Businesses that handle sensitive data requiring regulatory compliance often have computing needs which make them ideal candidates to benefit from the cloud. Medical practitioners covered under the Health Insurance Portability and Accountability Act (HIPAA ) and the Health Information Technology for Economic and Clinical Health (HITECH) Act must have confidence in the availability and security of their IT systems not just because they are required to by law, but because their delivery of critical services depends on it.
In previously discussing private cloud and public cloud hosting solutions and services, we defined cloud computing roughly as the use and storage of data and programs over the internet, enabled by virtualization, as a scalable and elastic service. Atlantic.Net’s HIPAA Compliant Cloud Hosting offering is an environment specifically engineered for HIPAA compliance within the Atlantic.Net Public or Private Cloud. It provides secure and compliant IT system access to internal, remote, and mobile employees to allow them to concentrate on delivery of services.
HIPAA compliance is based on satisfying a set of requirements, including the Privacy Rule, the Breach Notification Rule, and the Security Rule. Healthcare companies will also be concerned with the Health Information Technology for Economic and Clinical Health (HITECH) Act, which regulates the electronic transmission of health information. HIPAA compliance failures can result in jail time, and more frequently, result in fines of thousands or even millions of dollars for a covered entity (CE), such as a health care provider, health plan, or health data clearinghouse. What makes a solution HIPAA compliant is a series of plans, measures, and commitments underpinned by enhanced security features and services.
What is a HIPAA-compliant cloud?
HIPAA compliant hosting requires that a set of data security standards and capabilities be met, but does not specify certain technical means to meeting them. According to the U.S. Department of Health & Human Services, provisions in a Service Level Agreement (SLA) between a covered entity and a HIPAA-compliant cloud provider may address HIPAA concerns, including system availability and reliability, back-up and data recovery, how data will be returned to the customer after the services are terminated, security responsibility, and limitations of data use, data retention, and disclosure.
The main security features of Atlantic.Net HIPAA Cloud are its fully managed firewall solutions and advanced intrusion prevention service (IPS). An IPS provides real-time threat monitoring, based on a continually-revised threat database, which is used to identify threats within the system based on their patterns or “signatures.” The firewall controls and protects access to the perimeter of the cloud and tracks a variety of metrics, such as the response rate for network gateways. Network security professionals take care of the monitoring, updating, and other tasks necessary to the firewall and IPS’s management, removing a significant source of potential risk, frustration, and man-hours from healthcare organizations who engage our HIPAA compliant hosting services.
In addition to our fully managed firewall and IPS, Atlantic.Net also includes fully-encrypted Virtual Private Network (VPN) access to all of a business’ hosted servers. This helps satisfy the requirement that all data transmitted to a server with Protected Health Information (PHI) is sent over a secure and encrypted network.
While Atlantic.Net manages the firewall and other elements that combine to provide HIPAA compliance, customers can choose to manage their own host servers, and retain full visibility into their system or have Atlantic.Net’s expert engineers manage their servers, freeing up internal company resources to focus on core business directives.
Benefits of HIPAA Cloud
The potential for multi-million dollar fines and jail time for not implementing HIPAA/HITECH compliance makes it essential for all covered entities. The global market for IT services in support of healthcare is expected to grow from $134 billion in 2016 to $280 billion in 2021, with the majority of revenue in North America, according to MarketsandMarkets research.
HIPAA compliance delivered through Atlantic.Net’s HIPPA Cloud solutions provides all the benefits of the cloud, including availability, scalability, cost savings, access to expert engineers, along with a strong added security or compliance benefits.
As an Atlantic.Net HIPAA Cloud customer, ShareSafe Solutions provides software-as-a-service (SaaS) to healthcare companies for secure, HIPAA-compliant communication and information sharing. ShareSafe Solutions delivers integrated communication between office terminals and mobile devices through the cloud, protecting against breaches with biometric identity authentication and other technologies. The company required a robust cloud to maintain instant communication, without compromising on security. It chose Atlantic.Net for support from skilled engineers and was rewarded for that decision with swift mitigation of multiple DDoS attacks.
HIPAA-compliant, access-controlled hosting
Storing your files in a HIPAA-compliant manner requires careful consideration of the parameters of the law and the ways in which the organization is specifically adhering to its requirements for comprehensive safeguards. At Atlantic.Net, our infrastructure is fully audited and compliant with HIPAA and HITECH, as well as adherent with SSAE 18 (formerly SSAE 16) from the American Institute of Certified Public Accountants.
HIPAA Cloud Storage Requirements – HHS bottom-line needs for HIPAA compliant cloud storage
First know that the Cloud Computing Guidelines from the HHS state explicitly that cloud computing can be used for HIPAA compliant platforms: “[W]hile a covered entity or business associate may use cloud-based services of any configuration (public, hybrid, private, etc.), provided it enters into a BAA [(business associate agreement)] with the CSP [(cloud service provider)], the type of cloud configuration to be used may affect the risk analysis and risk management plans of all parties and the resultant provisions of the BAA.”
Along with its reference to the need for a prudent BAA, the HIPAA rules also point to the importance of the service level agreement (SLA) to focus on data backup and disaster recovery; reliability and availability; limitations related to use or disclosure; how data will be transferred back to the customer if they depart; and adherence to required security precautions. Guidelines for the last element are within the Security Rule (part of HIPAA Title II, the Administrative Simplification Provisions).
If you want to abide by the Security Rule and properly protect the data, the cloud platform you choose should encrypt data whether it is in-transit or at-rest.
HIPAA Compliant Encryption: Advanced Encryption Standard 256-bit (AES-256)
The HIPAA compliant cloud storage service provider’s system should also encrypt all data for backup, both during transmission and once stored. Each HIPAA compliant backup should be encrypted with yet another set of keys for the best possible compliance solution. The best HIPAA compliant cloud storage specifically approaches encryption with a 512-bit key determined with a sha256 hash algorithm delivered in XTS-plain64 cipher mode that abides by the AES-256 standard. Related to the 512 bits, 256 of them (half) are used for each of two keys (cipher and XTS).
Managing HIPAA data storage encryption keys
A key management service (KMS) should be used that utilizes peer-to-peer replication. The KMS is a chief issue because, at a large scale, it can become unmanageable to rapidly encrypt, store, and decrypt data. The KMS that is implemented for the best HIPAA compliant cloud storage serves as a centralized access control while providing simple monitoring and logging. The key encryption key should be changed routinely, every 3 months. Multiple sets of keys should be stored. The best HIPAA compliant cloud storage uses an active KEK for encryption and formerly active KEK sets for decryption. Access to the KEK sets should be at the level of each individual key, via a control list. The ability to access keys should be limited to users and services that are authenticated. All requests should be logged.
What Makes Atlantic.Net HIPAA Online Cloud Storage Your Top Choice?
Whether you need HIPAA storage scalability, geographic redundancy, reliable backup/data mirroring, or deduplication services to reduce your data footprint and costs, Atlantic.Net delivers all this plus the stability and security of working with an expert provider able to deliver advanced HIPAA storage solutions.
- We are audited and certified to be HIPAA and HITECH compliant.
- We sign Business Associate Agreements.
- We ensure high availability, high performance, scalability, flexibility, and simplistic pricing.
- We provide a full line of Managed Security Services.
- We operate a world-class data center infrastructure.
- We are tested and trusted since 1994.
- We were named as the Best HIPAA Platform Provider in 2018.
- We were awarded Best Patient Data Security Solution award in 2019.
For more information about our HIPAA Compliant Storage Solutions, please contact us today!