HIPAA and cloud computing: What you need to know


Many of my clients are in the healthcare field, so a common question is if data can be managed on IBM cloud computing solutions in compliance with the Health Insurance Portability and Accountability Act (HIPAA). The relevant part of this law, enacted by the U.S. Congress in 1996, establishes rules for the storage and transmission of electronic health information. In summary, these rules are:

• Privacy Rule: regulates the use and disclosure of protected health information

• Security Rule: sets national standards for the security of electronic protected health information

• Breach Notification Rule: requires that entities and business associates notify affected individuals (and others) following a breach of unsecured protected health information

Cloud computing HIPAAIn 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act strengthened and clarified these rules. In 2010, the Omnibus rule refined the definitions of covered entities, such as health care providers, and business associates, such as IT service providers. A cloud service provider, such as SoftLayer, an IBM company, is considered a business associate and must demonstrate compliance with relevant provisions of HIPAA-HITECH rules.

Hosting an application in compliance with HIPAA-HITECH rules is a shared responsibility between the customer and SoftLayer. A Business Associate Agreement (BAA), which clearly defines the respective responsibilities of SoftLayer and the customer, must be signed. Sensitive workloads are best hosted on SoftLayer’s bare metal or private dedicated cloud offerings. Responsibility is divided as follows:

• SoftLayer is solely responsible for the security of the physical data center hosting the SoftLayer provided infrastructure

• SoftLayer is responsible for the managing the environment and Softlayer administrators according to security best practices required by HIPAA controls

• Customer is responsible for managing the workloads, with the exception of the physical infrastructure, so as to comply with HIPAA-HITECH rules

A customer should work with subject matter experts and legal advisors to ensure that they have put in place the required controls. SoftLayer’s infrastructure as a service (IaaS) platform provides a number of offerings to help achieve HIPAA-HITECH compliance, including:

• Strict access control and physical security for data centers, including two-factor access authentication and CCTV monitoring

• Servers, labeled with a barcode only, obscure their identity and ensure only authorized and approved access

• Completely automated management of the environment: hands-on management of devices is only done when physical access is required and in response to a customer raised ticket

• A complete history of all SoftLayer actions taken on any device

• Access to SoftLayer hosted storage is through only the private network and not the Internet-accessible public network

• Servers and storage are wiped when de-provisioned; if the wipe is unsuccessful or the server/storage fails, the device is decommissioned and physically destroyed.

• Flexible portal and application programming interface (API) that allows the design of comprehensive failover, disaster recovery and high availability solutions

In addition, SoftLayer provides services to assist customers in creating security and privacy solutions, including:

• Vulnerability scanning

• Host-based intrusion protection

• Anti-virus protection

• Firewall and network-based threat protection

• Two factor authentication to the SoftLayer customer portal

• SSL certificates that enable confidentiality of data-in-transit

In summary, the security solution to achieve HIPAA-HITECH compliance is a shared responsibility. SoftLayer’s dedicated bare metal or private virtualized cloud offerings should be used for sensitive workloads. A Business Associate Agreement (BAA) needs to be signed as part of the sales agreement. Subject matter and legal experts should be consulted for expertise and guidance.

I’d be interested to hear about your experiences with hosting workloads that require HIPAA-HITECH compliance. Comment below or connect with me on Twitter @allanrtate to continue the discussion.

Comments: 6
Allan R. Tate

About Allan R. Tate

Allan R. Tate manages sales of infrastructure services for one of IBM’s business units in New England. His territory includes government, higher education, healthcare, banking and retail clients. He is responsible for all infrastructure services including mobility, resiliency, systems and networking and partners with IBM’s Cloud and Security units. Prior to this job, he was a Senior IT Architect for Global Business Services, with extensive development and DevOps experience. He is currently a member of the Organizing Team for the MIT Sloan CIO Symposium. Connect with him on Twitter @allanrtate.
This entry was posted in Managing the Cloud, SoftLayer and tagged , , . Bookmark the permalink.

6 Responses to HIPAA and cloud computing: What you need to know

  1. @ranjans says:

    Good one..I was looking for this information. Another guide for vendor making their services HIPAA compliance would be really helpful. Thx

  2. Heather says:

    As an information security specialist for many years, I unfortunately see the same recurring theme with cloud based businesses time and time again, and that’s the failure to implement comprehensive security policies, procedures, processes, and other fundamental initiatives. With so many free and cost-effective solutions available online, there’s really no excuses as to why businesses don’t take the necessary steps for ensuring the safety and security of one’s entire network infrastructure. What’s also frustrating is not seeing comprehensive security awareness training and other basic, fundamental programs, like annual risk assessments, that should be in place for further helping protect organizational assets. There are literally hundreds of sites offering free employee training material. It’s time companies got serious about security and not just profits because data breaches are continuing to grow at such an alarming rate. Think about it, what business do you even have if a significant data breach occurs? Kiss your profits goodbye and say hello to the onslaught of lawsuits sure to arrive.

  3. Covered Entities and Business Associates should be focusing on the true merits of HIPAA compliance when it comes to the cloud, and that’s putting in place documented HIPAA information security and operational policies, procedures, and processes. I’ve worked with so many healthcare providers that lack the basic and fundamental documentation for HIPAA compliance, therefore it’s easy to see why non-compliance issues are still a major factor with HIPAA. I also hear healthcare companies express cost concerns about developing such documents, along with implementing risk assessment and security training initiatives, but with all the free and cost-effective tools available (some of them straight from hhs.gov!), there’s really no excuse for not being HIPAA compliant. Everyone needs to be ensuring the safety and security of PHI in the cloud, it’s really that simple, and one of the best ways for doing that is putting in place cloud based HIPAA specific policies and procedures.

  4. I've spent years working with cloud providers and probably the biggest issue I see are the network engineers and systems administrators not having a strong understanding of virtualization and the use of such machines. From guest O/S to bare metal platforms for VM, i'm somewhat surprised that engineers lack the knowledge needed for securing such systems, removing default accounts, establishing audit and logging trails and more. Cloud computing and compliance go hand in hand today, so it's a weakness that needs to be corrected.

  5. Allan, one more thing. I think HITRUST and the other HIPAA and cloud vendors have done a really good job of illustrating controls that need to be in place for cloud based Covered Entities and Business Associates, but again, the engineers and other I.T. personnel seem to lack the knowledge and expertise needed for implementation.

  6. I’ve got to comment here because as a PCI-QSA for the last eight years, I constantly run into challenges with cloud environments for both cardholder data and Protected Health Information (PHI), and it’s a heck of a challenge in many ways. Let me say that PHI is much more important than cardholder data, so I would only hope more of an emphasis is put on ensuring the safety and security of it. As for cloud computing, the biggest issue is not physically being able to touch and feel systems that store credit card and PHI, instead just relying on blind faith at times. The cloud is hell for compliance, it really is.

Comments are closed.