tips for securing ephi in the cloud
Posted on 15-Jan-2015

When it comes to entrusting your electronic protected health information (ePHI) to a third-party cloud services provider (CSP), security is arguably the biggest concern. Many factors must be weighed when looking for qualified providers you can work with and who want to work with you. Here are ten considerations.

1. Under the HIPAA Security Rule, covered entities are required to have three plans for recovering access to ePHI should the organization experience an emergency or a disruption of critical business operations: a data backup plan, a disaster recovery plan and an emergency mode operation plan. Evaluate CSPs for the depth of their service capabilities and commitments in each of these areas.

2. The three plans must accurately reflect the procedures the organization actually uses. They must be updated as procedures change in order to remain relevant and accurate, and any changes the storage provider makes must also be reflected in them.

3. Even if a CSP offers top-notch cloud security, it is not necessarily HIPAA compliant. Look for providers that claim HIPAA compliance and have them prove it: ask for their audit documentation.

4. A willingness to sign a Business Associate Agreement (BAA) is table stakes for any CSP worth doing business with, so make sure the one you are considering will do so.

5. The HIPAA Security Rule requires CSPs and other third-party providers classified as business associates to have a framework in place to comply with HIPAA requirements. It is up to you to verify that this is the case, so get documentation from any CSP you work with that outlines this framework.

6. It may seem unnecessary to ask a vendor to back up your data in its cloud, but do not be lulled into complacency. Discuss retention policies and backup methods up front with prospective CSPs. They should be able to meet your organization's requirements and any regulatory requirements.

7. Any CSP you work with must be able to tell you precisely where your ePHI is physically stored. A provider that cannot pinpoint data location cannot support your risk analysis, and storage outside the U.S. raises jurisdiction and enforcement questions that you need to settle before signing. Know what HIPAA requires in this regard, and make sure the CSP can meet it.

8. Dig into a vendor's policy on, and attitude toward, data ownership and access. This can be crucial for protecting your organization if your provider runs into business issues down the road.

9. HIPAA requires that you audit access and attempted access to your data. Work with your provider to ensure that the hardware, software and/or procedural mechanisms that record and examine ePHI-related activity are actually implemented.

10. Accurately document the data backup methodology you use and be certain that it fulfills the HIPAA requirement to create and maintain retrievable exact copies of ePHI.

If you are wondering which service provider has one of the industry's most comprehensive compliance programs for infrastructure, cloud and managed services, look no further than Peak 10 - in it with you, today and tomorrow.
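Tip 10 asks you to be certain that your backup methodology yields retrievable exact copies of ePHI. A provider's assurance is not evidence of that; a test restore compared against a manifest taken at backup time is. The following is an added example, not code from the original Peak 10 deck: it hashes every file under the source tree with SHA-256, keeps the manifest in JSON so it can be stored beside the backup, and compares a restored directory against it, reporting files that are missing (data loss), mismatched (corruption or tampering) or extra (not an exact copy). The directory layout, file names and file contents are constructed for illustration and contain no real ePHI.

```python
"""Check that a restored backup is an exact copy of the ePHI it was taken from.

Added example (not part of the original slide deck). Assumes the backup can be
restored into a local directory; the sample files below are constructed.
"""
from __future__ import annotations

import hashlib
import json
import shutil
import tempfile
from pathlib import Path

# Constructed sample tree: file names and contents are made up for the demo.
SAMPLE_FILES = {
    "patients/12345.json": b'{"mrn": "12345", "dx": "E11.9"}\n',
    "labs/2015-01-14.csv": b"mrn,test,result\n12345,A1C,7.2\n",
    "notes/visit-0001.txt": b"Constructed sample note; not real ePHI.\n",
}


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large ePHI files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each regular file under root (relative POSIX path) to its SHA-256.

    Symlinks are skipped on purpose: following them could pull in data from
    outside the ePHI tree, and they should be reviewed rather than hashed.
    """
    manifest: dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def verify_restore(manifest: dict[str, str], restored_root: Path) -> dict:
    """Compare a restored directory with the manifest taken at backup time.

    missing    - in the manifest but absent from the restore (data loss)
    mismatched - present but with a different hash (corruption or tampering)
    extra      - present in the restore but not in the manifest
    """
    restored = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(restored))
    extra = sorted(set(restored) - set(manifest))
    mismatched = sorted(
        name for name in set(manifest) & set(restored)
        if manifest[name] != restored[name]
    )
    return {
        "ok": not (missing or extra or mismatched),
        "checked": len(manifest),
        "missing": missing,
        "mismatched": mismatched,
        "extra": extra,
    }


def populate(root: Path, files: dict[str, bytes]) -> None:
    """Write the constructed sample files under root."""
    for rel, data in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def run_demo() -> tuple[dict, dict]:
    """Build a source tree, take a manifest, then verify a clean and a damaged restore."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        source = base / "source"
        populate(source, SAMPLE_FILES)

        # Round-trip the manifest through JSON, as you would store it with the backup.
        manifest_path = base / "manifest.json"
        manifest_path.write_text(json.dumps(build_manifest(source), indent=2))
        manifest = json.loads(manifest_path.read_text())

        good = base / "restore_good"           # faithful restore
        shutil.copytree(source, good)
        clean = verify_restore(manifest, good)

        bad = base / "restore_bad"             # one file altered, one lost, one stray
        shutil.copytree(source, bad)
        (bad / "patients/12345.json").write_bytes(b'{"mrn": "12345", "dx": "E11.8"}\n')
        (bad / "labs/2015-01-14.csv").unlink()
        (bad / "notes/stray.tmp").write_bytes(b"")
        tampered = verify_restore(manifest, bad)
        return clean, tampered


if __name__ == "__main__":
    clean_report, tampered_report = run_demo()
    print(json.dumps({"clean": clean_report, "tampered": tampered_report}, indent=2))
```

Run the manifest step against the live ePHI tree at backup time and keep the manifest outside the provider's control; a manifest stored only in the same cloud account as the backup can be lost or altered together with it. Any non-empty missing or mismatched list is a finding to raise with the CSP under the backup and disaster recovery plans from tip 1.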