HIPAA is a strange beast, in that it has very few specific requirements but holds the Covered Entity and/or its business associates responsible for using best practices to secure data. If a breach occurs, an examiner will determine responsibility based on how completely the Covered Entity and its business associates followed best practices. Unfortunately, best practices are a “cultural” as well as a technical philosophy, and they evolve over time. The current set of expected best practices for Technical Safeguards of hosted applications is generally accepted to be storage encryption, external security scanning for externally visible applications, encrypted communications (HTTPS/VPN), Web Application Firewalls for externally visible applications, secure backups, and potentially IDS (intrusion detection systems). Additionally, for Administrative Safeguards, automated file system change monitoring, log file monitoring, and automated change management with approvals are best practices that ensure the application is administered securely. Certainly, a specific application may not have a vulnerability surface that requires all of them, but HIPAA requires that any decision not to follow a best practice be documented and explained as part of the security plan.
So will a certification, such as HYTRUST, help you achieve HIPAA compliance with your hosted application?
Unfortunately, if you look at what HIPAA “requires” – which is control over PHI (protected/private health information) at all stages of its management by the Covered Entity – there is no certification short of a full audit that will ensure a Covered Entity is HIPAA compliant, because every process, program, server, application, job, person, and vendor that touches the data must be compliant. Essentially, an entity’s HIPAA responsibility is tied to the amount of control the entity has, so a typical infrastructure service provider – Amazon, for example, which gives clients full control over their infrastructure – cannot take on much responsibility at all, no matter what certificate may be proffered.
Because of this, any certification of Infrastructure-as-a-Service is almost meaningless, since anything the infrastructure service provider does to ensure data safety can only be necessary, not sufficient, for compliance. Some infrastructure providers are starting to offer a certification called HYTRUST; however, from a practical standpoint, since the clients of such providers control the servers and the application, it offers no additional assurance of compliance. Instead, what ENKI has chosen to offer clients who want assurance of compliance is a full suite of automated security controls coupled with application management that complies with the HIPAA Security Rule’s best practices, including full change management. This service offering allows us to guarantee compliance – of the hosting only, of course – backed with up to $2M of liability coverage.
Since what your clients ultimately want is data security – so that HIPAA issues never come up – one of the best options for assuring them that their data is secure is the report of an external security scanning service. ENKI offers the well-respected AlertLogic scanning, which also includes intrusion detection. This satisfies the clients’ desire to know that their data is secure and their systems compliant, and, should a breach occur, the HIPAA Security Rule’s notification requirements are handled by the IDS.
For an overview of ENKI's HIPAA compliant hosting, please go to our HIPAA intro page.