HIPAA Compliance, Big Data and the Cloud – a Guide for Health Care Providers

HIPAA Compliance, Big Data and the Cloud – a Guide for Health Care Providers

Healthcare organizations in need of more flexible options to store and transfer mass amounts of data are increasingly adopting cloud solutions. In fact, an estimated four out of every five healthcare groups say they are making the cloud a strategic priority going forward. 

However, cloud adoption doesn’t always equate to immediate success, especially considering this is a complex and heavily regulated field. In order to effectively leverage big data and the cloud, healthcare companies need to make sure they’re adhering to HIPAA compliance rules 

Choosing the right cloud provider and ensuring the proper security measures are fundamental steps to making sure you start out on the right side of the HIPAA regulations. To stay there, you’ll need to monitor regularly and conduct constant risk assessments to know your data is safe on your chosen cloud platform.

Here’s how those in the healthcare industry can best take advantage of the cloud while staying within the law:


Choose the right cloud provider
Step one is all about doing your homework. Those in the healthcare industry need to do their due diligence and find the right business associate (or cloud partner) that will play by the HIPAA rulebook. When looking for the perfect partner, there are a number of requirements that healthcare companies need to check off the list in order to know they’re with a trusted cloud operator that will keep their patients’ data secure.

More than half of healthcare companies said in a recent survey that one of the most important factors when looking for a cloud service provider is if they follow regulatory requirements. 

Cloud providers and those who hire them are forced to follow a laundry list of HIPAA rules, including having a signed business associate agreement (BAA) in place. This contract sets out the terms and requirements for safeguarding a healthcare organization’s electronic protected health information (ePHI). 

The agreement details what aspects of the ePHI that the cloud provider can use and in which ways they can use the information, as well as how the ePHI will be handled once a task is completed. Having these written agreements will make sure your cloud provider is willing to comply with HIPAA’s Security Rule, a key provision of the law that aims to protect patients’ medical records. 

If your cloud provider doesn’t agree to these stipulations, then you should look elsewhere. But you should be able to easily find a reputable and knowledgeable cloud partner. After all, the lucrative healthcare cloud computing industry is expected to be worth $40 billion soon and there are plenty of good options to choose from.


Ensure that security measures are in place
In addition to HIPAA compliance, security and privacy on the cloud round out the top three worries for hospital leadership who are weighing the use of cloud-based applications.

When it comes to the security of the sensitive data that your healthcare organization is handling, there are cut and dry rules that an organization and its cloud provider must adhere to.

The following five security measures must be in place in order for a healthcare organization and its cloud provider to be HIPAA-compliant: 

1. Being on an encrypted cloud is 100 percent required under HIPAA. Any device or platform accessing ePHI must have end-to-end encryption so it can also decrypt all messages on the receiving end.

2. In addition, the law stipulates that the cloud platform needs to have two-factor authentication (usually a code sent via email or text message). Or in the case that it is just a single sign-on, the cloud needs to encrypt all transferred ePHI. 

3. The next step to being HIPAA compliant is having access controls in place, which further ensure the protection of patients’ medical records by clearly stating which authorized parties can log in to access and share the ePHI.

4. You’ll need data classification tools that both organize the health information and protect it. There are a number of software solutions available through any given cloud platform that can effectively group data sets into categories while keeping them secure. 

5. Make sure the cloud provider is keeping activity logs to have a record of who is accessing the ePHI and what is being done with it during each session. This is fundamental for both healthcare institutions and their cloud partners to spot suspicious activity or if an audit is needed. Any cloud platform that works with the healthcare industry should have no problem keeping tabs on the data access through logs. 


Regular checkups
Even with a trusted cloud partner in hand and the required safety measures in place, your healthcare organization still may not be completely HIPAA compliant. That’s because you need to make sure that both you and the cloud provider are actively remaining in compliance with regular checkups and routine monitoring. If not, your organization could face tens of thousands of dollars in fines if you’re found to be in violation of HIPAA. 

For starters, healthcare organizations need to request their cloud provider notify them anytime there is a data breach or security threat. This is important because, in the case of a hack, your organization is responsible for reporting it to the Department of Health, per HIPAA’s Breach Notification Rule. And unfortunately, the reality is that these hacks are becoming more common as more medical professionals adopt cloud solutions. In 2020, there were more than 640 large data breaches of the healthcare industry, up considerably from the year prior.

You and your cloud partner must also conduct regular risk assessments, as required by HIPAA’s Security Rule. The idea here is that you’ll notice any cybersecurity vulnerabilities before disaster strikes and be able to outline a bulletproof cybersecurity framework that mitigates threats. A good cloud partner will understand exactly where a hacking threat could come from and patch up any holes before patient ePHI is compromised. 

Constant account monitoring is another required step on the maintenance end of things. As mentioned above, you’ll need to work with your cloud provider to keep logs of access records to be on the lookout for suspicious behavior.  There are plenty of cloud platforms on the market that can help medical professionals keep detailed track records of the changes made to data uploads. Otherwise, if you don’t know who is looking at the ePHI on the cloud or what they’ve done to it, you could be in trouble.

And lastly, healthcare organizations should train their staff on how to spot possibly malicious activity or data breaches. There’s no doubt that the medical staff at your workplace is extremely busy, but this is an issue that requires all hands on deck to ensure the ePHI remains protected and in accordance with HIPAA. You can conduct regular training or educational sessions to give your team an idea of what they should be looking out for.

Just because cloud platforms are becoming more popular in the healthcare industry, it does not always mean that these organizations are leveraging the big data and cloud solutions correctly. In order to best protect your patients and your organization on the cloud, it is critical to building a working relationship with a cloud provider around HIPAA’s requirements.

Written by Frank Smith, CISSP, Security & Consulting at Ntiva, an MSP providing Healthcare IT services, cybersecurity services and IT consulting for today’s technology-dependent businesses.