The best HIPAA-compliant cloud storage is within an infrastructure that encrypts all at-rest data across-the-board, avoiding the costs of data breaches by meeting standards and proving adherence through third-party certifications.
Settlements for the violation of healthcare privacy and security laws outlined within the Health Insurance Portability and Accountability Act of 1996 (HIPAA) were at an all-time high in 2016. A total of $22.9 million was submitted to the HIPAA enforcement agency, the Office for Civil Rights (OCR) of the federal Health and Human Services Department (HHS). The largest settlement ever under the HIPAA law, $5.55 million, was announced in August. There were 6 fines in 2016 that were $2.14 million or more. This trend continued in the new year, with a $5.5 million fine, nearly reaching the record settlement, announced in February 2017.
As you can see, HIPAA compliance is a multi-million-dollar proposition – and it is not just the fines. When you factor in reputational, legal, operational, and other expenses, the cost averages $700 per healthcare data record breached. If 5,000 records are compromised, the expense to a company will typically be about $3.5 million.
To avoid these costs, it is important to confirm that your HIPAA cloud storage meets the federal government's requirements for this technology.
HHS bottom-line needs for cloud
First know that the Cloud Computing Guidelines from the HHS state explicitly that cloud computing can be used for HIPAA compliant platforms: “[W]hile a covered entity or business associate may use cloud-based services of any configuration (public, hybrid, private, etc.), provided it enters into a BAA [(business associate agreement)] with the CSP [(cloud service provider)], the type of cloud configuration to be used may affect the risk analysis and risk management plans of all parties and the resultant provisions of the BAA.”
Along with the need for a prudent BAA, the guidance also points to the importance of the service level agreement (SLA), which should address data backup and disaster recovery; reliability and availability; limitations on use or disclosure; how data will be returned to the customer if they leave; and adherence to the required security precautions. Guidelines for the last element are found in the Security Rule (part of HIPAA Title II, the Administrative Simplification Provisions).
If you want to abide by the Security Rule and properly protect the data, the cloud platform you choose should encrypt data whether it is in-transit or at-rest. Encryption uses a standardized algorithm to encode data so that it cannot be viewed by unauthorized parties. Industry best practices support the implementation of publicly available algorithms, in conjunction with private keys. The private key decrypts the information and makes it readable. While the protection of in-transit data is also crucial to HIPAA cloud storage, this piece focuses on the treatment of at-rest data.
At-rest encryption: centerpiece of HIPAA cloud storage
With no need for anything from the customer, HIPAA compliant cloud storage automatically encrypts at-rest data. Protocols that abide by industry standards should automatically encrypt data before it is stored on the disk. Specifically, the data should be encrypted via Advanced Encryption Standard 256-bit (AES-256), which is notably the only cipher for encryption that is publicly available and can be used for the transfer of top-secret files, according to the National Security Agency (NSA).
HIPAA Compliant Encryption: Advanced Encryption Standard 256-bit (AES-256)
Before data is saved and written to the storage system, it should be broken up into pieces and spread throughout the system. That way a malicious party would need to gather all those pieces, along with applicable private keys, in order to access the data.
Only authorized users, and only during permissible times, should be able to access data; this is enforced through controls on the encryption key.
The best HIPAA compliant cloud storage encrypts with AES-256 in XTS-plain64 cipher mode, using a 512-bit key derived with the SHA-256 hash algorithm. Of the 512 bits, 256 (half) are used for each of the two keys that XTS requires: the block-cipher key and the XTS tweak key.
Beyond the encryption performed by the storage software, data should also be encrypted comprehensively at the hardware level. Strong HIPAA cloud storage again uses the NSA-approved AES-256, with a separate key specific to the hardware, to encrypt the solid state drives.
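What the 512-bit XTS key actually does, as an added Go example that is not code from the page or from Atlantic.Net: the 64-byte key is split into two AES-256 keys, the first half encrypts the data blocks and the second half only ever encrypts the sector number into the tweak, which is what "plain64" means. The names XTSKey, NewXTSKey, EncryptSector and DecryptSector are assumptions of this example, as is the random key that stands in for the page's SHA-256-derived one (that derivation step is not reproduced). It generalises to any sector size that is a whole number of 16-byte blocks; the ciphertext-stealing case for partial blocks is left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// XTSKey holds the two halves of a 512-bit AES-256-XTS key as two separate AES-256 ciphers.
type XTSKey struct {
	data  cipher.Block // first 256 bits: the block-cipher key that encrypts the data
	tweak cipher.Block // second 256 bits: the tweak key that encrypts the sector number
}

// NewXTSKey splits a 64-byte key into the two 32-byte AES-256 keys XTS needs.
func NewXTSKey(key []byte) (*XTSKey, error) {
	if len(key) != 64 {
		return nil, errors.New("AES-256-XTS needs a 512-bit (64-byte) key")
	}
	k1, err := aes.NewCipher(key[:32])
	if err != nil {
		return nil, err
	}
	k2, err := aes.NewCipher(key[32:])
	if err != nil {
		return nil, err
	}
	return &XTSKey{data: k1, tweak: k2}, nil
}

// mulAlpha multiplies the 128-bit tweak by x in GF(2^128) using the little-endian
// convention of IEEE 1619, so every 16-byte block in a sector gets a distinct tweak.
func mulAlpha(t *[16]byte) {
	var carry byte
	for i := 0; i < 16; i++ {
		next := t[i] >> 7
		t[i] = t[i]<<1 | carry
		carry = next
	}
	if carry != 0 {
		t[0] ^= 0x87
	}
}

// process encrypts (enc=true) or decrypts one sector. "plain64" means the tweak input
// is the 64-bit sector number, little-endian, zero-padded to 16 bytes. Sectors that are
// not a whole number of blocks (ciphertext stealing) are left out of this illustration.
func (k *XTSKey) process(sector uint64, in []byte, enc bool) ([]byte, error) {
	if len(in) == 0 || len(in)%aes.BlockSize != 0 {
		return nil, errors.New("sector must be a non-empty multiple of 16 bytes")
	}
	var t [16]byte
	binary.LittleEndian.PutUint64(t[:8], sector)
	k.tweak.Encrypt(t[:], t[:]) // T = AES_K2(sector number): only the tweak key touches this
	out := make([]byte, len(in))
	var blk [16]byte
	for off := 0; off < len(in); off += aes.BlockSize {
		for j := range blk {
			blk[j] = in[off+j] ^ t[j] // tweak in
		}
		if enc {
			k.data.Encrypt(blk[:], blk[:]) // only the data key touches the data
		} else {
			k.data.Decrypt(blk[:], blk[:])
		}
		for j := range blk {
			out[off+j] = blk[j] ^ t[j] // tweak out
		}
		mulAlpha(&t)
	}
	return out, nil
}

// EncryptSector and DecryptSector expose the two directions of process.
func (k *XTSKey) EncryptSector(sector uint64, pt []byte) ([]byte, error) { return k.process(sector, pt, true) }
func (k *XTSKey) DecryptSector(sector uint64, ct []byte) ([]byte, error) { return k.process(sector, ct, false) }

func main() {
	key := make([]byte, 64) // constructed: a random 512-bit key stands in for the page's sha256-derived one
	rand.Read(key)          // crypto/rand.Read never fails on supported platforms
	k, err := NewXTSKey(key)
	if err != nil {
		panic(err)
	}
	sector := make([]byte, 512)
	copy(sector, "constructed sample sector contents")
	ct, _ := k.EncryptSector(7, sector)
	pt, _ := k.DecryptSector(7, ct)
	fmt.Printf("sector 7 round-trips: %t\n", string(pt) == string(sector))
}
```

The hand-written mode is here only to make the key split visible; on a real volume dm-crypt supplies the XTS implementation and you check the parameters with its own status output. The point to take from the code is that a 256-bit key alone is rejected, and that the same plaintext written to two different sectors produces different ciphertext because the tweak half of the key binds each block to its position.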
The cloud service provider’s system should also encrypt all data for backup, both during transmission and once stored. Each backup should be encrypted with yet another set of keys for the best possible compliance solution.
Managing HIPAA encryption keys
Management of the keys is another primary concern. A key management service (KMS) that uses peer-to-peer replication should be used. The KMS is a chief concern because, at large scale, rapidly encrypting, storing, and decrypting data can otherwise become unmanageable. The KMS implemented for the best HIPAA compliant cloud storage serves as a centralized access control while providing simple monitoring and logging.
The system will typically work with data encryption keys (DEKs). These keys are created within the storage system, transmitted to the key management service for encryption using the recipient's key encryption key (KEK), and returned to the originating system for storage.
To decrypt data and make it legible, the HIPAA cloud storage platform sends the DEK to the key management service. The KMS authorizes the requesting service for that key; the key encryption key decrypts the DEK, which is sent back to the service; and the service can then use the DEK for decryption.
The keys themselves are encrypted using AES-256. The best HIPAA compliant cloud storage conducts all encrypting and decrypting within its KMS, which bolsters security while streamlining audits through organized tracking.
The key encryption key should be rotated routinely, every 3 months, and multiple sets of keys should be retained: the best HIPAA compliant cloud storage uses the active KEK for encryption and the formerly active KEK sets for decryption.
Access to the KEK sets should be at the level of each individual key, via a control list. The ability to access keys should be limited to users and services that are authenticated. All requests should be logged.
To encrypt and decrypt the KEKs, the key management service should have an overarching master key. This master key should be held only in RAM; when an instance of the KMS restarts, it should obtain the master key from a peer.
The master key is a top priority for disaster recovery. A HIPAA cloud storage provider should encrypt the key with AES-256 and keep it within a master key management system that is kept off-line in a space with numerous physical security mechanisms in place. No one should need to access the off-line system unless all instances of the KMS must be restarted at once. Physical access to the off-line KMS should be tightly restricted to just a few individuals.
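The DEK/KEK exchange this section describes, as an added Go example that is not code from the page or from Atlantic.Net: a small in-memory KMS holds the KEK versions, checks a per-key access list, logs every request whether allowed or refused, and rotates to a new active KEK while former versions stay decrypt-only; the storage side generates a DEK per record, encrypts the record with it, has the KMS wrap the DEK and keeps only the wrapped form beside the ciphertext. Every name here (KMS, Rotate, Grant, Wrap, Unwrap, sealGCM, openGCM, the "storage-svc" and "web-frontend" principals, the sample record) is an assumption of the example; the wrapping cipher is AES-256-GCM from Go's standard library, where the page names only AES-256. The off-line master key that protects the KEKs at rest is not modelled: KEKs here live only in process memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func randomKey() []byte { // a fresh 256-bit key; crypto/rand.Read never fails on supported platforms
	k := make([]byte, 32)
	rand.Read(k)
	return k
}

// aeadFor builds an AES-256-GCM AEAD; every key in this demo is 32 bytes from randomKey.
func aeadFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // reachable only with a malformed key, i.e. a programming error
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return g
}

func sealGCM(key, plaintext []byte) []byte { // AES-256-GCM, random nonce prepended to the output
	g := aeadFor(key)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, plaintext, nil)
}
func openGCM(key, blob []byte) ([]byte, error) { // reverses sealGCM; the tag check rejects a wrong key or tampering
	g := aeadFor(key)
	if len(blob) < g.NonceSize() {
		return nil, fmt.Errorf("blob too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

// KMS is one in-memory instance: KEK versions held only in RAM, an access list per KEK version, a log of every request.
type KMS struct {
	active int
	keks   map[int][]byte
	acl    map[int]map[string]bool
	Log    []string
}

// Rotate makes a new active KEK (version 1 on the first call); earlier versions stay usable for decryption only.
func (k *KMS) Rotate() {
	if k.keks == nil {
		k.keks, k.acl = map[int][]byte{}, map[int]map[string]bool{}
	}
	k.active++
	k.keks[k.active] = randomKey()
	k.acl[k.active] = map[string]bool{}
}
// Grant puts a principal on the access list of one specific KEK version.
func (k *KMS) Grant(principal string, version int) { k.acl[version][principal] = true }

// authorize logs the request and checks the per-key ACL; the KEK itself never leaves the KMS.
func (k *KMS) authorize(principal, op string, version int) ([]byte, error) {
	allowed := k.acl[version][principal]
	k.Log = append(k.Log, fmt.Sprintf("%s kek=%d principal=%s allowed=%t", op, version, principal, allowed))
	if !allowed {
		return nil, fmt.Errorf("%s: %s is not authorized for KEK %d", op, principal, version)
	}
	return k.keks[version], nil
}

// Wrap encrypts a DEK under the active KEK and returns that KEK version with the wrapped DEK.
func (k *KMS) Wrap(principal string, dek []byte) (int, []byte, error) {
	kek, err := k.authorize(principal, "wrap", k.active)
	if err != nil {
		return 0, nil, err
	}
	return k.active, sealGCM(kek, dek), nil
}

// Unwrap decrypts a wrapped DEK under whichever KEK version produced it, active or former.
func (k *KMS) Unwrap(principal string, version int, wrapped []byte) ([]byte, error) {
	kek, err := k.authorize(principal, "unwrap", version)
	if err != nil {
		return nil, err
	}
	return openGCM(kek, wrapped)
}
// main plays the storage system: fresh DEK per record, KMS wraps it, the record still reads after rotation.
func main() {
	k := &KMS{}
	k.Rotate()
	k.Grant("storage-svc", 1)
	dek := randomKey()
	ct := sealGCM(dek, []byte("constructed sample record"))
	ver, wrapped, _ := k.Wrap("storage-svc", dek)
	k.Rotate() // the quarterly rotation: KEK 1 becomes decrypt-only
	dek2, _ := k.Unwrap("storage-svc", ver, wrapped)
	pt, err := openGCM(dek2, ct)
	fmt.Println(string(pt), err, k.Log)
}
```

Running it prints the recovered record, a nil error and the two log lines (the wrap under KEK 1, then the unwrap of that same version after the rotation). Two design points carry over to a real deployment: the storage side never holds a KEK, only wrapped DEKs tagged with a KEK version, so rotating the KEK never requires re-encrypting the data; and because the ACL is keyed by KEK version, a principal can be granted the new active key without being granted the old ones, or kept on an old key for decryption only.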
Getting Started with HIPAA Cloud Storage
Do you need HIPAA cloud storage for your organization? At Atlantic.Net, we have adopted the model described above. All our HIPAA cloud hosting plans offer 100% encrypted storage, audited to meet HIPAA and HITECH, and certified to meet the SSAE 18 (SOC 1 and SOC 2) standard. See our HIPAA Cloud Hosting Prices.