Cloud providers whose clients handle healthcare information now face stronger security and privacy requirements because of changes to federal law. Yet many of these vendors and suppliers are unaware of the regulations, of the large fines for noncompliance, and of the protection against those risks that cloud encryption can provide, according to legal specialist Gerard Stegmaier.
Mr. Stegmaier, an attorney at Wilson Sonsini Goodrich & Rosati in Washington, D.C., explained in a recent webinar, in which I was a co-presenter, that the change is being driven by the HIPAA/HITECH Omnibus Rule, whose compliance date is September 23, 2013, and which expands who is covered by the regulations. In his view, cloud providers that "create, receive, maintain and/or transmit" protected health information are likely to be considered "business associates" under the rule. That means the security, privacy and breach notification requirements of HIPAA/HITECH apply directly to those cloud providers, not only to the healthcare customers they serve.
The Health Insurance Portability and Accountability Act (HIPAA) mainly covers protected health information (PHI): information that reasonably identifies an individual and relates to that person's health, a medical condition, health services or payment for health services. Since the Act's passage in 1996, healthcare organizations have been required to protect the confidentiality of such records. With the Omnibus Rule's compliance date in September 2013, business associates are expressly subject to the provisions of the privacy rule, portions of the security rule and the breach notification rule.
The security rule requires covered organizations to ensure the confidentiality, integrity and availability of electronic PHI (e-PHI) through administrative, physical and technical safeguards; to protect against reasonably anticipated threats and against impermissible uses or disclosures; and to ensure that their workforce complies with those safeguards.
HIPAA/HITECH is not the only concern, however, as Mr. Stegmaier pointed out. Another source of liability is the FTC's Health Breach Notification Rule, which covers companies handling consumers' health information that are not HIPAA covered entities or business associates: vendors of personal health records (PHRs) and of related applications that individuals use directly on websites and mobile phones. So, ironically, a company that is not subject to the HIPAA breach notification rule may still be subject to the FTC's rule simply because it offers a personal health record. That is significant because of the high costs of data breach disclosure, not the least of which is damage to the company's reputation.
Equally significant are the 46 states that have enacted data breach notification laws of their own, covering privacy and breach notification for personal data generally, not only health data. The laws differ on specifics, but common themes are that they hold data collectors responsible for protecting personally identifiable information from disclosure or misuse and provide for penalties that include fines, personal liability and public disclosure of data breaches.
In the face of these regulations and risks, one important step Mr. Stegmaier recommended for any organization that maintains PHI in cloud services, or that collects and handles PHI, is to encrypt the information. For HIPAA/HITECH, properly applied encryption is treated as a safe harbor and is likely to be seen as "reasonable" security. Under the FTC and state data breach laws, encrypted data is typically exempted from breach disclosure requirements if it has been "rendered unreadable without use of a confidential key." One caveat a practitioner should keep in mind: the HHS guidance behind the HIPAA safe harbor only treats PHI as secured if the decryption key has not itself been compromised, so keeping keys out of the environment that holds the ciphertext is what makes the safe harbor hold.
The legacy approach to security was to build a strong perimeter: keep the good stuff inside, keep the bad guys out. As most people now realize, the proliferation of cloud applications undermines that model. Users go directly to the cloud, bypassing your security controls, or come in from external devices where you have no control point at all.
Cloud information protection products that provide such encryption can be deployed in many ways, but most commonly as a gateway at the perimeter of your organization, giving you a control point where security policies can be enforced. Such gateways can enforce a number of policies, but the most common is to encrypt with a strong standard algorithm, AES-256, or to replace the value with a token. With these policies the gateway can selectively and automatically protect data on the fly, triggered by the content itself, whether a Social Security number or other PHI, before the data leaves the premises.
Importantly, these products aim to preserve the cloud application's operations on the data, so as data passes in and out of the gateway, authorized users notice nothing different: they use their applications to get their jobs done, while someone unauthorized, coming in without access through the gateway, sees only ciphertext or tokens. One caveat: any field the cloud application still needs to search, sort or index on must be protected with a scheme that preserves that operation, and such schemes necessarily reveal more about the plaintext than standard AES-256 does, so the set of operation-preserving fields should be kept as small as possible.
To conclude, as Mr. Stegmaier so aptly said, life does not begin and end with HIPAA, but there are ways to prevent breaches and reduce regulatory risks while getting the benefit of using cloud technologies and still ensuring patients’ sensitive data remains secure.
Business associates and covered entities have embraced moving to the cloud but remain concerned about maintaining control of patients' health data. Cloud data protection gateways are an effective technology for reducing breach risk. They catch sensitive information on premises and either encrypt it or replace it with a random token that carries no recoverable information about the original value, so the data stays protected wherever it resides, including in the cloud, as long as the keys and the token vault remain on premises. These techniques help associates and entities remain compliant with HIPAA as well as the FTC's rule on personal health records and state data breach laws.
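The content-triggered protection described above (a gateway that detects a Social Security number by its content, swaps it for a random token on the way out and restores it only for authorized users on the way back) is easy to reason about in code. The following is an added example written for this page; it is not CipherCloud's product code or any vendor's API. It uses tokenization rather than AES-256 so that it runs with the Python standard library alone, and the class and method names (`TokenizationGateway`, `outbound`, `inbound`), the SSN validity check and the sample record are all this example's own assumptions. Two details matter for the safe-harbor argument: the token is drawn from `secrets`, so it is not derived from the SSN and reveals nothing about it, and the token-to-value vault lives only inside the gateway, which is the on-premise control point the article describes.

```python
"""Content-triggered tokenization gateway (added example, not vendor code).

Outbound records are scanned for values whose content is a structurally
valid U.S. Social Security number; each hit is replaced by a random token.
The token->value mapping (the vault) never leaves the gateway. Inbound
records are de-tokenized only for callers the gateway knows are authorized.
"""
import copy
import re
import secrets

# Nine digits with optional dashes. The validity rules below follow the
# Social Security Administration's published structure (area 000, 666 and
# 900-999, group 00 and serial 0000 are never issued), which suppresses
# false positives such as nine-digit order numbers.
SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")


def is_ssn(value):
    """True only for strings that are structurally valid SSNs."""
    if not isinstance(value, str):
        return False
    m = SSN_RE.match(value.strip())
    if not m:
        return False
    area, group, serial = (int(x) for x in m.groups())
    if area == 0 or area == 666 or area >= 900:
        return False
    return group != 0 and serial != 0


class TokenizationGateway:
    """Replaces SSN-looking values with random tokens; vault stays on-premise."""

    TOKEN_PREFIX = "tok_"

    def __init__(self, authorized_users):
        self._vault = {}       # token -> original value (never sent to the cloud)
        self._reverse = {}     # original value -> token, so repeats reuse a token
        self._authorized = set(authorized_users)

    def _tokenize_value(self, value):
        if value in self._reverse:
            return self._reverse[value]
        # 16 random bytes = 128 bits of entropy; the token is not computed
        # from the SSN, so it carries no information about it.
        token = self.TOKEN_PREFIX + secrets.token_hex(16)
        self._vault[token] = value
        self._reverse[value] = token
        return token

    def _is_token(self, value):
        return isinstance(value, str) and value in self._vault

    def _walk(self, obj, transform, predicate):
        """Recursively copy obj, applying transform to values predicate accepts."""
        if isinstance(obj, dict):
            return {k: self._walk(v, transform, predicate) for k, v in obj.items()}
        if isinstance(obj, list):
            return [self._walk(v, transform, predicate) for v in obj]
        return transform(obj) if predicate(obj) else obj

    def outbound(self, record):
        """Record leaving the premises: every SSN-shaped string is tokenized."""
        return self._walk(record, self._tokenize_value, is_ssn)

    def inbound(self, record, user):
        """Record returning from the cloud: de-tokenize only for authorized users."""
        if user not in self._authorized:
            return copy.deepcopy(record)   # unauthorized callers see tokens only
        return self._walk(record, self._vault.__getitem__, self._is_token)


# Constructed sample record for illustration; it contains no real PHI.
SAMPLE_RECORD = {
    "patient": {"name": "J. Doe", "ssn": "123-45-6789"},
    "guarantor_ssn": "123456789",   # no dashes, still detected by content
    "claim_id": "000-12-3456",       # SSN-shaped, but area 000 is never issued
    "diagnosis": "Z00.00",
}

if __name__ == "__main__":
    gw = TokenizationGateway(authorized_users={"nurse.alice"})
    sent = gw.outbound(SAMPLE_RECORD)
    print("stored in cloud:  ", sent)
    print("authorized view:  ", gw.inbound(sent, "nurse.alice"))
    print("unauthorized view:", gw.inbound(sent, "contractor.bob"))
```

Running the block shows the two SSN fields replaced by `tok_...` values in the record that goes to the cloud, the `claim_id` left alone because it fails the validity check, and the original values restored only for `nurse.alice`. In a real deployment the vault is the asset that needs the strongest protection: if it is copied alongside the tokenized data, the tokens are no better than plaintext, which is the tokenization counterpart of the key-compromise caveat in the encryption safe harbor.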
Willy Leichter, global director of cloud security at CipherCloud, has over 20 years of experience helping Global 1000 companies meet security and compliance challenges within their networks and in the cloud.