HIPAA compliance in the cloud

October 27, 2015 By Andrew Roberts

The healthcare industry and the cloud. It sounds like a match made in heaven.

Healthcare providers can instantly access a patient's medical history, contact information and insurance status from a range of different organizations via a smart, connected, cloud-based network to provide faster and more effective treatment. Plus, payment and insurance claims are made simpler and easier with all the relevant parties sharing data.

Sounds perfect - a cost-effective, central application that enables all the relevant organizations to talk to each other and share important information in real time.

However, in reality it can be a regulatory nightmare.

Health Industry Regulation

The Health Insurance Portability and Accountability Act - or HIPAA for short - regulates the storage and processing of protected health information (PHI). It is designed to ensure the security of any personally identifiable information that healthcare organizations store on patients, both in hard copy and electronically (e-PHI).

But these regulations are put in place for good reason, especially in the digital age we live in today. With all of the valuable personal information contained within a medical file, stolen healthcare records are sold for as much as $50 each on the cyber black market for the purposes of identity theft, making them around 10 times more valuable to hackers than credit card details.

I have covered the cyber risks healthcare organizations face in detail in an article I penned for Information Security Buzz, but here is a quick snapshot of the security realities healthcare providers and insurers are facing:

The healthcare industry is the biggest offender for data breaches over the past 10 years and is three times more likely to suffer a data breach than other sectors.

Medical and healthcare sectors accounted for 42.5% of all data breaches in 2014.

81% of healthcare organizations have been compromised by cyber-attacks in the past two years.

Over 100 million healthcare patients and customers have had their personal health information compromised since January 1st, 2015.

In the past 12 months, over 18 million Americans were victims of identity theft (approximately 7% of the adult population).

So, with all the cost, convenience and efficiency savings that the cloud brings to healthcare organizations, how can CSOs ensure compliance with strict industry regulations such as HIPAA and protect their customers' e-PHI whilst still providing the business benefits that CEOs and staff demand?

A Cloud Access Security Broker (CASB) like StratoKey can help answer this pressing question.

Complying with Regulation

When deployed as a CASB, StratoKey provides healthcare enterprises with a way to encrypt, protect and control the electronic personally identifiable information that they store, helping businesses to meet the strict technical guidelines outlined in the HIPAA Security Rule and keep sensitive patient data secure.

This compliance does not come at the cost of complexity, however. StratoKey is designed to integrate with any cloud or SaaS application - including many internally developed custom web applications - and not only encrypts sensitive data but also controls access to it.

Its unique approach, which combines encryption, behavioural analytics and automatically deployed defensive countermeasures into one tightly integrated layer that secures access to cloud application data, makes StratoKey a technical leader in the cloud data protection market.

StratoKey for Protection

By using StratoKey, healthcare organizations ensure that e-PHI is encrypted before it leaves their control and is delivered seamlessly to the cloud application. StratoKey utilizes flexible encryption, allowing admins to select from multiple high-strength encryption algorithms such as AES, with a choice of 128-bit or 256-bit keys.
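As an added illustration of the field-level encryption a gateway of this kind performs (example code written for this page, not StratoKey's own), the Go program below encrypts the e-PHI fields of a flat patient record before the record is handed to a cloud application and restores them on the way back. The field set, the record layout and the use of AES in GCM mode (the page names only AES and the 128-bit or 256-bit key sizes) are assumptions; the field name is bound as associated data so a ciphertext cannot be moved into another field without detection.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
)
// phiFields is the (assumed) set of record fields the gateway treats as e-PHI.
var phiFields = map[string]bool{"name": true, "ssn": true, "diagnosis": true}
// transform rewrites every e-PHI field of rec in place with fn; key is 16 or 32 bytes (AES-128/AES-256) and one failing field fails the whole record closed.
func transform(key []byte, rec map[string]string, fn func(cipher.AEAD, string, string) (string, error)) error {
	block, err := aes.NewCipher(key) // rejects any key that is not a valid AES size
	if err != nil {
		return err
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	for k, v := range rec {
		if phiFields[k] {
			if rec[k], err = fn(gcm, k, v); err != nil {
				return err
			}
		}
	}
	return nil
}
// EncryptRecord (outbound) replaces each e-PHI value with base64(nonce || ciphertext), binding the field name as AAD.
func EncryptRecord(key []byte, rec map[string]string) error {
	return transform(key, rec, func(gcm cipher.AEAD, field, v string) (string, error) {
		nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per value
		if _, err := rand.Read(nonce); err != nil {
			return "", err
		}
		ct := gcm.Seal(nonce, nonce, []byte(v), []byte(field))
		return base64.StdEncoding.EncodeToString(ct), nil
	})
}
// DecryptRecord (inbound) reverses EncryptRecord; a tampered value, moved field or wrong key is an error.
func DecryptRecord(key []byte, rec map[string]string) error {
	return transform(key, rec, func(gcm cipher.AEAD, field, v string) (string, error) {
		raw, err := base64.StdEncoding.DecodeString(v)
		if err != nil || len(raw) < gcm.NonceSize() {
			return "", errors.New("malformed ciphertext in field " + field)
		}
		pt, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], []byte(field))
		return string(pt), err
	})
}
```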

There are a number of guidelines within HIPAA that detail how an organization should secure access to sensitive customer or patient data, such as user identification, group policies and automated log-outs. These are all standard features within StratoKey, but StratoKey provides a deeper level of identity-aware authentication through the use of rigorous device profiling and user behavioural analysis to distinguish legitimate users from nefarious ones.

On top of this, StratoKey's live system monitoring and analytical engines track every action a user performs within a cloud application to provide a complete audit trail that is visible within the StratoKey User Intelligence interface.

Cloud Security Solution

StratoKey provides healthcare organizations with the tools needed to use any cloud or SaaS application, whilst assisting with HIPAA compliance. It is a flexible cloud data protection gateway and can be deployed either on-premises or in the cloud.

As a Cloud Access Security Broker, StratoKey performs a number of tasks, including user and access control, in-app encryption, live system monitoring (including audit capabilities), user behavioural analysis and the deployment of defensive countermeasures as required.

With multiple layers of security, StratoKey provides healthcare organizations with a single security platform that not only protects cloud systems against data leaks, theft and breaches but also assists with HIPAA compliance requirements.

More on StratoKey

For more information on HIPAA and how StratoKey helps organizations to meet its strict e-PHI protection requirements to ensure a secure cloud environment, please download the StratoKey HIPAA Compliance Guide.