Cloud storage has become essential to the functioning of a modern enterprise: a 2021 Flexera report states that 92% of enterprises use a multi-cloud strategy and 80% opt for a hybrid cloud environment. Yet the intricacies of HIPAA compliance, the HITECH Act, and the specific risks of ransomware that healthcare institutions face present security teams seeking HIPAA compliant cloud storage with a steep but imperative challenge.
In this article, we’ll review the key requirements of HIPAA compliant cloud storage, the responsibilities of clients and vendors for reaching HIPAA compliance, and the best cloud services for enterprises seeking to store their healthcare data in a safe, secure, and convenient manner.
Requirements of HIPAA Compliant Cloud Storage Services
The primary requirement for working with a HIPAA compliant cloud storage service is signing a business associate agreement (BAA), which, according to the Department of Health & Human Services, “contractually requires the business associate to appropriately safeguard the ePHI [electronic Protected Health Information], including implementing the requirements of the Security Rule.”
The HIPAA Security Rule, which covers ePHI, sets baseline standards for physical, technical, and administrative safeguards and procedures for the storage of data objects as well as the reporting of security incidents. These include strict access controls, oversight of data access attempts, end-to-end data encryption, and specific audit controls.
While the responsibility for safeguarding healthcare data doesn’t rest with cloud storage services alone, the following three services give their customers the best start for storing their ePHI:
Sync.com for Teams
Sync.com offers a variety of inexpensive packages for cloud storage and file sharing that boast some of the best security features and capacity on the market, especially for the price. The service offers control over user permissions as well as oversight of user activity, on top of end-to-end encryption, 2FA, and SOC 2 Type 1 compliance. And it’s all driven by zero-knowledge encryption protocols.
Sync.com offers plans starting as low as $6 per user per month for 1TB of storage, or unlimited storage for $15 per user per month. These prices make Sync.com a great option for businesses with smaller budgets while also offering enterprise-level solutions for teams of 100+ users. The most notable downsides are the lack of a monthly billing option for the lower-tier package and complaints from some users about slow speeds.
Egnyte
User management features such as SSO and an intelligent data lifecycle management tool set Egnyte apart as another excellent cloud storage option featuring zero-knowledge encryption. While it lacks client-side encryption on cheaper plans, businesses with the budget to pay for the highest-tier package — $20 per month per user for 1TB of storage — will receive excellent security and a feature-rich file sharing service.
Some of the service’s benefits include private and collaborative storage space as well as a network drive and fully syncable local storage.
Box
Box has become an industry leader for both its security features and usability, including its long list of external app integrations. Its Box Business plan is a slightly more expensive option, but it justifies the cost with client-side encryption and 2FA for collaborators outside the organization, as well as device trust, password policy enforcement, and admin role delegation.
Client-side encryption is a premium service for Box, and it requires both a larger budget than Sync.com and at least three users – so it’s not ideal for smaller teams or smaller budgets – but for the price you get an excellent platform that’s easy to work within.
Responsibilities of Vendors and Customers for HIPAA Compliance
By signing a BAA, the healthcare entity and cloud service provider agree to the “permitted and required uses and disclosure of health information by the business associate” while also establishing the limitations and safeguards that the business associate must apply to protected data. Ultimately, healthcare entities must ensure for themselves that they follow best practices to maintain a HIPAA compliant network architecture.
Fines and settlements levied by the HHS Office of Civil Rights Management (OCR), the office responsible for HIPAA enforcement, have historically been far more frequent — and hefty — on the healthcare entity’s side. The 2009 HITECH Act increased HIPAA penalties significantly, creating a tiered structure of up to $50,000 per violation.
Compliance is a shared responsibility between the vendor and the customer, and only a strong understanding of both the healthcare entity’s data posture and the cloud service provider’s processes will provide proper protection and compliance.
How Symmetry Systems DataGuard Can Maintain and Protect Your Cloud Storage Environments
Symmetry Systems DataGuard is a modern, data-centric security solution that provides organizations with insight into all of their data, no matter where it is. Within one hour, DataGuard will give you a full understanding of your data security posture, identifying risks from excessive permissions and anomalous data flows, all without ever having your data leave your existing cloud environment.
If you need to ensure the highest standards of compliance and data security, DataGuard will help you identify where your data resides across platforms, surface potential risks, and advise on practical responses to better protect your most valuable asset. Contact us today to find out more about how DataGuard can strengthen your data security posture.