HIPAA, the Health Insurance Portability and Accountability Act, is a US law that requires entities handling patients’ Protected Health Information (PHI) to safeguard it. The need is real: ransomware attacks on healthcare rose sharply, up 94% from 2020 to 2021. A persistent shortfall in security tooling, combined with large concentrations of PHI, makes the healthcare sector an attractive target for malware and data breaches. To protect PHI from unauthorized access, use, disclosure, or destruction, HIPAA defines physical, technical, and administrative safeguards. It also requires covered entities to keep a backup and recovery capability in place. Because a backup solution reads and stores that PHI, the backup itself must be HIPAA compliant. What belongs on the must-have list? Below are 5 checks, drawn from HIPAA’s physical, technical, and administrative safeguards and from its Privacy Rule and Security Rule: redundancy, encryption, auditability and immutability, authentication and access, and finally data recovery.
What is HIPAA? Does it Apply to Your Organization?
HIPAA is a US federal law that sets standards for how sensitive patient data must be protected. Its Privacy and Security Rules exist because the healthcare sector, which handles “lucrative” PHI, is a prime breach target: compromised patient data feeds identity theft, insurance fraud, and other financial crimes.
HIPAA applies to every organization that handles protected health information (PHI). The covered entities defined in the HIPAA rules are:
- Healthcare Providers, such as hospitals, hospices, clinics, nursing homes, pharmacies, doctors, dentists, and chiropractors.
- Health Plans, including company health plans, health insurance companies, HMOs, and government health programs.
- Healthcare Clearinghouses, which convert health information between standard and non-standard formats (billing services, for example).
Business associates, the vendors that create, receive, maintain, or transmit PHI on a covered entity’s behalf (a cloud backup provider is the textbook case), are not themselves covered entities, but the Security Rule applies to them directly and a Business Associate Agreement (BAA) must be in place before they touch PHI.
As part of this, HIPAA mandates that healthcare organizations have robust backup and disaster recovery plans in place to ensure patient data remains accessible in the event of an incident. However, the onus is on you to ensure that your cloud backup is HIPAA compliant.
5 Checks For HIPAA-Compliant Cloud Backup
Check #1 Redundancy: HIPAA Compliant Cloud Backup
“Physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion” (the Security Rule’s definition of physical safeguards, 45 CFR 164.304)
This is where Check #1, Redundancy, comes in. It is a key component of HIPAA compliance for backup and disaster recovery. Organizations must maintain multiple copies of their data on different media and in secure locations so that they can recover quickly after a disaster. Redundancy also ensures that if one copy of the data is corrupted or lost, another copy exists elsewhere, and it limits the damage from human error such as an accidental deletion.
HIPAA-compliant cloud backup should follow the 3-2-1 backup rule: keep 3 copies of the data on 2 different types of media, with 1 copy stored off-site. This redundancy helps ensure patient data stays accessible even if one copy is lost or corrupted, and it is a best practice for breach, malware, and ransomware recovery because duplicates in separate places make it far less likely that every copy is destroyed or damaged in a single attack. One caveat a practitioner should add: the off-site copy must be isolated from the production credentials (offline, or in immutable storage reached through its own access path); otherwise ransomware that steals an administrator’s credentials can encrypt or delete all three copies at once.
Check #2 Encryption: HIPAA-Compliant Cloud Backup
“Implement a mechanism to encrypt and decrypt electronic protected health information.” (45 CFR 164.312(a)(2)(iv), an addressable implementation specification of the access control standard)
Security measures must be applied when storing PHI, including encryption both at rest and in transit. Encryption protects confidential information from unauthorized access by transforming it so that only holders of the correct key can read it. HIPAA does not name an algorithm; it points to NIST guidance, and in practice AES with a 256-bit key (AES-256) is the accepted standard for data at rest and is what your backup provider should be using. For data in transit, require TLS (current versions, not legacy SSL) on every connection between your tenant, the backup service, and its storage. Two details decide whether the encryption is actually worth anything: where the keys live (they should be held in a key management service whose access is separated from the backup storage, so that a stolen storage credential alone exposes nothing), and whether the mode is authenticated (for example AES-GCM), so that a modified backup object is rejected rather than silently restored.
Check #3 Auditability & Immutability: HIPAA-Compliant Cloud Backup
“Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.” (the audit controls standard, 45 CFR 164.312(b))
HIPAA-compliant documentation is also essential for backup and disaster recovery. Organizations must document all backup procedures and who has access to the backed-up data. Backups must also have complete audit trails so that organizations can track who accessed the data and when; note that an audit trail detects tampering after the fact, it does not prevent it, which is why it is paired with immutability below. Documentation matters for disaster recovery too, since it lets organizations recover their systems and data quickly in an emergency. Finally, confirm that your cloud backup provider will sign a Business Associate Agreement (BAA).
Immutable backups are the practical way to satisfy the integrity requirement. Immutable here means write-once: once written, a backup object cannot be modified or deleted until its retention period expires, by anyone, including an administrator whose credentials have been stolen. This is what stops an attacker from tampering with backup files and the PHI inside them, or from deleting the backups before detonating ransomware. When a provider advertises immutability, ask whether it is enforced by the storage layer (object-lock style retention) rather than only by an application-level permission that a compromised admin account could switch off.
Finally, HIPAA also requires regular “Testing and Revision Procedures” (45 CFR 164.308(a)(7)(ii)(D)), so test your backups regularly. A backup is only tested when a restore has actually been performed and the restored data verified against the source.
Check #4 Authentication & Access: HIPAA-Compliant Cloud Backup
“Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner” (the integrity standard, 45 CFR 164.312(c)(2); the access control standard itself is 164.312(a)(1))
An important part of HIPAA compliance is authentication and access control. Organizations must ensure that only authorized personnel can access PHI, whether through the application, an API, or a restored copy. Your backup solution should enforce multi-factor authentication (MFA/2FA) so that a stolen password alone does not grant access. It should also offer granular, role-based access control so that everyone has only the level of access needed for their job; in particular, the ability to restore, export, or delete backups should be separated from the ability to read them, and deletion should require more than one person or be blocked by a retention hold. Access logs should be kept for all PHI backups so that you can easily track who accessed which files and when.
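The encryption-at-rest requirement in Check #2 and the integrity requirement quoted above are two halves of one mechanism when an authenticated cipher is used. The following is an added example, not CloudAlly’s code or any vendor’s storage format: it seals a backup record with AES-256-GCM, binds the record to its storage key as associated data, and shows that a flipped byte, a swapped storage key, or a wrong key all cause the pre-restore check to reject the object instead of returning altered PHI. The key derivation, object layout, storage key names, and the sample record are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Assumed sealed-object layout (illustrative, not any vendor's format):
//   nonce (12 bytes) || AES-256-GCM ciphertext || 16-byte authentication tag
// The object's storage key (e.g. "backups/P-0001/2024-01-01.json") is bound as
// associated data, so a valid object copied under a different key fails to open.

// deriveKey stands in for a data key fetched from a KMS/HSM; hashing a secret
// only serves to produce the 32 bytes AES-256 needs in this stand-alone example.
func deriveKey(secret []byte) []byte {
	k := sha256.Sum256(secret)
	return k[:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one backup record at rest and binds it to its storage key.
func Seal(key []byte, objectKey string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh random nonce per object
		return nil, err
	}
	// Output is nonce || ciphertext || tag; objectKey is authenticated, not encrypted.
	return gcm.Seal(nonce, nonce, plaintext, []byte(objectKey)), nil
}

// Open decrypts a sealed record. Any change to nonce, ciphertext, tag or
// storage key makes the GCM tag check fail, and no plaintext is returned.
func Open(key []byte, objectKey string, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed object too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(objectKey))
	if err != nil {
		return nil, fmt.Errorf("integrity check failed for %q: %w", objectKey, err)
	}
	return pt, nil
}

// VerifyBeforeRestore is the pre-restore gate: true only if the object
// decrypts and authenticates under the expected storage key.
func VerifyBeforeRestore(key []byte, objectKey string, sealed []byte) bool {
	_, err := Open(key, objectKey, sealed)
	return err == nil
}

func main() {
	key := deriveKey([]byte("demo-secret-not-for-production")) // constructed, not a real key
	objectKey := "backups/P-0001/2024-01-01.json"
	record := []byte(`{"patient_id":"P-0001","note":"constructed sample ePHI"}`)

	sealed, err := Seal(key, objectKey, record)
	if err != nil {
		panic(err)
	}
	fmt.Println("round trip ok:", VerifyBeforeRestore(key, objectKey, sealed))

	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)/2] ^= 0x01 // flip one bit inside the ciphertext
	fmt.Println("tampered object accepted:", VerifyBeforeRestore(key, objectKey, tampered))

	fmt.Println("object moved to another key accepted:",
		VerifyBeforeRestore(key, "backups/P-0002/2024-01-01.json", sealed))
}
```

The point of binding the storage key as associated data is that an attacker with write access to the bucket cannot satisfy a restore by substituting a different, validly encrypted object; and because GCM refuses to return any plaintext on tag failure, the restore pipeline never sees altered ePHI. In a real deployment the key would come from a KMS with access separated from the storage credentials, as discussed under Check #2.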
Check #5 Recovery: HIPAA-Compliant Cloud Backup
“Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.” (the data backup plan specification, 45 CFR 164.308(a)(7)(ii)(A))
Finally, organizations must have a solid backup and recovery plan in place so that they can recover their systems and data quickly in an emergency. All ePHI must be comprehensively and securely backed up and restorable. Look for a backup solution that offers point-in-time recovery with retention long enough to cover your longest plausible detection delay, so that PHI can be restored from a snapshot taken before the corruption or ransomware event. Define the recovery time objective (RTO) and recovery point objective (RPO) you need, and test that the solution actually meets them.
In today’s business world, data is everything. From customer information to financial records, losing data can be devastating for a company, which is why a robust and secure backup system matters. Ideally, look for a backup solution that offers a 99.9% availability SLA and unlimited point-in-time recovery, and remember that an SLA covers the service being reachable, not the speed or completeness of a restore, so verify those with your own restore drills. With the right backup solution in place you can recover quickly from a disaster or system failure.
Overall, complying with HIPAA’s backup and disaster recovery requirements helps to ensure patient data remains confidential and accessible, even in the event of an incident.
Penalties for Non-Compliance with HIPAA
One of the main purposes of the Health Insurance Portability and Accountability Act (HIPAA) is to protect the privacy of patients’ health information. HIPAA regulates how this information can be used, disclosed, and stored by covered entities, which include healthcare providers, insurers, and other organizations that handle health information. When covered entities fail to comply with HIPAA regulations, they can be subject to civil and criminal penalties. Civil penalties are tiered by culpability, from $100 to $50,000 per violation at the base figures (adjusted for inflation each year), with an annual cap of $1.5 million (also inflation-adjusted) for violations of an identical provision. Criminal penalties can include fines of up to $250,000 and imprisonment of up to 10 years, the top tier applying to offenses committed with intent to sell PHI or use it for commercial advantage, personal gain, or malicious harm. In addition, the Department of Justice (DOJ) can bring charges against covered entities under the False Claims Act or other laws. As these penalties illustrate, covered entities must take concrete steps to ensure compliance with HIPAA regulations.
Secure All Your ePHI With HIPAA-Compliant CloudAlly Backup
CloudAlly’s HIPAA-compliant backup for healthcare ticks all the above checkboxes:
- Redundancy: With CloudAlly backup, apart from your ePHI on the SaaS platform, you have a backup on Amazon S3 and another on Glacier. This adheres to the 3-2-1 rule for full data backup redundancy.
- Encryption: We understand how important data security is to our customers, which is why we use only well-established encryption methods. All of our data is stored using Amazon S3’s immutable storage option and encrypted with AES-256. In addition, all end-user sessions with CloudAlly use TLS for protection in transit. Lastly, our servers are well-protected and kept up to date with the latest security patches.
- Auditability & Immutability: CloudAlly backup includes an exhaustive Security and Audit log in which all access to the backups is tracked. We also offer S3 Object Lock, which provides an additional layer of protection for your sensitive data by keeping records in a non-rewritable and non-erasable format that meets stringent data regulations. We also provide a Business Associate Agreement (BAA) on request.
- Authentication & Access: CloudAlly backup provides an option for mandatory Two-Factor Authentication (2FA). We also support SAML authentication via Okta, in addition to OAuth, for secure authentication. We provide robust password protection along with vulnerability and patch management. The customer has full control of the data, with admin-controlled backups and no data retention after deletion.
- Recovery: CloudAlly provides a high level of storage and security for businesses of any size. With unlimited retention and point-in-time recovery, you can rest assured that your data is always safe and recoverable.