What does it mean to be a HIPAA Compliant Datacenter?


HIPAA Compliant Datacenters

HIPAA Compliant Datacenters are an essential part of the healthcare industry. With increasing regulation and the penalties imposed by the Department of Health & Human Services (HHS) and its Office for Civil Rights (OCR) for PHI breaches, there is a growing trend of outsourcing services to Datacenter and hosting providers that specialise in the industry.

Since Datacenters directly deal with ePHI, i.e. they store, process and transmit PHI on behalf of healthcare institutions, they fall within the scope of the HIPAA regulation. The HIPAA Omnibus Rule (2013) made business associates directly liable for compliance and extended that liability to their subcontractors: any entity that creates, receives, maintains or transmits protected health information (PHI) on a covered entity's behalf is accountable for a breach that occurs on its watch.

Before the Omnibus Rule, liability rested with the covered entity rather than with the business associates that, directly or indirectly, had entered into a service agreement with it. Now, when Datacenters engage with or handle ePHI, they are required to comply with the HIPAA regulation, establish administrative, physical and technical safeguards to the same standard as the covered entity (the healthcare institution), and conduct ongoing due diligence.

The Health Insurance Portability and Accountability Act (HIPAA), through its Privacy Rule and Security Rule, sets the standard for protecting the privacy and confidentiality of electronic protected health information (ePHI) in the healthcare industry. Under the Security Rule, covered entities and business associates that store, transmit or process ePHI are required to implement the administrative, physical and technical safeguards stated in the regulation.

The purpose is to ensure that the safeguards implemented preserve the confidentiality, integrity and availability of ePHI and prevent unauthorized access to it. This article explains what a HIPAA compliant Datacenter means and the HIPAA Datacenter requirements that service providers need to adhere to.

What Does a HIPAA Compliant Datacenter Mean?

Protecting the confidentiality, integrity and availability of ePHI is the core of the HIPAA Security Rule, while the Privacy Rule governs how PHI may be used and disclosed. Since Datacenters handle ePHI, they must comply with both. They need to follow industry best practice and implement preventive security measures.

Those measures are then evaluated by auditors against the HIPAA rules and requirements. Note that HHS does not issue or recognise any HIPAA certification: "HIPAA compliant" is a claim the Datacenter makes about itself, normally backed by an independent assessment (for example a SOC 2 report with the controls mapped to the HIPAA Security Rule, or a HITRUST CSF assessment). Datacenters must meet all applicable requirements and have the necessary policies and procedures in place before making that claim, and must provide adequate security measures to protect their clients' data.

This not only secures the PHI itself but gives healthcare institutions confidence that their patients' sensitive data is well protected. To see what achieving compliance involves, let us take a closer look at the HIPAA compliance requirements for Datacenters.

What are the HIPAA Compliance Requirements for Datacenters?  

SSL Certificates & HTTPS 

All web-based access to patient PHI must be served over HTTPS with a valid certificate from a trusted CA, so that data in transit cannot be read or altered by an intermediary. "SSL" here means current TLS in practice: the SSL protocols and TLS 1.0/1.1 are deprecated, so servers should accept only TLS 1.2 or later, redirect or refuse plain HTTP, and send HSTS so browsers never fall back to HTTP.

AES Encryption

Third-party Datacenter service providers must encrypt PHI stored on their servers using the Advanced Encryption Standard (AES). Two caveats matter in practice. First, under the Security Rule encryption is an "addressable" specification, so it may be replaced by an equivalent, documented alternative; however, HHS breach notification guidance treats ePHI encrypted consistently with NIST guidance as "secured", so a lost encrypted disk or backup tape does not trigger breach notification, which is a strong reason to encrypt anyway. Second, the cipher alone is not enough: use an authenticated mode such as AES-GCM so tampering is detected, generate a fresh nonce for every record, and keep keys in a KMS or HSM, separate from the data they protect.
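As an added example (not code from the original article or from VISTA InfoSec), here is what the "encrypt PHI at rest with AES" requirement looks like in working code: AES-256-GCM from Go's standard library, with a fresh random nonce per record, the record identifier bound as additional authenticated data, and any tampering, key mismatch or misuse rejected on decrypt. The key derivation, record layout, record identifiers and the sample patient record are all constructed for this demo; a production system would fetch the data-encryption key from a KMS or HSM rather than derive it in code.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// newGCM builds an AES-256-GCM AEAD from a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptRecord seals one PHI record. The record identifier is bound as
// additional authenticated data (AAD): it is not encrypted, but a ciphertext
// moved to a different record ID fails authentication on decrypt.
// Output layout: nonce || ciphertext || 16-byte GCM tag.
func EncryptRecord(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 12 bytes, fresh and random per record
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// DecryptRecord opens a record sealed by EncryptRecord. It returns an error if
// the key, record ID, nonce, ciphertext or tag do not match.
func DecryptRecord(key []byte, recordID string, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n+gcm.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], []byte(recordID))
}

// DemoKey derives a deterministic 32-byte key for this stand-alone example only
// (hypothetical helper). In production the key comes from a KMS/HSM, never from
// the application's own source or configuration.
func DemoKey(label string) []byte {
	sum := sha256.Sum256([]byte("demo-only-key:" + label))
	return sum[:]
}

func main() {
	key := DemoKey("tenant-A")
	// Constructed sample record; not real patient data.
	record := []byte(`{"mrn":"000123","dob":"1970-01-01","dx":"E11.9"}`)

	sealed, err := EncryptRecord(key, "patient/000123", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed (%d bytes): %s...\n", len(sealed), hex.EncodeToString(sealed[:16]))

	plain, err := DecryptRecord(key, "patient/000123", sealed)
	fmt.Printf("decrypt with correct record ID: %s err=%v\n", plain, err)

	_, err = DecryptRecord(key, "patient/000999", sealed)
	fmt.Println("decrypt under another record ID:", err)

	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the tag
	_, err = DecryptRecord(key, "patient/000123", tampered)
	fmt.Println("decrypt after tampering:", err)
}
```

Binding the record identifier as AAD is what stops a "copy the encrypted blob from row A into row B" attack, which plain AES-CBC with no MAC would not catch; the random nonce is what makes two encryptions of the same record look unrelated.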

Firewalls 

A properly configured firewall, with a default-deny ruleset that permits only the protocols and sources each system actually needs, blocks cyber attackers and malicious software from reaching ePHI over the internet. Segment the systems that hold ePHI from general-purpose networks and log both denied and permitted connections so access can be audited.

Remote VPN Access 

Establishing remote VPN access controls is essential to ensure that networks and systems holding sensitive ePHI are reached from remote computers only by authorised users over an encrypted channel. Strong (ideally multi-factor) authentication and per-user access logging complete the control.

Dedicated Private IP Address 

Placing systems that hold ePHI on private, non-routable addresses and segmenting them from the publicly accessible internet reduces their exposure to unauthorized external access and malicious traffic. On its own this does not guarantee isolation: every path that bridges the two (management jump hosts, VPN concentrators, NAT rules) must itself be controlled and monitored.

Disaster Recovery Plan

The Datacenter should not only have a contingency plan for incidents and major failures but also a documented data backup and recovery plan for lost PHI or server malfunction; the Security Rule requires these as part of the contingency plan, together with emergency mode operations and periodic testing. The document must set out the procedures and protocols to be followed in the event of a security breach or incident, and restores should be rehearsed so that recovery times are known rather than assumed.

Security Awareness Training Program

A comprehensive security awareness and training programme should be established for Datacenter managers and all relevant employees who directly or indirectly handle PHI or are responsible for its security. This helps employees recognise, minimise and respond to threats.

Periodic Security & Risk Evaluation

A security risk analysis, which the Security Rule requires, must be performed periodically and whenever systems change, so that controls keep pace with evolving threats. Audits then confirm whether the security controls are actually protecting the data as intended.

Business Associate Contracts/Agreements

Have formal Business Associate Agreements (BAAs) in place that set out your responsibilities and those of the healthcare institutions you work with, including breach reporting obligations and what happens to PHI when the engagement ends.

Security Policies and Procedures

Establish appropriate security policies and procedures that guide employees and assign responsibility for implementing each security control.

Note: Which of the points above apply depends on the services the Datacenter provides. Traditionally a datacenter was a place where environmental controls were managed effectively: physical access, clean electricity, and heating, ventilation and air conditioning (HVAC). Over the years we have audited and attested multiple Datacenters against standards such as SOC 2, HIPAA, GDPR and PCI DSS, and most have moved beyond this traditional model to offer a plethora of managed services as well: backups, system administration, database management, patching, vulnerability management, access provisioning, managed firewall, managed VPN and so on. The set of controls above would mostly apply to these next-generation Datacenters. For a traditional datacenter, only the controls concerned with physical security and HVAC would be applicable under HIPAA.

Conclusion 

How HIPAA security controls are implemented varies with the applications and services in use. That said, all Datacenters handling ePHI must follow the practices set out in the HIPAA Security and Privacy Rules. Implementing these controls and requirements helps Datacenters keep pace with evolving threats to PHI accessed through the systems, facilities and networks that hold or have access to it.

Lastly, parties or entities that fail to comply with the HIPAA Rules may incur severe fines and penalties, and individuals may face criminal charges, including imprisonment, for knowingly mishandling PHI in ways that lead to a breach. Outsourcing to Datacenters is a viable option for the healthcare industry to speed up its processes, but it is important for Datacenters to understand not only how to protect sensitive PHI but also how to respond in the event of a breach or compliance failure. For these reasons we strongly recommend consulting compliance experts who can guide businesses accordingly.

Narendra Sahoo

Narendra Sahoo (PCI QPA, PCI QSA, PCI SSF ASSESSOR, CISSP, CISA, CRISC, 27001 LA) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.
