The healthcare sector has made great waves recently in embracing cloud based technology. Most healthcare groups now implementing secure cloud storage services to host web applications or store data which contains electronic protected health information (ePHI) pertaining to subscribers.
However, as the proliferation of secure cloud storage systems continues at pace, it does not mean data breaches will not be experienced, and neither does it ensure compliance with HIPAA. Improperly configured secure cloud storage service systems are releasing sensitive data and many groups are no conscious that this occurring.
HIPAA Compliance Not Guaranteed by Business Associate Agreement
Prior to implementing any cloud storage service system, HIPAA-covered groups must obtain a signed business associate agreement (B.A.A.) from their cloud service providers.
Obtaining a completed and signed, HIPAA-compliant business associate agreement before to the transferring of any ePHI to the cloud is a critical element of HIPAA compliance, but a BAA solely will not ensure compliance. ePHI can easily be accessed if cloud storage services are not configured properly.
As tech giant Microsoft states, “By offering a BAA, Microsoft helps support your HIPAA compliance, but using Microsoft services does not on its own achieve it. Your organization is responsible for ensuring that you have an adequate compliance program and internal processes in place, and that your particular use of Microsoft services aligns with HIPAA and the HITECH Act.”
Configure your account properly and your sensitive data will always be secure. Make any errors and sensitive data will be exposed and you could easily breach HIPAA Regulations.
Improperly Secured Cloud Storage Services
When dealing with the implementation of secure cloud storage, many HIPAA covered entities believe their cloud environments have been secured, but that is often not what is actually happening. How many businesses are leaving data accessible? According to recent findings by cloud threat defense firm RedLock, the majority of businesses have made critical mistakes that have exposed sensitive data in their cloud storage.
The report shows many HIPAA covered groups are not following established security best practices, such as using multi-factor authentication for all privileged account subscribers. As if that wasn’t bad enough, many businesses are neglecting to monitor their cloud environments which means data is being exposed and no one is aware of this.
This issue appears to be on the rise. RedLock’s last report for Q2 showed findings that 40% of businesses had improperly configured at least one of their cloud storage services – Amazon Simple Storage Service (Amazon S3) for example. A new analysis, released in its latest Cloud Security Trends Report, shows that percentage inrecreased to 53% by the time period from June to September 2017.
Key Report Findings
- 53% of HIPAA covered entities have at least one exposed cloud storage service
- 38% of users exposed private data through accessible administrative user accounts
- 81% are not managing host weaknesses and flaws in the cloud
- 37% of databases allow inbound connection requests from suspicious IP addresses
- 64% of databases are not properly encrypted to stop cyber attacks
- 45% of Center of Internet Security (CIS) compliance checks are failed
- 48% of Payment Card Industry Data Security Standard (PCI DSS) compliance checks are not passed
- 250 HIPAA covered entities were found to be releasing credentials to their cloud environments on internet-facing web servers
What HIPAA covered entities organizations must do is to make sure all accessible doors have been closed and locked. Unless these entities proactively monitor their cloud storage environments, they will be unaware there is a leak long after it can be controlled.