Shooting from the HIPAA… compliance in the cloud

As an IT professional, what visuals are conjured when you hear the phrase “HIPAA compliance”? Is it Sisyphus having to push a heavy boulder up a mountain only to have it roll back down? Is it some hapless character from a Kafka novel caught in an endless bureaucratic labyrinth of requirements? Or is it just a giant hippopotamus sitting on your lap?

Compliance is the necessary evil of any IT strategy. It has the best of intentions, and in many cases it ensures the right steps are followed to protect sensitive data like patient records. However, that doesn’t mean the multiple levels of auditing and reporting aren’t a drain on resources, or that reinventing the wheel just to satisfy one area of administration should be approved.

Even HIPAA says it can be complex: “While the general concept of HIPAA Compliance is very simple—protecting the privacy of each individual—creating standard operating procedures that follow HIPAA requirements can be rather complex and implementation of compliance procedures can vary greatly from one covered entity to the next depending on the type of business conducted at each entity.”

But the question of whether or not to comply is moot. We know that you are dedicated to ensuring the privacy of patient records (PHI) and to safeguarding the integrity of your enterprise’s IT assets. The question is how best to comply. And with all the drags on your time and resources, the cloud makes a sensible case for supporting the enterprise’s compliance efforts.

I’m not going to cover generalities such as what is required and what a covered entity is… I figure you already know that. Let’s spend time on how the cloud can make compliance a lesser burden while ensuring the privacy of patients and customers, their transactions and their personal data.

For this entry, let’s focus only on the technical assets (not the administrative or physical control policies and procedures). In that respect, HIPAA focuses on three areas: Access Control, Audit Control and Transmission Security.

The greatest benefit of managing identity and access from the cloud is the ease of administering EPHI (Electronic Protected Health Information). With HIPAA, this means sharing and securing information with other user repositories (such as referral networks, insurers, payment processors and the patients/customers themselves) as well as maintaining safeguards across various applications, devices and systems. In most cases in the health industry, security breaches come from roles and their cross-hierarchical access: valid users get access to data they shouldn’t, and that opens the door for data leakage. The key the cloud provides is not just the ability to provision and deprovision on demand, or to create enterprise-wide access rules based on roles or responsibilities, but the capacity to enforce those rights across an entire enterprise and beyond in real time.
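To make the role-based model concrete, here is an added example (not code from the original post or from any product it alludes to) of a minimal directory that grants EPHI access only through roles, disables accounts on deprovisioning rather than deleting them, and records every decision for audit. The roles, permissions, user names and resource names are constructed for illustration.

```python
"""Role-based access decisions for EPHI with provisioning, deprovisioning and
an audit trail. Added example; all names below are constructed."""
from dataclasses import dataclass, field

# Role -> set of (resource, action) permissions. A user with no role gets nothing,
# so deprovisioning is simply "active=False, roles cleared".
ROLE_PERMISSIONS = {
    "physician": {("patient_record", "read"), ("patient_record", "write")},
    "billing": {("claim", "read"), ("claim", "write"), ("patient_record", "read")},
    "referral_partner": {("referral_summary", "read")},   # external repository
}


@dataclass
class User:
    username: str
    roles: set
    active: bool = True


@dataclass
class Directory:
    users: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)   # every provision/deprovision/decision

    def provision(self, username, roles):
        """Create an account with the given roles; unknown roles are rejected."""
        unknown = set(roles) - set(ROLE_PERMISSIONS)
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        self.users[username] = User(username, set(roles))
        self.audit.append({"action": "provision", "user": username,
                           "roles": sorted(roles)})

    def deprovision(self, username):
        """Disable the account and strip its roles; keep the record for audit."""
        user = self.users[username]
        user.active = False
        user.roles = set()
        self.audit.append({"action": "deprovision", "user": username})

    def is_allowed(self, username, resource, action):
        """Return True only if an active user holds a role granting (resource, action)."""
        user = self.users.get(username)
        if user is None or not user.active:
            decision = False
        else:
            decision = any((resource, action) in ROLE_PERMISSIONS[r] for r in user.roles)
        self.audit.append({"action": "access", "user": username,
                           "request": f"{action}:{resource}", "allowed": decision})
        return decision


if __name__ == "__main__":
    d = Directory()
    d.provision("dr_smith", {"physician"})
    d.provision("partner_clinic", {"referral_partner"})
    print(d.is_allowed("dr_smith", "patient_record", "write"))        # True
    print(d.is_allowed("partner_clinic", "patient_record", "read"))  # False
    d.deprovision("dr_smith")
    print(d.is_allowed("dr_smith", "patient_record", "read"))        # False
    for entry in d.audit:
        print(entry)
```

Denials are recorded alongside grants because a denied request from a valid account is exactly the kind of event a later correlation step needs to see.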

What the cloud truly brings to the party is the ability to scale up and down as needs dictate, and the cost efficiencies built into fast deployment and the absence of hardware and software to maintain. Most important, though, are the best-of-breed enterprise-class solutions you can use to track, process and improve performance across all the compliance requirements. The savings from password self-service alone amount to hundreds of man-hours per year.

There are several cloud-based solutions that can manage your identity security, but HIPAA compliance is more than just IAM/IDM. There is the matter of data correlation: the ability to determine when and whether an event is a potential threat or simply authorized access. And today, even authorized access is not so simple. What happens if a correct password is used against a dormant account? Are you notified? Is the account immediately frozen? It could well be a friendly error, but if the IP address traces back to Bulgaria, are you concerned? What if it happens in the middle of the night, or the account tries multiple times to modify records beyond its original rights? How and when are you alerted? This is typically beyond the scope of IDM, which is where a SIEM and log monitoring solution comes in. HIPAA requires this and the cloud delivers.
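The scenarios in the paragraph above (a valid password on a dormant account, a login from an unexpected country, off-hours activity, repeated attempts to modify records beyond the account's rights) are each a simple correlation rule. The following is an added example, not the post's own code or any SIEM product's rule language, that runs such rules over a few constructed log lines; the log format, the "last successful login" store, the expected-country list and the thresholds are all assumptions chosen for illustration.

```python
"""Correlation rules over authentication and record-modification events.
Added example; log format, accounts and thresholds are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

DORMANT_DAYS = 90                 # no successful login for this long = dormant
EXPECTED_COUNTRIES = {"US"}       # where this hypothetical covered entity operates
BUSINESS_HOURS = range(7, 20)     # 07:00-19:59 UTC treated as working hours
DENIED_MODIFY_LIMIT = 3           # denied modifications within DENIED_WINDOW -> alert
DENIED_WINDOW = timedelta(minutes=10)

# Constructed identity-store data: last successful login per account.
LAST_SUCCESSFUL_LOGIN = {
    "nurse_lee": datetime(2024, 2, 28, tzinfo=timezone.utc),
    "old_contractor": datetime(2023, 9, 1, tzinfo=timezone.utc),
}

# Constructed log lines: ISO-8601 UTC timestamp followed by key=value pairs.
SAMPLE_LOG = """\
2024-03-01T14:02:11Z user=nurse_lee event=login result=success ip=198.51.100.4 country=US
2024-03-02T02:14:07Z user=old_contractor event=login result=success ip=203.0.113.9 country=BG
2024-03-02T02:15:30Z user=old_contractor event=modify resource=patient_record result=denied
2024-03-02T02:16:02Z user=old_contractor event=modify resource=patient_record result=denied
2024-03-02T02:17:45Z user=old_contractor event=modify resource=patient_record result=denied
2024-03-02T09:00:00Z user=nurse_lee event=modify resource=patient_record result=success
"""


def parse_line(line):
    """Turn one log line into a dict; 'ts' becomes an aware datetime."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return event


def correlate(lines, last_login=LAST_SUCCESSFUL_LOGIN):
    """Return (rule, user, timestamp) alerts in log order.

    Rules: successful login to a dormant or never-seen account; login from a
    country outside EXPECTED_COUNTRIES; login outside BUSINESS_HOURS; and
    DENIED_MODIFY_LIMIT denied modifications by one account inside DENIED_WINDOW.
    """
    alerts = []
    seen = dict(last_login)        # updated as successful logins are processed
    denied = defaultdict(deque)    # user -> timestamps of recent denied modifies
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user, ts = ev["user"], ev["ts"]
        if ev["event"] == "login" and ev["result"] == "success":
            previous = seen.get(user)
            if previous is None or ts - previous > timedelta(days=DORMANT_DAYS):
                alerts.append(("dormant_account_login", user, ts))
            if ev.get("country") not in EXPECTED_COUNTRIES:
                alerts.append(("unexpected_country", user, ts))
            if ts.hour not in BUSINESS_HOURS:
                alerts.append(("off_hours_login", user, ts))
            seen[user] = ts
        elif ev["event"] == "modify" and ev["result"] == "denied":
            window = denied[user]
            window.append(ts)
            while window and ts - window[0] > DENIED_WINDOW:   # slide the window
                window.popleft()
            if len(window) == DENIED_MODIFY_LIMIT:              # fire once per burst
                alerts.append(("repeated_denied_modify", user, ts))
    return alerts


if __name__ == "__main__":
    for rule, user, ts in correlate(SAMPLE_LOG):
        print(f"{ts.isoformat()} {rule} user={user}")
```

Each rule alone is noisy (night-shift staff exist, contractors travel); the value is in the same account tripping several of them within minutes, which is what the alert list makes visible and what an analyst or an automatic account freeze would act on.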

Between audits, access, transmission and breach prevention, the cloud integrates a risk mitigation program designed to meet not just HIPAA but Sarbanes-Oxley, PCI and others. But the cloud is simply the platform. It is the solutions that run on that cloud that create the conditions for easier compliance. It is the great equalizer in terms of affordability and functionality. Ten years ago there were those who said a cloud-based ERP application was foolhardy. Tell that to They created a big picture solution that allowed modest companies an opportunity to use enterprise-class tools. The cloud has now evolved to the point where security-as-a-service offers proven solutions that meet the strictest federal and industry requirements.

To those on the fence: let’s say that a cloud-based solution has an equivalent level of security features and control to any on-premise solution. Let’s also concede that those features meet or exceed HIPAA requirements. What is left? Why go cloud? Benefits like scalability, cost efficiencies and federated interoperability make for a perfectly rational ROI argument and look good to those paying the bills. Beyond that, a virtual security environment makes a complex process simpler. There are solutions in which the administration is done for you, and for others the cloud creates a consistent, concentrated platform to control all aspects of compliance security.

HIPAA requirements are only going to become stricter as data access and transmission evolve. In the past two years we have already seen amendments and additions to the law, making compliance account for a larger share of your valuable time. The cloud allows you to safely divest some of those tasks through a combination of risk intelligence correlation, automation, integrated processes, proven self-service protocols and centralized management tools.

Kevin Nikkhoo
