By Frank Krieger, Director of Compliance, iland
As industries mature, it is quite common for regulatory, compliance and frameworks to advance as well. The HIPAA Act when first conceived in 1996 did not envision a world where patient information could be stored and processed in a cloud environment. In 1996, backups were tape and servers holding ePHI were in the basement; server rooms were being built, but the internet was still just coming of age. Flash forward to 2017, HIPAA has been maturing, Business Associates Agreements (BAA) were introduced allowing for both liability and regulatory third party processing. The BAA is the lynchpin between a cloud provider and a healthcare entity; it outlines the liabilities and who owns which pieces.
Wonderful, you are now legally compliant! What remains is how to validate that compliance after the agreement has been signed? Vendor management is critical not just for ensuring that your IaaS or DRaaS solutions meet SLA’s; it’s also imperative that you ensure that data, access and other controls are and have been maintained.
Be it under ISO 27001, HITRUST CSF, ITIL, or SSAE 16/18 there is often guidance given on expectations for managing and evaluating vendors. Some are prescriptive and some are descriptive. As an example, ITIL has a wonderful interlinking system of processes, one of which is Vendor Management, although –non-prescriptive. ISO 27001 has elements of Vendor Management but they are not aligned to healthcare. How do you validate and ensure that the data you are giving to a cloud provider will be managed to the BAA? The short answer – audits.
Being in the compliance industry, I would never lightly advise someone to go out and perform an audit. Audits are evasive for the organizations under scrutiny as well as auditing entity. It means allocating staff to review documentation, policies, processes and then checking that the outputs stated are performed. It might mean traveling to the cloud providers data centers or NOC to evaluate if documentation is being executed as stated. Is all this necessary? Yes.
Your cloud provider should absolutely have no reservations with site visits and documentation review. It’s a healthy relationship for both parties as it ensures that what the healthcare provider agreed to under the BAA is executed and that HIPAA/HITRUST is being followed. For the cloud provider, it offers a customer-centric view of what risks are important and validates that the controls used and audited are aligned with the customer’s expectation. Again, isn’t this a bit more than needed? No.
HIPAA breaches are expensive and create a public release of the breach maintained by HHS that will gain attention. It’s already a very challenging time for IT within healthcare with the uptick in ransomware, managing embedded systems, the never-ending patching…it just never ends. However, one thing that is totally in your control is managing your cloud provider and ensuring they are following your rules. Vendor management will reduce your chances for breaches by ensuring that standards are met and terms are executed.
At the end of the day, don’t rely on the BAA to perform something that should be watched.
[clickToTweet tweet=”Making sense of Healthcare, Audits and the BAA” quote=”Making sense of Healthcare, Audits and the BAA” theme=”style3″]