For healthcare organizations, the need to protect patient data has always been significant. The rapid adoption of digital technology in healthcare has brought greater attention to patient data protection and, with it, demand for a strong cybersecurity posture. The Health Insurance Portability and Accountability Act (HIPAA), whose Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for electronic protected health information (e-PHI), is designed and enforced to meet this need.
HIPAA audits are expected to increase this year. In recent news, an administrative law judge upheld the authority of the Office for Civil Rights (OCR) of the Department of Health and Human Services to enforce HIPAA regulations and impose fines; this is the second time a judge has ruled in OCR's favor on this question. Because HIPAA is a US federal law, knowing violations carry criminal penalties, including imprisonment, and if a breach occurs the associated civil penalties and public embarrassment could ruin a company.
The HIPAA Omnibus Rule extended the Security Rule's obligations to business associates, so that "a patient's privacy is protected, regardless of where it is being stored." For this reason, healthcare organizations subject to HIPAA may only use cloud providers that sign a Business Associate Agreement (BAA) and themselves comply with the Security Rule. Note that there is no official HIPAA certification: a provider's "HIPAA compliant" claim should be backed by its BAA and by a risk assessment and management plan addressing each of the HIPAA safeguards. 5nine Cloud Security for Hyper-V is positioned to help your organization meet the national standards established by HIPAA for protecting e-PHI created, received, used, or maintained by a covered entity.
The Three Safeguards in HIPAA Compliance
HIPAA compliance encompasses physical security policies and business processes in addition to technical safeguards. Healthcare organizations and their Business Associates need to meet these safeguards by following the OCR guidance materials on the HIPAA Security and Privacy Rules. 5nine Cloud Security helps healthcare technology companies and their business associates meet a majority of the technical HIPAA requirements. Its centralized management console simplifies the administration of security tasks and provides auditing capabilities for compliance. 5nine Cloud Security is a unified security and compliance solution designed specifically to address Hyper-V security risks using patent-pending technologies, eliminating the need to install additional expensive and resource-consuming security software.
The following table provides an overview of how 5nine Cloud Security supports the different HIPAA safeguards.
|HIPAA Safeguard|Requirement|5nine Cloud Security provides|
|---|---|---|
|Administrative Safeguards|Security Management Process. A covered entity must identify and analyze potential risks to e-PHI and implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level.|The security management process must be developed by the organization. 5nine Cloud Security can then be used to implement security for the organization's virtualized environment to protect e-PHI.|
||Security Personnel. A covered entity must designate a security official who is responsible for developing and implementing its security policies and procedures.|Not related to the product; this is an organizational requirement.|
||Information Access Management. Consistent with the Privacy Rule standard limiting uses and disclosures of PHI to the "minimum necessary," the Security Rule requires a covered entity to implement policies and procedures for authorizing access to e-PHI only when such access is appropriate based on the user's or recipient's role (role-based access).|5nine Cloud Security is a multi-tenant solution that isolates the virtualized resources under management. Organizations can segregate these resources and apply role-based access so that only designated users can perform the administrative or auditing functions of the 5nine Cloud Security solution.|
||Workforce Training and Management. A covered entity must provide for appropriate authorization and supervision of workforce members who work with e-PHI. It must train all workforce members on its security policies and procedures, and must have and apply appropriate sanctions against workforce members who violate them.|Not related to the product; this is an organizational requirement.|
||Evaluation. A covered entity must perform a periodic assessment of how well its security policies and procedures meet the requirements of the Security Rule.|Not related to the product; this is an organizational requirement.|
||Security Awareness and Training. A covered entity must implement a security awareness and training program for its workforce, including procedures for guarding against and detecting malicious software, monitoring log-in attempts, and managing passwords.|5nine Cloud Security integrates multiple antivirus engines using a centralized, host-based update mechanism; signature update checks can be scheduled as often as hourly. Log-in monitoring and password management can be covered with standard Windows Server Active Directory auditing and policy.|
|Physical Safeguards|Facility Access and Control. A covered entity must limit physical access to its facilities while ensuring that authorized access is allowed.|Not covered by 5nine Cloud Security: physical access is outside the product's scope and must be addressed by facility policy.|
||Workstation and Device Security. A covered entity must implement policies and procedures to specify proper use of and access to workstations and electronic media. It must also have policies and procedures for the transfer, removal, disposal, and re-use of electronic media, to ensure appropriate protection of e-PHI.|Not covered by 5nine Cloud Security. Refer to 45 CFR 164.310(d)(1), Device and media controls: implement policies and procedures that govern the receipt and removal of hardware and electronic media containing e-PHI into and out of a facility, and the movement of these items within the facility.|
|Technical Safeguards|Access Control. A covered entity must implement technical policies and procedures that allow only authorized persons to access e-PHI.|5nine Cloud Security uses Active Directory integrated authentication, providing access control to the solution that manages security policies for virtual infrastructure containing e-PHI.|
||Audit Controls. A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.|5nine Cloud Security tracks and reports on all access and activity within the solution, so any change to a security policy that affects e-PHI can be examined. Because it integrates with the Hyper-V virtual switch, it can also monitor and report on all inbound and outbound traffic for any VM holding e-PHI.|
||Integrity Controls. A covered entity must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be in place to confirm that e-PHI has not been improperly altered or destroyed.|5nine Cloud Security implements integrity controls for its own configuration and audit data to prevent tampering. It does not itself verify the integrity of e-PHI stored inside guest VMs; that must be covered by application- or storage-level controls.|
||Transmission Security. A covered entity must implement technical security measures that guard against unauthorized access to e-PHI being transmitted over an electronic network.|5nine Cloud Security offers a virtual firewall and an IDS based on Snort (Cisco) signatures and heuristics that detects malicious and suspicious network activity. Encryption of e-PHI in transit is not provided by the product and must be handled at the application or transport layer.|
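The Security Awareness and Training row above defers log-in monitoring to standard Windows Server Active Directory facilities. As an added example, not 5nine's code or part of the original article, the PowerShell below enables failed-logon auditing on a Windows Server and summarizes failed logons (Security event ID 4625) per account and source address. The 24-hour window, the threshold of 10 failures, and the assumption that it runs elevated on the host or domain controller whose Security log you want to inspect are all assumptions for this illustration.

```powershell
# Added example (not 5nine's code): enable failed-logon auditing and summarize
# Security event 4625 (an account failed to log on) per account and source.
# Assumes an elevated session on the server whose Security log is of interest.
# The 24-hour window and the threshold of 10 are assumed, not from the article.

# Enable success/failure auditing for the Logon subcategory. This sets local
# policy; in a domain, set the equivalent Advanced Audit Policy via GPO instead.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable | Out-Null

function Get-EventField {
    # Read a named field from the event's XML payload, so the code does not
    # depend on the positional index of each field in the rendered message.
    param([xml]$Xml, [string]$Name)
    ($Xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue   # no error if there are no events

$rows = foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Account   = "{0}\{1}" -f (Get-EventField $xml 'TargetDomainName'), (Get-EventField $xml 'TargetUserName')
        LogonType = Get-EventField $xml 'LogonType'   # 2 interactive, 3 network, 10 RDP
        Source    = Get-EventField $xml 'IpAddress'
        SubStatus = Get-EventField $xml 'SubStatus'   # 0xC000006A bad password, 0xC0000064 unknown user
    }
}

# Accounts with 10 or more failures from a single source in the window are worth a look.
$rows | Group-Object Account, Source |
    Where-Object { $_.Count -ge 10 } |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Run it as a scheduled task that writes the result to a location your security official reviews, and keep the underlying Security log forwarded to a central collector so the records survive a host compromise; the product's own audit reports cover changes made through its console, not guest or host logon activity.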
To summarize, many of the HIPAA requirements for virtual and cloud infrastructure protection can be covered by 5nine Cloud Security together with standard Microsoft Windows Server mechanisms. The remaining ones must be met through physical controls and organizational measures. 5nine Cloud Security helps healthcare providers cover a majority of the technical HIPAA requirements, providing better protection of their patients' records.
Are you interested in learning more about HIPAA compliance? Leave your comments or questions and we will be happy to provide more insight!