HIPAA and cloud computing: What you need to know


Many of my clients are in the healthcare field, so a common question is whether data can be managed on IBM cloud computing solutions in compliance with the Health Insurance Portability and Accountability Act (HIPAA). The relevant part of this law, enacted by the U.S. Congress in 1996, establishes rules for the storage and transmission of electronic health information. In summary, these rules are:

  • Privacy Rule: regulates the use and disclosure of protected health information
  • Security Rule: sets national standards for the security of electronic protected health information
  • Breach Notification Rule: requires that entities and business associates notify affected individuals (and others) following a breach of unsecured protected health information

In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act strengthened and clarified these rules. In 2010, the Omnibus rule refined the definitions of covered entities, such as health care providers, and business associates, such as IT service providers. A cloud service provider, such as SoftLayer, an IBM company, is considered a business associate and must demonstrate compliance with relevant provisions of HIPAA-HITECH rules.

Hosting an application in compliance with HIPAA-HITECH rules is a shared responsibility between the customer and SoftLayer. A Business Associate Agreement (BAA), which clearly defines the respective responsibilities of SoftLayer and the customer, must be signed. Sensitive workloads are best hosted on SoftLayer’s bare metal or private dedicated cloud offerings. Responsibility is divided as follows:

  • SoftLayer is solely responsible for the security of the physical data center hosting the SoftLayer-provided infrastructure
  • SoftLayer is responsible for managing the environment and SoftLayer administrators according to the security best practices required by HIPAA controls
  • The customer is responsible for managing the workloads, with the exception of the physical infrastructure, so as to comply with HIPAA-HITECH rules

A customer should work with subject matter experts and legal advisors to ensure that they have put in place the required controls. SoftLayer’s infrastructure as a service (IaaS) platform provides a number of offerings to help achieve HIPAA-HITECH compliance, including:

  • Strict access control and physical security for data centers, including two-factor access authentication and CCTV monitoring
  • Servers labeled with a barcode only, which obscures their identity and ensures only authorized and approved access
  • Completely automated management of the environment: hands-on management of devices is only done when physical access is required and in response to a customer-raised ticket
  • A complete history of all SoftLayer actions taken on any device
  • Access to SoftLayer-hosted storage only through the private network, not the Internet-accessible public network
  • Servers and storage are wiped when de-provisioned; if the wipe is unsuccessful or the server/storage fails, the device is decommissioned and physically destroyed
  • A flexible portal and application programming interface (API) that allow the design of comprehensive failover, disaster recovery and high availability solutions

In addition, SoftLayer provides services to assist customers in creating security and privacy solutions, including:

  • Vulnerability scanning
  • Host-based intrusion protection
  • Anti-virus protection
  • Firewall and network-based threat protection
  • Two-factor authentication to the SoftLayer customer portal
  • SSL certificates that enable confidentiality of data-in-transit

In summary, the security solution to achieve HIPAA-HITECH compliance is a shared responsibility. SoftLayer’s dedicated bare metal or private virtualized cloud offerings should be used for sensitive workloads. A Business Associate Agreement (BAA) needs to be signed as part of the sales agreement. Subject matter and legal experts should be consulted for expertise and guidance.

I’d be interested to hear about your experiences with hosting workloads that require HIPAA-HITECH compliance. Comment below or connect with me on Twitter @allanrtate to continue the discussion.
