9 keys to having a HIPAA-compliant cloud

9 keys to having a HIPAA-compliant cloud

Health care organizations are increasingly open to the idea of using public cloud services, whether it be applications or infrastructure. But to do so requires thorough planning and vigilant execution of IT operations.

+ RELATED STORY: Why this hospital is moving to Amazon’s cloud +

Chris Bowen, founder and chief privacy and security officer for ClearDATA, a company that helps health care organizations use public cloud services, provides nine examples of controls that can be put in place.

  1. Implement audit controls: Use tools such as AWS’ Cloudtrail and S3 buckets as key components of a logging infrastructure.
  2. Review system activity: Leverage audit logs to enable the review of activity within your system.
  3. Identity and Access management controls: Keep track of every user who logs into a cloud environment and what they do; alert administrators if settings are changed. 
  4. Disaster recovery: Ensure there are backups of all data to satisfy contingency plan requirements, including emergency mode operation.
  5. Evaluate your security posture: Conduct vulnerability scans, penetration tests, and code scans on systems processing Personal Health Information (PHI).
  6. Establish a proper Business Associate Agreement: Outline key responsibilities between you and your vendors. These should address responsibilities for keeping data safe, how to provide patients with access to their data, and what to do in the case of a data breach.
  7. Access Controls: Ensure users are unique and logged. Enable auto logoff features, robust authentication features, and stateful security groups.
  8. Encrypt PHI and other sensitive data: Encrypt all data in motion and in rest using a purpose-designed approach.
  9. Ensure transmission security: Effectively enable the proper encryption of data in transit using AES 256 encryption (SSL and TLS) as well as object keys where feasible.
IDG Insider

PREVIOUS ARTICLE

«Continuous Authentication: The future of Identity and Access Management (IAM)

NEXT ARTICLE

Why this hospital is moving to Amazon’s cloud»
author_image
IDG Connect

IDG Connect tackles the tech stories that matter to you

Add Your Comment

Most Recent Comments

Our Case Studies

IDG Connect delivers full creative solutions to meet all your demand generatlon needs. These cover the full scope of options, from customized content and lead delivery through to fully integrated campaigns.

images

Our Marketing Research

Our in-house analyst and editorial team create a range of insights for the global marketing community. These look at IT buying preferences, the latest soclal media trends and other zeitgeist topics.

images

Poll

Should companies have Bitcoins on hand in preparation for a Ransomware attack?