COMMENTARY: The Health Insurance Portability and Accountability Act (HIPAA) has become one of the healthcare sector's most widely recognized compliance frameworks. Enacted in 1996, HIPAA was introduced to safeguard the privacy and security of protected health information (PHI), which includes sensitive data such as names, addresses, Social Security numbers, health records, and biometric information. As part of HIPAA compliance, organizations that collect or store this data must follow strict guidelines to ensure its proper storage, use, and sharing.
The importance of HIPAA compliance has only grown in recent years, with healthcare organizations becoming prime targets for cyberattacks. High-profile incidents at organizations like Kaiser Permanente, HealthEquity, and Concentra Health Services have leaked the data of millions of patients, demonstrating the high stakes of maintaining proper security. In the event of a breach, failing to demonstrate HIPAA compliance can lead to hefty fines, tarnished reputations, and the potential for significant financial losses. In some cases, companies may choose to pay a ransom to keep breaches quiet, underscoring the devastating impact that non-compliance can have.
[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]
Given that PHI data gets stored both on-premises and in the cloud, it's important to understand how HIPAA compliance differs in these environments. One of the important distinctions between the two lies in responsibility and control.
Understanding the shared responsibility model
When discussing HIPAA compliance in the cloud, it's crucial to acknowledge the shared responsibility model. In an on-premises environment, an organization has full control over its infrastructure, from physical security to network configuration and data protection. However, in a cloud environment that responsibility gets shared between the cloud provider and the user.
Cloud providers, such as AWS, Azure, or Google Cloud, are responsible for securing the infrastructure, including the physical hardware, basic networking, and foundational services. On the other hand, users are responsible for securing their applications, data, and any configurations that relate to how their services run in the cloud.
This model introduces complexity when it comes to PHI data. Organizations must secure their cloud configurations, identities, and data while ensuring that their cloud and software providers fulfill their own compliance obligations. With the cloud introducing new layers of abstraction, it’s easy to overlook critical security aspects, potentially creating gaps that could compromise PHI data if not properly managed.
How to keep PHI data secure in the cloud
To keep PHI data secure in the cloud, organizations must actively monitor, detect, and remediate potential vulnerabilities. Cloud environments are dynamic, requiring security configurations to adapt as applications evolve. A significant challenge in these environments is maintaining control over third-party services, which can introduce additional risks.
Many cloud-based organizations rely heavily on third-party vendors, but their security posture directly impacts an organization's HIPAA compliance status. When working with third parties, it’s critical to ensure they follow HIPAA compliance standards, as any weaknesses on their part could compromise the overall security of PHI data.
The challenge doesn’t stop there. In the cloud, organizations must continually audit and monitor their environments to ensure that they maintain compliance with HIPAA regulations. This includes leveraging cloud-native tools such as AWS CloudTrail, Azure Monitor, and Google Cloud’s Security Command Center to track activity and ensure that the team properly secures the cloud infrastructure.
Here are three important elements of a strategy that will help organizations get their cloud data in compliance with HIPAA:
- PHI data discovery: Start by discovering all the PHI-related data resources. While this might seem straightforward, it’s not uncommon for engineers to mistakenly let sensitive data migrate to new or unintended locations. Ensure that all PHI data gets accurately identified and tracked so the team can maintain control over that data.
- Data encryption: After discovering where PHI resides, organizations must encrypt that data both in transit and at rest. Encryption ensures that even in the event of a breach, sensitive information remains protected from unauthorized access. Major cloud providers typically offer robust encryption services, but it’s up to the user to enable and properly configure these features.
- Access control and identity management: Organizations should also restrict access to PHI data. This involves carefully managing both human and non-human identities (such as roles, services and applications) to ensure that only authorized entities have the necessary permissions. Teams often make the mistake of granting excessive permissions, which can lead to accidental or malicious access to sensitive data. Using the least privilege principle to reduce risk and maintain compliance.
In addition to securing PHI data, organizations must also put in place the right auditing and monitoring processes. Logging tools let organizations track and log every action taken within their cloud environments. This helps in identifying and addressing security misconfigurations or unauthorized access in real-time, ensuring that the team can promptly remediate any compliance gaps.
Make cloud-native tools the foundation of the company’s compliance monitoring strategy. Starting with these tools lets organizations take advantage of services that are already optimized for the specific cloud platform they are using. From there, the team can layer-in additional third-party security tools to deliver enhanced monitoring and auditing capabilities.
Any organization handling PHI must grapple with HIPAA compliance, and the cloud introduces new complexities to maintaining that compliance. By understanding the shared responsibility model, implementing strong security practices like encryption and access control, and continuously monitoring for vulnerabilities, organizations can ensure that their cloud environments remain compliant. Proactively securing PHI data and collaborating closely with third-party vendors will protect sensitive information, build customer trust, and help avoid costly breaches and regulatory penalties.
Shira Shamban, co-founder and CEO, Solvo
SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.