This week on the HIPAA Vault show. We’re excited to bring you an essential guide to securing patient data in the cloud. Join us as we delve into ‘The Ultimate Tier List of HIPAA-Compliant Cloud Security Services’.


Hello and welcome to the HIPAA Vault show where we discuss all things HIPAA compliance in the cloud. My name is Adam Zeineddine and today I’m delighted to be bringing you our tier list of central security services for web applications that deal with healthcare data. And we’re going to be going from Foundational elements all the way up to S Tier Amazing to have security services. So before we get started, please subscribe and like, and if you’re listening in podcast format then you might want to move over to YouTube for visuals. 

So with that said, let’s get started. We’re going to start with the basics and climb our way to the peak of cloud security. All right, so here’s the tier list and a little bit about the format. So you’ve got your S Tier, A, B down to C, and we’ll probably work our way up from C all the way up to S here. On the right side is whether it’s required for HIPAA under law or not. 

On the left side is not required for HIPAA, but it’s a security service and it’s recommended to use. We’re not promoting any specific products here, we’re talking about services. There are many different products that might be used for these applications, but that really depends on the use case, whether the server is Linux, windows or what kind of size environment you’ve got. But if you do have any questions following this, then feel free to reach out to us at and we’ll do our best to answer them. So starting at the C tier is going to be strong password enforcement, and strong password enforcement is actually required for HIPAA, and it’s the first line of defense against unauthorized access to the website and the underlying data there. So strong password enforcement, it’s very easy to implement and it’s required for HIPAA. So that would be our first one there. 

The next one is antivirus and anti malware. There’s many antivirus and malware products out there, great products. And while not specifically required for HIPAA, these tools are crucial in protecting against malware, which could compromise the confidentiality, integrity or availability of PHI. 

So while not specifically required for HIPAA, I’m going to move it a little bit towards this zone here, because it’s definitely recommended to have anti malware, antivirus systems running within the environment that’s hosting the application. 

Next is multi factor authentication, MFA, and that is also in B tier and it’s not required for HIPAA surprisingly. However, and if you’re not familiar with multi factor authentication it verifies user identity by adding an extra step during login, by sending a code via email, text, et cetera. And it’s crucial to verifying the user’s identity. 

So while it’s not currently required for HIPAA, it is definitely recommended, and it’s in B tier in terms of how essential it is. 

Next up, we’re actually going to go to the A tier and network segmentation. Network segmentation is also not required for HIPAA. However, network separation, separating networks into different segments can reduce the spread of a breach and limit access to sensitive data. So it’s really good to have that in place. So what that would look like is maybe you have a less critical application. You would have that hosted on a different set of servers and within a different network to the application. For example, a portal that’s capturing patient data, you’d have that hosted elsewhere with a completely different rule set and maybe more robust rule set. And that just means that if the worst case scenario happens and the main website that doesn’t have the critical data is hacked, then the hackers can’t get into any of that critical data. 

And again, it’s not required for HIPAA, surprisingly, but it is good to have. 

All right, next is data backups, and that’s going to be in the A Tier now not required for HIPAA. This is kind of an interesting one because HIPA does state that it’s essential that patient data and PhI is retained for a certain amount of time. So that needs to be taken into account. However, backups, specifically how often you take backups, is not specified. 

There’s just a mention of regular backups. So there definitely needs to be some sort of backup in place. But what tools you use for that, it’s not really specified, a preference in terms of regularity for HIPA. So that’s going to go in. 

The next one is intrusion detection and prevention. That’s also going to be in the A tier. So intrusion detection and prevention provides real time monitoring and proactive threat mitigation capabilities for the application and really useful. 

Next is managed web application firewall and that is also going to be in the A tier and not required for HIPAA, surprisingly, so you’re seeing here that there’s quite a few that aren’t specified, services that aren’t specified within HIPAA law. 

HIPAA is a very broad law, so depending on the use case, you might need a web application firewall or not. Generally, firewalls are common to find on any kind of computer. Having a managed web application firewall allows you to do things like restrict access to the application from certain geolocations. So it’s a really cool tool to have one of the most essential for security. All right, so we’ve done Tier C, B and A. Next we’re going to supreme Tier. First one in supreme tier is encryption at rest and in transit, and encryption at rest and in transit is required for HIPAA. 

And it basically makes sure that data is stored securely. So when the computer is switched off, it’s encrypted at rest, and then it also protects data as it moves between systems from your servers and outbound, and data coming in as well. So it’s fundamental for data transfer security. It’s required for HIPAA, and we’re putting it in our S tier. 

Next is access control management also required for HIPAA? And again, this isn’t a specific product, it’s more of a concept, access control management, having the right access control policies and tools in place to control access to the patient data, and for example, if you’re using Google Cloud, Google Cloud’s IAM identity access manager there’s also access control that could be put in place using password managers, sharing certain credentials with certain users. And generally this fits into the overarching security policy of least privilege and zero trust so is required for HIPAA and is in the S tier. Next is vulnerability scanning and management, also required for HIPAA, and it’s in the S Tier. And this essentially regularly identifies and manages system vulnerabilities to prevent potential exploits. So it scans the systems to alert if the softwares are running a little bit older, need to be updated. And this is essential for HIPAA there because vulnerabilities can occur with older versions of software. So it’s required for HIPAA.

And then finally SIEM, not required for HIPAA. If you Google SIeM tools, you’ll find a host of them, depending on which cloud you’re hosting the application in as well. They’ll probably have their own native SCIM tool. SEIM stands for security information and event management, and it provides comprehensive security management for monitoring and analyzing security events, and it’s crucial for threat detection and response, and there’s even a newer term, and that’s Soar. And SOAR stands for security orchestration, automation and recovery. The cybersecurity field is ever evolving, and SOAR is a fairly recent term, and Soar kind of alludes to a more broader SIEM, and it includes things like access to databases, where if a security vulnerability is detected, there’ll be databases on the website to see what the best practices are in order to remediate against that vulnerability and next steps there. 

IT nowadays includes AI tools that allow you to set up automation where it’ll automatically fix a vulnerability that’s detected so SOAR is also in there with SIEM. Typically we see this not being used for smaller entry level kind of applications. But as the application scales and you have a lot more servers, a lot more resources to protect SIEM tools for your security operations team to be able to effectively manage the security on the website so not required for HIPAA, but we love it. 

Great well so there is a list of essential security services. 

The list is non exhaustive, so there could well be some that we missed out there. If there’s any you can think of, let us know in the comments below. Understanding this tier list helps in building a robust, layered approach to cloud security. So from crucial to supreme, each tier plays its part in ensuring HIPAA compliance and the safety of patient data, ultimately. 

For more detailed insights, and don’t forget to subscribe for more tech Cloud HIPAA Insights Stay informed and compliant.