Moving some or all of your business data to the cloud can improve your business’ efficiency and productivity while decreasing costs. However, before you do move data – especially customer data – to the cloud, you need to do your research regarding compliance.
And when you're a HIPAA-covered entity, it's even more important to consult with your cloud partner.
A good cloud provider will take this issue seriously and will work with you to be sure you’re comfortable.
Beware of “HIPAA Compliant” Products
Some companies position themselves as providing HIPAA-compliant solutions or products. There's no such thing as HIPAA in-a-box. However, a company or product can help you comply with HIPAA's regulations, but you've got to work and plan for it.
First, there are a few things for you to check and one thing to remember.
Remember this – it's your obligation to ensure you are compliant. It's your data and systems. Using a third-party cloud provider doesn't relieve you of that responsibility.
On the plus side, most cloud providers have better security than your business – they have to or they'll go out of business!
Look for vendors who have passed a HIPAA audit and can explain the steps they take to protect their customers. Also, look for a partner willing to sign a business associate agreement (Final HIPAA Omnibus Rule How it Changes Cloud Computing for Healthcare) with you. If they won't, continue looking.
Also, understand your respective responsibilities vis-à-vis the security of your content. Make sure that your IT infrastructure and networks are strong enough to prevent a data breach. If you forget to apply a patch and you are hit with a ransomware attack, that's your fault – not your partner's.
Here are three more things to consider when partnering with a cloud service, especially when they're responsible for keeping your data secure.
Access to Data
Regarding access on the customer side, the same rules apply – the same people who had access to the data when the data was stored in house will have access to that same data when the data is stored in the cloud. Roles and permissions should stay the same. Depending on your compliance rules, you will have to work with your cloud service provider(s) to ensure limited access to the servers on which your data will be stored – both employee access and ensuring that your data isn’t intermingled with that of the CSP’s other customers. Many cloud providers will be able to provide this service for you, but you need to do your homework AND be sure to document your requirements and expectations in your service level agreement.
Tip: When it comes to security and access, one commonly overlooked source of a data breach is basic password-protection (The Biggest Security Mistake? It’s Probably Not What You Think). When an employee leaves your company, be sure to change their passwords and delete their access to your data (whether in the cloud or not!). And don’t forget to de-provision access from their smart phones.
If your cloud provider is co-locating your data, be sure that the data being co-located isn’t under a regulatory compliance requirement. For instance, HIPAA data must be encrypted at rest and in motion. Whether PCI-DSS, SOX, Nevada SB-227, HIPAA, or other regulations; understand the implications and talk them over with your potential cloud provider.
And, of course, sometimes it might be more trouble than benefit to move certain data to the cloud. If that’s the case – don’t do it. Keep that data onsite and be sure you are in compliance with the proper regulations. Then, focus on the data that CAN be moved to the cloud and look for efficiencies and savings there. Wasting time forcing a square peg into a round data hole isn’t worth it.
Certifications to Look For
ISO 27001, SSAE16 (the update to the SAS 70 standard; ISAE 3402 is the international version), and the MSPAlliance’s MSP/Cloud Verify are general compliance certifications for controls around financial and information security. They are a good first step to double-check that your CSP has auditing and controls in place for their services. However, they are a starting point only and regulations, business needs, and standards all evolve at different rates. Don’t assume that because a provider has a certification that it means your search is over – security, control, etc. are all moving targets and certifications take place at a snapshot in time. Be sure your potential partner has kept up-to-date with changing certification requirements.
Data compliance in the cloud is an issue, but definitely not an issue that would prevent you from moving to the cloud – so long as you do your homework. Start by understanding these three issues in the context of your data compliance needs and you’ll be well on your way to a successful move to the cloud.
Finally, Trust Markers
How can you know if your cloud partner is trustworthy? Ask for customer referrals and talk to their existing customers. Do some investigative “sleuthing” on LinkedIn and identify some of their customers who they did NOT vet for you and reach out to them for their experience of the provider’s products and services.
Ask if they can do what they say they do.
Also look for certifications.
You will see things like SSAE 16 and wonder, “What’s that?” Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization is an auditing standard from the American Institute of Certified Public Accountants. A term you may be more familiar with is SAS 70 which was the previous term for this level of certification. From your point of view, this report shows that an organization has the appropriate controls in place and details on the effectiveness of those controls. Basically, the correct processes and procedures are in place to ensure that the facility and your information work correctly, with proper access controls, etc.
A cloud facility that follows these standards is probably a safe reservoir for your data.
With proper due diligence, cloud backup and other services can meet the most stringent compliance requirements.
If you think a cloud solution could be the right fit for you, contact us today.