Since its passage in 1996, the Health Insurance Portability and Accountability Act (HIPAA) has helped to reshape the security and efficiency of healthcare services. HIPAA contains five sections (also known as titles), each of which details specific provisions or requirements that HIPAA-covered entities must meet.
HIPAA regulations impact every facet of data protection and security, including how information is stored. If a company handles protected health information (PHI), it’s important that they are able to identify and safeguard against threats that could compromise this sensitive data.
Healthcare organizations are increasingly shifting their data storage to the cloud to facilitate better access to critical resources. HIPAA-compliant cloud storage offers several important provisions to enhance data security, such as industry-specific applications, servers, and tools.
In this article, we will detail how cloud storage can be HIPAA compliant, including the differences between public, private, and hybrid cloud solutions. We will also identify top considerations when evaluating cloud storage options for HIPAA compliance and what types of organizations must adhere to these regulations.
Who Needs HIPAA Compliant Cloud Storage?
While HIPAA rules establish important protections for PHI, this doesn’t mean that HIPAA only applies to healthcare providers. HIPAA rules identify the following as covered entities:
- Healthcare providers who transmit health information in an electronic form.
- Health plans such as health insurance companies, company insurance plans, and government programs that pay for healthcare (e.g., Medicare, Medicaid).
- Healthcare clearinghouses, which are companies that process health information received from other businesses.
In addition, any business associate that helps a covered entity facilitate its healthcare functions and activities must also comply with HIPAA. Because a business associate could be in a position to view, handle, or transmit sensitive health data, they must follow the same rules as covered entities.
Examples of business associates that are HIPAA-covered entities include the following:
- Cloud service provider (CSP)
- Data storage companies
- Claims processors
- CPA firms
- Medical transcriptionists
Why Cloud Storage is Increasingly Popular in the Healthcare Field
HIPAA’s Security Rule requires covered entities and their business associates to provide “reasonable and appropriate safeguards” to protect PHI. However, many healthcare organizations still rely on outdated legacy systems that are vulnerable to cyberattacks.
Legacy systems run on older platforms that cannot be updated with the latest security standards. Around 83% of medical devices run on outdated, unsupported operating systems. In addition, more than half of healthcare providers rely on legacy Windows 7 systems, which stopped receiving vendor support in 2020.
Rather than leveraging the latest access and privacy controls, IT teams have to piece together solutions to support patches and tools. Despite their stringent security requirements, 27% of healthcare companies exclusively leverage legacy data centers with no cloud connectivity.
This reliance on outdated technologies makes healthcare organizations a popular target for ransomware attacks. According to the Department of Health and Human Services (HHS), the healthcare sector is one of the most frequently targeted industries for ransomware groups.
For example, more than 10,000 individuals were impacted when an Ohio-based mental health clinic suffered a hacking incident. Between November 2021 and January 2022, an unauthorized individual accessed and removed files from a legacy system. The files contained highly sensitive information, such as names, treatment plans, and health insurance data.
In addition to security risks, healthcare entities are increasingly turning to the cloud to offset the costs associated with legacy systems. Up to 64% of IT budgets go to maintaining legacy systems, which makes cloud storage an easy way to reduce costs while improving data security.
Thanks to the cost savings and enhanced security offered by HIPAA-compliant cloud storage, the cloud computing market is expected to grow by $25.54 billion by 2024.
How Cloud Storage Can Be HIPAA Compliant
Not all cloud storage solutions are equally secure, and the type of cloud impacts security considerations. This is because data protection practices are a shared responsibility between the covered entity and the CSP, which is considered a business associate under HIPAA.
As you evaluate various cloud storage solutions for your organization, you need to ensure that you choose one that is HIPAA compliant. In addition to compliance requirements, you also need to determine if a particular solution aligns with your unique business needs.
There are three main types of cloud solutions:
Evaluating Public Clouds
Public clouds are available via third-party providers who deliver services to multiple organizations. Highly scalable and flexible, public clouds must be properly configured to keep data safe. Otherwise, misconfigurations can lead to compliance drift, which occurs when errors or oversights compromise data security.
A public cloud allows for lower-cost subscription-based pricing. However, this affordability is countered by a lack of cost control. Your total cost of ownership (TCO) can rise quickly due to conditions like holding duplicate or unnecessary data files. Cloud storage spending accounts for about 30% of a company’s IT budget, and redundant or unneeded data can cost you thousands of dollars in storage and management fees.
Evaluating Private Clouds
A private cloud is dedicated to the needs of a single organization. This is a single-tenancy environment, which means that the resources hosted and managed in a private cloud are not shared with other users. The increased security comes at the cost of increased maintenance requirements for the healthcare organization.
Because a private cloud is dedicated to your company’s use, it has the benefit of greater visibility and control over sensitive data. On the other hand, the nature of a private cloud means that its reliability depends on the staff, software, and hardware running it. These operating and managerial costs can greatly impact your overall cloud spend.
Evaluating Hybrid Clouds
Often, the security features available in public cloud environments are not enough to safeguard sensitive data. Private clouds, however, have additional levels of security and access controls, but are not always ideal for mobile or offsite access.
Hybrid clouds pull from the best characteristics of third-party public cloud services and on-premises private cloud models. This enables healthcare entities to base security parameters on their specific compliance requirements.
In a hybrid cloud, healthcare entities can secure PHI on an on-premises private cloud and host non-critical data on the public cloud infrastructure. According to the Cloud Index Report, more than half of healthcare organizations have increased their hybrid cloud adoption, which was the preferred choice for 83% of respondents.
Top Considerations for HIPAA Compliant Cloud Storage Solutions
HIPAA compliant cloud storage providers offer the following features and services to enhance data security:
- Business Associate Agreement (BAA). As a business associate of a covered entity, cloud storage providers must have a BAA in place with the healthcare entity. This agreement is required by HIPAA and specifies each party’s responsibilities relating to the protection of PHI.
- Strong data encryption. Encrypting data keeps it safe from unauthorized access and compromise. HIPAA requires PHI to be encrypted at rest and in transit, and unencrypted data can lead to costly noncompliance penalties if the information is compromised in a data breach.
- Long-term data retention. Each state sets its own requirements for the retention of medical records. In addition, HIPAA requires that HIPAA-related documents are maintained for at least six years, such as risk assessments, BAAs, access logs, and security system reviews, among others.
- System and Organization Controls (SOC) certification. SOC audits ensure that data storage providers have the correct controls in place to securely manage your data. If a cloud provider does not have proof of SOC 2 Type II certification, then they should be avoided.
The Importance of Secure, HIPAA Compliant Storage
Healthcare data breaches have increased sharply in 2022, in large part due to the fact that PHI is more valuable than other types of information. For example, credit cards sell for about $5 apiece on the dark web, but a medical record PDF could go for around $250.
Theft and exploitation of PHI data has costly ramifications. On average, a healthcare data breach costs around $10.1 million. If the organization is found to be at fault for violating HIPAA requirements, they could be faced with monetary penalties exceeding $1.7 million in addition to other corrective actions, as well as the costs incurred from class action lawsuits, attack investigation, and remediation.
According to HHS data, 2021 saw more data breaches than any other year since it first started publishing summaries of healthcare data breaches in 2009. The healthcare sector has also seen the highest increase in volume in cyberattacks—69% year over year. In 2021, 66% of organizations in the industry experienced a ransomware attack compared to 34% the year prior.
When it comes to evaluating cloud storage solutions for HIPAA compliance, organizations must conduct risk assessments to ensure that the solution meets HIPAA’s administrative, physical, and technical safeguards. This is why it’s important to look for service providers who will not only implement these safeguards, but who will also sign BAAs with HIPAA covered entities.
For example, Apple iCloud does not constitute a HIPAA compliant cloud storage solution because it doesn’t offer a BAA for covered entities. In cases where the provider has signed a BAA, misconfigurations can render the agreement useless. For example, if access controls and permissions are not set correctly, PHI data can be left unprotected.
How WinZip Enterprise Enhances Cloud Security
WinZip® Enterprise is a highly customizable solution that helps healthcare organizations meet the requirements of HIPAA’s data security standards. Using FIPS 140-2 validated AES encryption, WinZip Enterprise protects data at rest in the cloud and in transit between the cloud and your various devices, networks, and servers.
File-level encryption gives you additional levels of control over key security considerations, such as access controls and system monitoring. This ensures that users cannot access more than what they need for their job role and helps you identify suspicious or negligent behaviors that can leave data vulnerable to theft or tampering.
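To make the file-level encryption idea above concrete, here is an added example in Go that is not part of this article and not WinZip Enterprise's own code. It seals each record with AES-256-GCM (an authenticated mode, so tampering is detected rather than silently decrypted) and binds the record's identifier to the ciphertext as associated data, so a blob copied under a different record name fails to open. The key handling (a random key generated in main), the record identifier scheme and the sample record contents are assumptions constructed for the example; a real deployment would source the key from a managed key store.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// EncryptRecord seals one file's contents under a 32-byte AES-256 key.
// The record identifier (for example the storage path) is bound to the
// ciphertext as associated data, so the same blob will not open under a
// different name. Output layout: nonce || ciphertext || GCM tag.
func EncryptRecord(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per file; GCM must never reuse a nonce under one key.
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	sealed := aead.Seal(nil, nonce, plaintext, []byte(recordID))
	return append(nonce, sealed...), nil
}

// DecryptRecord reverses EncryptRecord. Any change to the nonce, ciphertext,
// tag or record identifier yields an authentication error rather than
// corrupted plaintext.
func DecryptRecord(key []byte, recordID string, blob []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ciphertext := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ciphertext, []byte(recordID))
}

func main() {
	// Constructed demo key; a real deployment would fetch this from a key store.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	// Constructed sample record, not real PHI.
	record := []byte("patient: Example Person; plan: sample treatment plan")
	blob, err := EncryptRecord(key, "records/0001.pdf", record)
	if err != nil {
		panic(err)
	}
	plain, err := DecryptRecord(key, "records/0001.pdf", blob)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(plain, record))

	// Simulate a stored blob being altered: the tag check rejects it.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = DecryptRecord(key, "records/0001.pdf", tampered)
	fmt.Println("tampered blob rejected:", err != nil)

	// Simulate a blob moved to a different record name: associated data mismatch.
	_, err = DecryptRecord(key, "records/0002.pdf", blob)
	fmt.Println("renamed blob rejected:", err != nil)
}
```

Because GCM authenticates the ciphertext and the associated data together, a monitoring layer can treat any `DecryptRecord` failure as a signal worth logging: it means either the stored object or its identifier was modified after encryption.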
WinZip Enterprise offers native integration with top-rated HIPAA-compliant cloud storage services, including G Suite, OneDrive, Box, and AWS. In addition, its data compression capabilities help minimize your cloud storage costs.