Moving to a cloud-based or cloud hybrid solution for your software and storage offers numerous benefits. More and more industries are adopting these options. However, if you’re in an industry that faces strict regulations and privacy concerns you may hesitate longer to make the shift. Your concerns are understandable. Healthcare and finance are two examples of industries that must navigate carefully.
Fear not, as cloud providers are taking the burden of liability and security very seriously. However, as a covered entity, you should investigate cloud solutions providers thoroughly.
The cloud service provider (CSP) becomes a legal business associate under HIPAA, once they have engaged in transmitting ePHI. Therefore, the CSP and the covered entity must enter into a HIPAA-compliant business associate agreement (BAA). The agreement puts contractual liability upon both parties to comply with HIPAA Rules.
HIPAA-covered entities can use cloud services to store and transmit ePHI. The most crucial factor to consider is the contract. Also, ensure that your chosen cloud service provider agrees to safeguard the ePHI within the agreement, which means following the Security Rule.
Both parties must conduct a risk analysis to identify security vulnerabilities and threats. It’s acceptable to use any form of the cloud: public, hybrid, or private, as long as there is an appropriate HIPAA contract in place.
It’s also wise to have a Service Level Agreement (SLA) for specific business requirements. An SLA can cover issues such as system availability and reliability, back-ups of data, security responsibility, and more. Just be sure that the terms don’t inadvertently prevent you from accessing your ePHI!
Also, just because a CSP says they are HIPAA compliant, it doesn’t make you automatically covered. The CSP must be willing to sign your Business Associate Agreements (BAA).
Although you have entered into a contractual agreement that your chosen CSP will abide by the HIPAA Rules, this isn’t a fool-proof scenario. For example, the CSP is not liable for misconduct by one of your employees or users of the cloud service; that will always fall back on you. So take steps to ensure that users of the cloud receive adequate training and act responsibly.
Consider restricting user access based on roles. Also, beyond purposeful or accidental malicious users, there is always malware lurking about the web that can somehow find a way into your cloud infrastructure.
It is perfectly fine for users to use mobile access to the CSP, and remain HIPAA compliant. It’s up to individual healthcare organizations to decide if they’d like to prohibit mobile device use in regard to cloud services and ePHI.
Keep all data be encrypted, from end-to-end, when using cloud services. This means data should be encrypted at rest and in transit, which can be a challenge for some CSPs.
Somewhat similar to HIPAA, the Financial Industry Regulatory Authority (FINRA) sets expectations, standards, and rules for handling data. Broker-dealers are certainly using cloud computing, and everything should stay within their guidelines to avoid penalty. Typically, clearing firms are required to operate within the FINRA rules as “Operations Professionals,” which has them liable for that portion of data in their cloud apps.
Responsibility of complying with FINRA goes beyond the clearing firms to third parties. Regulatory rules are still being developed surrounding FINRA and broker-dealers. It’s essential to choose a CSP that is in tune with these changes.
It would be naive to say that the financial industry has fewer hoops to jump through than healthcare, but at face value, it does appear that way. FINRA is one of AWS most important case studies. So long as you’re following FINRA and SEC rules, you’re in good company with cloud computing.
Whether you are dealing with HIPAA or FINRA, the point of contention is avoiding a data breach. Choose a CSP that has a verifiable record of the least amount of data breaches in their history.
If you’re not following FINRA and SEC rules, there are hundreds of professionally trained financial examiners busy investigating brokers and their operations. Violations can yield millions upon millions of dollars in fines for compliance failures. Not to mention permanently barring individuals from the industry.
Cloud computing has more advantages than any perceived disadvantages. First and foremost is scalability, that is, regarding using additional storage capacity without requiring investment in additional hardware.
By eliminating compact discs, USB drives, and storing data on laptops, etc., organizations can avoid a widespread vulnerability by loss or theft of these devices. Remote accessibility is another big perk to a cloud infrastructure. CSPs offer a secure remote access point for authorized individuals. Then, there’s speed! By using a CSP, the overall speed of the infrastructure will outpace any legacy system with strides by reducing latency and speeding up data access.
If you operate a business that is governed by strict regulations, don’t avoid the cloud. It’s better to switch sooner than later for improved security and speed. Work with an IT consultant and cloud services provider that knows your industry, call Emerge ITs at 859-746-1030 for compliance questions and guidance.