Despite new HIPAA Business Associate Agreement (BAA) regulations going into effect in 2013, many healthcare organizations are still encountering the occasional cloud service provider who refuses to sign a BAA. Although they may have a logical explanation, any refusal to sign a BAA should be seen as a red flag.
Here’s the logic from their angle. There are still many cloud vendors who view themselves more as conduits of Personal Health Information (PHI). They feel their role is more akin to that of a mailman. They’re merely transporting data to others and have no real access to the actual contents.
If the data is encrypted and cannot be read, or If they don’t touch the actual PHI data at all, the cloud service vendor will argue that HIPAA regulations do not apply to them and possibly refuse to sign a BAA.
Fair enough, right? If the data is encrypted and the vendor doesn’t hold the encryption key, what’s the problem? Well, here’s the problem.
File this in the unlikely yet not improbable category. Let’s say that the PHI data wasn’t properly encrypted before it was sent into the cloud or unencrypted data was mistakenly transferred over to the cloud service provider. If the cloud provider has refused to sign a BAA, this jeopardizes your HIPAA compliance and could potentially result in a fine anywhere from $50,000 to $1.5 million.
This is why those in the healthcare sector must move on from any cloud provider that is reluctant to sign a BAA. They are basically refusing to be complaint since the new HIPAA Omnibus Rule clearly defines a business associate as anyone who creates, receives, maintains, or transmits PHI on behalf of a covered entity. By refusing to share accountability for HIPAA compliance, they’re a liability to your organization that you just can’t afford.
https://www.cognoscape.com/wp-content/uploads/2014/05/68.gif126223Cognoscape/wp-content/uploads/2014/06/Cognoscape-300x137.pngCognoscape2014-09-05 11:30:282019-12-12 14:48:51Why it's Time to Move on if Your Cloud Provider Won't Sign a HIPAA BAA
In 2013, major companies like Google, Amazon, and Microsoft experienced outages. Not only were these big name outages disruptive to users, but they also made headlines and proved to be costly to each brand. Google’s hiccup footed an estimated bill of $500,000 while Amazon’s 30-40 minute blackout contributed to roughly $3 million in losses.
2013 was also the year the healthcare industry embraced cloud computing thanks to modifications to the HIPAA Privacy, Security, Enforcement and Breach Rules. With these modifications extending the definition of a Business Associated (BA) to cloud service providers, many of the data breach concerns that had previously kept the healthcare sector from taking to the cloud have been quieted.
But as more patient health data is electronic and residing in a virtual environment, the availability of this data is just as important, if not more important, than securing it. Unlike Google, Amazon, and Microsoft, the disastrous effects of data outages in the healthcare sector can have potentially deadly consequences.
Not only is high uptime mandatory in a healthcare cloud, business continuity and disaster recovery (BCDR) plans are also crucial. The good news is the cloud’s virtualized infrastructure, coupled with the expertise and cloud monitoring of a trusted Managed Service Provider (MSP) can help healthcare organizations maintain uptime and reliability. Here are two helpful steps:
Risk Assessments Are Absolutely Necessary
While risk assessments are critical to protecting patient health information, a 2012 audit conducted by the Office of Civil Rights revealed that many healthcare entities and contracted service providers fail to perform them. These evaluations must be conducted regularly and require an honest assessment of probable risks ranging from malicious cybercrime attacks to acts of nature such as natural disasters, flood, earthquakes and power outages. Analyze both the architectural vulnerabilities relative to data availability and security as well as the effectiveness of the counteractive measures in place. The goal is to minimize the plausible impact of such an event and prevent service disruption.
Proactively Monitor for Cybercrime
It is often months before a security breach is detected. By this time, hackers have had ample time to infiltrate your system and feast on its data. Since cybercriminals use an unpredictable array of methods to strike, such as viruses, malware and phishing schemes to steal credentials, the strength of your detection system is key. Alerts should be set up to identify anomalies such as unusual application requests, forced entry attempts, suspicious spikes in traffic, and abnormal data patterns that suggest a breach. The proactive monitoring tools available through a MSP can help scan, pinpoint, and remediate such attacks.
Any BCDR plan must be built upon your organization’s recovery time objective (RTO) and recovery point objective (RPO). Your RTO is the duration of time in which your service level must be restored to avoid dire consequences. Your RPO is the maximum age of the recoverable files in storage to resume normal operations. A MSP can help determine the optimal scenario for your healthcare organization and prioritize the most critical health care information with near real-time replication.
Through this preparation and foresight, your organization can lay the groundwork to not only protect healthcare information in the cloud but potentially save patients’ lives in the event of an unforeseen outage.
https://www.cognoscape.com/wp-content/uploads/2014/05/661.png449474Cognoscape/wp-content/uploads/2014/06/Cognoscape-300x137.pngCognoscape2014-09-01 11:30:262016-06-23 19:29:472 Steps to Ensure Healthcare Data Availability in the Cloud
For years, the healthcare industry was thought to be the very last sector to embrace cloud computing. With HIPAA compliance, storing private patient data in the cloud seemed much too risky from a security and legal standpoint. However, with a government issued mandate to migrate patient data to electronic heath records by 2015, the cost-effectiveness of the cloud was simply too logical to not entice independent practitioners and small healthcare entities now burdened by the need to invest technology and tech-savvy personnel. If only there was a way around the security and privacy concerns.
Wish granted. In January of 2013, the U.S. Department of Health and Human Services introduced a few revisions to the regulations administered under the Health Insurance Portability and Accountability Act of 1996. Labeled the “Final Omnibus Rule,” this update spelled out the legal framework to be used by healthcare organizations working with cloud service providers.
With a signed Business Associate (BA) agreement, a cloud service provider accepts the responsibility to protect patient data under HIPAA law. This expanded definition of BA means that the government can now penalize cloud service providers accountable for data breaches.
Although many healthcare organizations had already entrusted certain cloud service providers with their data, only the HIPAA covered entity (the healthcare organization) was penalized in the event of a breach prior to this ruling. While the HIPAA covered entity is still responsible for oversight, this shared accountability with the cloud service provider has expanded responsibility and has led to an influx of healthcare organizations and cloud service providers working together, worry-free, in perfect harmony.
https://www.cognoscape.com/wp-content/uploads/2014/05/65.jpg342300Cognoscape/wp-content/uploads/2014/06/Cognoscape-300x137.pngCognoscape2014-08-29 11:30:482016-06-23 19:29:47Healthcare and Cloud Computing Together at Last
