We started the HIPAA discussion with a brief intro back in late 2015. Late in the following month, we continued the discussion with a deeper dive into HIPAA. Now let's test the bounds of the “P” in HIPAA by looking at HIPAA data cloud requirements!
Keep ePCR, general ePHI or any other HIPAA data secure and accessible only by authorized parties.
PHI should be secure, recoverable, and readily available. This can commonly be compared to the CIA triangle (Confidentiality, Integrity, Availability) for data.
More specifically, keep data confidential and only shown to authorized individuals, maintain data integrity and protect against unauthorized changes, and allow data to be available for authorized use.
- Uses both Hardware and software firewalls.
- Logs system events and applications.
- Maintains personnel accountability.
- Multi-factor authentication, video surveillance, building/server access logging, etc.
- Data in transit and at rest is encrypted.
- At all times.
- Maintains data redundancy and makes nightly file backups.
- Databases to be backed up, preferably mirrored with a witness.
- Rapid restore capability for both physical and virtual servers.
- Ensures backup processes are working as intended and backed up data is recoverable.
- Has an incident response and a disaster recovery plan.
- Utilizes load balancing servers to handle normal business demand.
- Has scalable, expandable infrastructure.
- As cloud provider grows and evolves, clients shouldn't bear the load.
- Has accessible server monitoring, and is able to interpret and react to data.
- Data center has multiple internet connections.
- Employs redundant power generators.
- Maintains appropriate environmental controls.
- Temperature, humidity, anti-disaster measures, etc.
- The software can only be accessed with a valid user id and password.
- These login details must be encrypted (not sent in clear text).
- Transmitted data to file storage or the central database shall be encrypted.
- Data pushed or downloaded to portable or field devices must be encrypted.
- stolen laptops, smartphones, and tablets with unencrypted data count as a breach.
- The software has assignable security groups or roles.
- Users are automatically logged off after a period of inactivity.
- This activity should be settable or at least flexible to comply with standards.
- Accounts will lock out for a period of time after a predetermined failed logon threshold.
- These settings should be settable individually.
- Software, SFTP details, email addresses, and fax numbers should be assigned in such a way to enable consistent delivery to the intended source.
- Prevent accidental record exposure.
- Hospital administrators needing access to PHI (PCR) shall only have access to patient information when the patient is admitted to their hospital.
- Given accounts to use software, granular control.
- At no time shall one client have access to another client's data.
- Prevent customers from accidentally seeing each other's data.
What other cloud requirements do you follow?