While already a challenging task for the DBA, the growing adoption of cloud-based databases is making things even more difficult. Let’s learn why.
HIPAA and Protected Health Information (PHI)
The Health Insurance Portability and Accountability Act (HIPAA) has been in effect for more than a decade, with dozens of mega-companies already paying the price for not meeting the requirements. For example, Tennessee Medical Imaging recently paid a 3 Million USD fine to settle a HIPAA breach.
HIPAA’s main goal is to safeguard patients’ health information, which is deemed to be extremely private and sensitive. This is expected to be accomplished without harming the flow of health information required to maintain high standards of healthcare and preserve optimal public health standards.
In a nutshell, HIPAA has been devised to safeguard what is known as Protected Health Information (PHI). This privacy rule essentially is meant to protect “individually identifiable health information” that is documented, stored, or shared by hospitals, insurance companies, and other related entities.
- Health Care Providers – All healthcare providers, small and big, electronically transferring PHI, are considered to be covered entities.
- Insurance Companies – Insurance companies record and transmit PHI of millions of people. Therefore, they are legally b0unded by HIPAA.
- Third Party Vendors – Any person or organization that is performing activities on behalf of a covered entity is also responsible.
Did You Know?
As per the Physicians Practice website, there were 418 reported HIPAA breaches in 2019.
Database HIPAA Compliance Best Practices
Regardless of if your database is on-premise or in the cloud, hybrid or not, there are some best practices you must implement as soon as possible.
- Least Privilege Policy – This policy essentially means that all users and third-party apps should get the least possible privileges required to get the job done. Besides being a very effective technique for achieving database HIPAA compliance, this is a great mindset for all organizations.
- Secure Coding Practices – Hackers and malicious entities are often looking for loopholes in your application. By reducing the attack surface exposure with high code integrity, your developers are basically joining the fight and helping you in your fight against the “bad guys”.
- Pen Testing – Yes. Web Application Firewalls (WAFs) are here to stay and they do help to some extent. Apply patches and update them as much as possible. But you can take it one step further by hiring pen testers to test the robustness of your database and provide first-hand analysis.
Needless to say, backing up all PHI is highly recommended. Also, you can further protect all sensitive data by encrypting it to secure it.
Database HIPAA Compliance in the Cloud
With more and more organizations are moving their development to the cloud, making sure that the selected vendor is HIPAA-compliant has become mandatory. However, contrary to popular belief, doing this alone doesn’t mean that you are safe and HIPAA-compliant automatically.
You need to understand that the cloud vendor is now gaining unlimited access to your ePHI and entering a HIPAA-compliant business associate agreement. This is essentially a binding contract commonly referred to as a BAA, created following the communication that is established between you both.
Did You Know?
In total, 34.9 million Americans had their PHI compromised last year. 30.6 million were caused by database breaches.
There are three key things you will need to make sure of if you want to create a sustainable and scalable HIPAA compliance cloud database.
1) The Business Associate Agreement (BAA)
This is arguably the weakest link when it comes to enforcing HIPAA compliance in the cloud today. The BAA is basically an officially written and legally binding agreement that lays out every side’s responsibilities, duties, and commitments when it comes to establishing database HIPAA compliance in the cloud.
The BAA should always include the following:
- Required (and allowed) PHI uses by the third-party subcontractor/s
- Written commitment to not use PHI for unspecified purposes
- A list of security measures that need to be implemented at all times
- A list of all third-party identities that will be accessing the PHI
As per the latest HIPAA regulations, business associates are directly liable and subject to civil and, in some cases, criminal penalties for making uses and disclosures of PHI in an unauthorized manner. When a breach occurs, the covered entity has to solve the problem immediately or terminate the BAA.
2) Disaster Recovery
The DBA has to make sure that he has contingency plans when HIPAA-related violations are detected or reported. A HIPAA disaster-recovery plan is extremely crucial in such cases. This plan should contain detailed procedures the various stakeholders within the organization must take when disaster strikes.
Did You Know?
As per McAfee, 93% of cloud services in Healthcare are Medium to High Risk when it comes to HIPAA compliance.
More and more cloud vendors are now offering built-in disaster recovery services that can prove to be helpful in organizations that are scaling up fast.
3) Technical Safeguards
There are three types of safeguards that a HIPAA covered entity has to take at all times today. These involve the following:
- Administrative – Under this category, cover entities must have a sound security management process to protect PHI, hire dedicated security personnel, and also implement dedicated procedures and policies to ensure authorised role/permission-based access to PHI.
- Physical – As the name suggests, security often starts with the physical securing of the perimeter. Facility access should be strictly restricted, with proper surveillance and guarding in strategic spots. Workstation, computer, and database security should also be prioritized at all times.
- Technical – Besides having traditional safe solutions like firewalls and antivirus software in place, DBAs now need to make sure that they are using access control policies to limit access to PHI. Furthermore, they are also expected to implement audit and integrity controls.
Besides taking care of the aforementioned points, you must scrutinize the cloud environment you will be working in – hosting, storage, and the server.
Embracing HIPAA with Cloud Automation
HIPAA has become very strict today due to the massive amounts of PHI that can be found on the web. The DBA can no longer ignore the importance of creating sustainable and scalable database HIPAA compliance, even after it has been migrated to the cloud. A proactive approach is of the essence.
DBAs can now use automated solutions to create a series of dynamic privacy rules to protect PHI at all times. Only stakeholders with the right passwords and privileges can access the database. These permissions can be grated, revoked, and modified just with a few clicks from a centralized dashboard.
Furthermore, automating all HIPAA tasks also makes activity recording and documenting effortless, which eventually helps you ace your HIPAA audits.