outline proper use of and access to workstations and electronic media. And implement policies and procedures to safely transfer, remove, and re-use electronic media.
- Administrative safeguards (includes cloud assessment): The security rule’s administrative safeguard provisions require you to conduct a risk analysis. Performing a risk analysis helps you to understand which security measures are reasonable and a good fit for your organization. This includes assessing the risk to ePHI, implementing appropriate measures to address identified risks, documenting the rationale for adopting the measures and maintaining reasonable and appropriate security protections.
HIPAA Concerns in Cloud Data Warehouse
In this section, let’s address the HIPAA Concerns in Cloud Data Warehouse.
- Can a healthcare organization or a third-party platform that helps a covered entity use a cloud data warehouse to store or process ePHI?
Yes, you can enter into a HIPAA-compliant business associate contract or agreement (BAA) with the Cloud Service Provider (CSP) that will be creating, receiving, maintaining, or transmitting electronic protected health information (ePHI) on its behalf and otherwise complies with the HIPAA Rules. BAA governs the permitted and required uses and disclosures of ePHI by any third party platform you use.
- What if you use a cloud data warehouse to maintain ePHI without first executing a business associate agreement with the cloud service provider of the warehouse?
This will be considered as a violation of HIPAA rules. There have been instances where companies had to reach a settlement because of this. An example is Oregon Health & Science University (OHSU), where it was alleged that OHSU failed to secure adequate BAAs with their service providers.
- Which cloud data warehouses offer HIPAA-compliant cloud services?
- Snowflake: Snowflake allows you to share sensitive data securely with its built-in security and governance that supports HIPAA.
- Redshift: Redshift uses hardware-accelerated Advanced Encryption Standard (AES)-256 symmetric keys to ensure a HIPAA-compliant cloud server. Users can then use AWS Key Management Service or AWS Cloud HSM (Hardware Security Module) for managing the encrypted cluster keys for the Amazon Redshift cluster. AWS then promotes the usage of connections containing PHI to use transport encryption and evaluate the configuration for consistency.
- Azure Synapse: Azure Synapse maps to HIPAA/HITRUST compliance domains and controls to ensure HIPAA server compliance. Microsoft offers audit results for any controls it is responsible for. It also provides a compliance dashboard for evaluating compliance for any resources stored on or used by Azure cloud servers.
- Bigquery: Google has a HIPAA-compliant server across BigQuery. Signing a BAA will cover the full Google Cloud Platform infrastructure. Google undergoes several annual audits to achieve HIPAA compliance. This includes PCI-DSS v3.2.1, ISO 27001, SSAE16 / ISAE 3402 Type II.
- If a cloud data warehouse service provider experiences a security incident involving a HIPAA-covered entity’s or business associate’s ePHI, must it report the incident to them?
Yes, you need to identify and respond to security incidents, mitigate to the extent possible the harmful effects of security incidents that are known to you, and document security incidents and their outcomes.
- What happens upon termination of your agreement with the cloud data warehouse service provider?
The Privacy Rule provides that a business associate agreement (BAA) must require you to return or destroy all PHI at the termination of the BAA where feasible. If this is not feasible, the BAA must extend the privacy and security protections of the BAA to the ePHI. You also need to limit further uses and disclosures to those purposes that make this not practical.
- Can you use a CSP that stores ePHI on servers outside the United States?
Yes, provided that you enter into a business associate agreement (BAA) with the CSP and otherwise comply with the applicable requirements of the HIPAA Rules. Though, outsourcing storage or other services for ePHI overseas may increase the risks and vulnerabilities to the information.
While the cloud offers numerous advantages, the security of patient data remains a significant worry, particularly with the growing volume of healthcare data and digital transformation initiatives. HIPAA compliance addresses these concerns by establishing stringent rules and regulations for safeguarding patient data privacy and security. Security rule is one of these requirements that encompass technical, physical, and administrative safeguards, such as encryption, access controls, risk analysis, and staff training.
Healthcare organizations can use cloud data warehouses while maintaining HIPAA compliance by entering into business associate agreements (BAAs) with cloud service providers (CSPs). Failing to establish such agreements could result in HIPAA violations, as exemplified by past cases. Several cloud data warehouse services, including Snowflake, Redshift, Azure Synapse, and Bigquery, offer HIPAA-compliant solutions, enhancing data security and compliance.
Overall, HIPAA-compliant cloud data warehousing is achievable when organizations and practitioners adhere to the regulations and take proactive steps to protect sensitive patient information in the digital age.