HIPAA Compliant Cloud Storage Explained
By Stephen Trout

In 1980s Canada, the infamous “tainted blood scandal” led to thousands of unsuspecting transfusion recipients being exposed to HIV and hepatitis C.

Inadequate screening of stored blood produced the largest, most preventable health disaster in Canada’s history.

Like blood in a body, the quality and storage of data in your organization can make all the difference.

A transfusion of good data can vastly improve decision-making, and lead to flourishing. “Tainted” or corrupted data will likely lead to poor business decisions, and a failure to thrive.

For healthcare, the stakes are even higher: the quality or integrity of patient data your doctor receives can directly impact your health. How that data is “screened,” stored, and made available, therefore, makes all the difference.


What’s at stake? 

Since paper health records from yesteryear have mostly gone digital – kept in the cloud – storage concerns have drastically changed. 

And yet, just as your doctor’s old filing cabinet was liable to destruction (largely from theft, flood, or fire), digital data has its own set of enemies: unscrupulous actors who steal or ransom PHI; IT systems that can be faulty – even internal “hackers” with malicious intent.

Today, quality patient data rests no longer on the strength of a file cabinet, but on truly HIPAA-compliant cloud storage to preserve it.  

Meanwhile, threats to health data continue to evolve. (We’ve detailed some of the alarming new ways this can happen). It’s incumbent on healthcare and cloud providers to keep pace.

If cloud storage fails to maintain the “3 pillars of data security” – confidentiality, integrity, and availability – it can mean the collapse of your practice. Ultimately, it’s patients who will suffer from a lack of care. 


How Cloud Storage Works  

If you’re a health provider, you may have wondered how reliable cloud storage can be attained.  Deriving an answer begins with learning how cloud storage itself works.

First, in contrast to the traditional, on-premise “server room” – located somewhere on your campus and maintained by members of your IT team – cloud storage involves remote servers.

These servers are housed in off-site, protected data centers, typically operated by a third party, or cloud service provider (CSP). 

The primary responsibility for hosting your data, managing the equipment and essential infrastructure, and securing the data is then largely in the CSP’s hands.

They sign a written pledge (a BAA) to meet your uptime guarantees (somewhere close to 99.99%), and through a secure internet connection, keep your data flowing freely to and from the protected data center.  

Among its many advantages, cost is a primary cloud benefit. You save in:

  • capital equipment and maintenance expenditures
  • physical footprint, and 
  • IT staff and oversight 

These alone can add up to significant savings, and less concern. 

Related to this, the ability to scale your applications and environments up or down – seamlessly and efficiently, without adding or removing physical resources – is a primary benefit of the cloud as well.   


State-of-the-Art Storage

Just as the days of bare-metal file cabinets for protected health information (PHI) are largely gone, so too are the IT rooms full of bare-metal servers for your environment(s). 

Today, many virtual machines (or VMs) can live on one server – a far more efficient use of resources. 

So the process of cloud storage essentially goes like this: health practitioners receive patient data from their in-person examinations, intake forms, or web portals.

They create a digital patient file on their tablet, phone, or computer, and then upload it to the server which is housed in a state-of-the-art data center. The data is then saved on the VM. 

Since CSPs (like Google) have a vast network of data centers, latency (the time it takes for data to pass from one point to another) can generally be improved by using a data center in a closer geographic region.

These data centers are state-of-the-art, each with multiple rings or layers of physical security: locked gates, barriers, guards, cameras, access controls, and more.  

Inside, the data is stored according to the requested storage type: 

  • Object storage is available for unstructured data, and is typically the cheapest storage option.
  • File storage is used for directories, folders, and data repositories.
  • Block storage is ideal for large volumes of data requiring low latency (such as high-performance databases). Typically, block storage is the most expensive type.

Additionally, tools like load-balancers and added VMs can easily be “spun up” as demand requires. In this way, performance lag is prevented while achieving optimal efficiency and cost. 

Finally, when you, the provider, need to retrieve the stored data (often referred to as “hot data,” which is accessed regularly), it can be received quickly, through a browser on an office computer or tablet, or an app on your phone via an application programming interface (API).


Cloud Storage Advantages

As noted, this amazing technology has numerous advantages. Let’s summarize the primary ones here:

  • Time

Nearly instantaneous data retrieval – from almost anywhere in the world – aids fast healthcare treatments and can save lives, especially in times of emergency. 

  • Cost 

As mentioned, healthcare organizations save on capital equipment maintenance and upgrades, data centers, and energy consumption; IT resources can be redirected to operational/business concerns. 

The cloud’s ability to scale up or down (elasticity) based on storage needs also makes for a more cost-efficient environment.

  • Flexibility

Organizations have more flexibility and cost-efficiency in how they choose to store data in the cloud. They may choose object storage for unstructured data, file storage (for directories, folders, and data repositories), or block storage, which is ideal for large volumes of data requiring low latency (such as high-performance databases). Typically, object storage offers a more cost-effective option than block storage.

  • Security

It’s true – some cloud providers can actually provide better security than on-premise server systems. Google, for instance, with its massive global system built to repel countless numbers of attacks each minute, has invested in security far beyond what could be achieved by most enterprises. 

This includes world-class data centers, and a “by-design, zero-trust” architecture with built-in security at the software and application levels (including identity and access management, and data encryption – HIPAA requirements).

  • Redundancy

Trusted failover systems are especially key for preserving business continuity, and some clouds excel in providing it. The replication of data across servers to multiple geographic regions is ideal for HIPAA since disaster recovery (earthquakes, fires, floods) is a HIPAA requirement and is needed to preserve the availability of data for patient care. 


Various cloud models for storage 

Today, cloud storage is available to customers in various models, according to need. While some top-secret facilities, for example, might invest in their own private data centers and cloud, the typical models are:

Public Cloud

Public Cloud providers like Google, AWS, and Microsoft Azure provide state-of-the-art data centers for their customers’ data storage needs, and the fees vary according to usage.

These clouds are highly “elastic,” scaling to adjust to your organization’s changing needs. 

Since the physical servers are managed by the provider, your company saves on equipment and maintenance costs. 

Hybrid Cloud

Some companies opt for a mixture of private and public cloud storage, based on what their security and compliance requirements dictate. 

A more stringent, private cloud is chosen for certain kinds of sensitive data, while the remainder of their data is stored in the public cloud, with its inherent benefits.  

Multicloud

Another version of dividing data among clouds is multicloud, or utilizing multiple cloud providers for the benefit of each.

This is a flexible approach, with service level agreements dictating the need; for example, one cloud may be dedicated to a specified, geographic location and assigned to a designated team; another may be chosen to leverage that particular cloud’s apps, which may be proprietary. 


A HIPAA-Compliant Public Cloud? 

It’s understandable to have questions about public cloud storage for healthcare since HIPAA puts an appropriate focus on questions of control, privacy, and security. 

Providers tend to ask, “Can I really entrust my data to a cloud service provider whose data centers and servers are not directly under my watchful eye, and immediately proximate to my healthcare practice? In addition, what about issues of logging, backups, and archiving – all key components of a HIPAA-compliant cloud?”  

The question of whether the cloud provider is willing to sign a Business Associate Agreement, or BAA (a written pledge detailing their part in protecting your data), is also a critical question.

Google and HIPAA Compliance

Since HIPAA Vault is a Managed Security Service Provider (MSSP) and a trusted Google Cloud partner, we can speak directly to concerns over HIPAA compliance as it relates to the proven solutions we’ve built on the Google Cloud Platform (GCP). 

The good news is, GCP ensures enterprise security certifications and regular audits for FedRAMP cloud, SSAE16, ISO 27017, ISO 27018, PCI, and HIPAA compliance. 

Think of what you’ve got in your corner: Google maintains a world-class internal audit team for compliance, security, and ongoing review of global regulations. 

Before and after a product launch, a privacy team oversees automated processes that audit data traffic. In addition to inside security, privacy, and compliance teams, outside experts are consulted to perform regular security assessments.

From an infrastructure perspective, software, servers, internal machines, and secure data centers are all aimed at providing superior data storage and protection with end-user privacy safeguards. 

This high level of technical expertise and consistent service is unmatched, and has helped establish a generally accepted truth about the cloud, as Gartner notes:

“The challenge exists not in the security of the cloud itself, but in the policies and technologies for security and control of the technology. In nearly all cases, it is the user, not the cloud provider, who fails to manage the controls used to protect an organization’s data.”

Like Google, HIPAA Vault embraces a “zero trust” security approach in all our cloud solutions.

The idea here is that no user or network should ultimately be “trusted,” and all attempts to access a business system or application must be verified before any level of access is granted. 

This extends to the sharing of sensitive data – both from “insiders” within your company (an often overlooked, but frequent cause of data loss) and external contractors – which makes encryption a necessity. 

For this reason, all of our secure cloud-based solutions, including encrypted databases, drives, and file sharing, are designed with user controls to protect your sensitive data, both inside and outside your network.

The Necessity of Proven Encryption

Encryption protects your data by replacing it with ciphertext, making it unreadable until decrypted. Cybercriminals who want to exploit sensitive data seek to bypass these encryption protections by attempting to access keys or crack encryption algorithms.

The National Institute of Standards and Technology (NIST) has set the standards and requirements for cryptographic modules for U.S. federal agencies with Federal Information Processing Standard (FIPS) 140-2. Covering hardware, software, and/or firmware, it establishes a validated certification for how sensitive, unclassified information is stored. 

The Google Cloud Platform uses a FIPS 140-2 validated encryption module called BoringCrypto (certificate 3318), which ensures the encryption of data that is “in transit” (outside Google’s physical boundaries to the customer, and the wide area network (WAN) between data centers), and “at rest.”

In addition, all at-rest data is chunked, individually encrypted, then “wrapped” with additional encryption keys. Google offers these multiple layers of data encryption for their customers by default. 

As a data-security pioneer with one of the largest, most security-conscious private networks in the world, Google continually invests in new innovations for encryption technology, including Key Transparency and post-quantum cryptography. 

A cloud-hosted key management service (KMS) also allows you to manage cryptographic keys in the same way as you would for on-premises environments.
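The “chunked, individually encrypted, then wrapped” scheme described above can be sketched as follows. This is an added example, not Google’s implementation or HIPAA Vault’s code: the function names, the chunk size, and the `nonce || tag || ciphertext` layout are assumptions of the sketch, and the key-encryption key (KEK) is generated locally here, whereas in production it would stay inside a KMS.

```javascript
const crypto = require("crypto");

// seal: AES-256-GCM under a 32-byte key. Output layout (an assumption of this
// sketch): 12-byte random nonce || 16-byte auth tag || ciphertext.
function seal(key, plaintext) {
  const nonce = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", key, nonce);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), body]);
}

// open: reverse of seal. Throws if the key is wrong or any byte was altered.
function open(key, sealed) {
  const d = crypto.createDecipheriv("aes-256-gcm", key, sealed.subarray(0, 12));
  d.setAuthTag(sealed.subarray(12, 28));
  return Buffer.concat([d.update(sealed.subarray(28)), d.final()]);
}

// Split data into chunks; each chunk gets its own random data key (DEK),
// and only the KEK-wrapped form of that DEK is stored next to the chunk.
function encryptObject(kek, data, chunkSize) {
  if (!(chunkSize > 0)) throw new RangeError("chunkSize must be positive");
  const chunks = [];
  for (let off = 0; off < data.length; off += chunkSize) {
    const dek = crypto.randomBytes(32);
    chunks.push({
      wrappedDek: seal(kek, dek),
      data: seal(dek, data.subarray(off, off + chunkSize)),
    });
  }
  return chunks;
}

// Unwrap each DEK with the KEK, decrypt its chunk, and reassemble.
function decryptObject(kek, chunks) {
  return Buffer.concat(chunks.map((c) => open(open(kek, c.wrappedDek), c.data)));
}

// KEK rotation re-wraps the small DEKs only; chunk ciphertext is left untouched.
function rewrapKeys(oldKek, newKek, chunks) {
  return chunks.map((c) => ({
    wrappedDek: seal(newKek, open(oldKek, c.wrappedDek)),
    data: c.data,
  }));
}

// Constructed sample record and locally generated KEK (a real KEK stays in a KMS).
const demoKek = crypto.randomBytes(32);
const demoChunks = encryptObject(demoKek, Buffer.from("constructed sample record"), 8);
console.log(demoChunks.length, decryptObject(demoKek, demoChunks).toString());
```

Because every chunk has its own data key, a disclosed DEK exposes one chunk only, and rotating the KEK never requires re-encrypting the stored data itself.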

Backups 

High availability for your HIPAA data requires high redundancy. With Google’s “redundancy of everything” approach, your data is systematically replicated multiple times across active servers and distributed geographically. 

Service continuity is ensured by a highly redundant system, one where the failure of a single server, data center, network connection, or even a maintenance window will not result in downtime or loss of data. In other words, your data is always available within a secondary system, should one system fail. 

Distributed, compliant data centers with redundant security, power, and environmental controls minimize the impact of a natural disaster or a local power outage, so your sensitive data will remain available.  

Two-Factor Authentication

Two-factor authentication, or 2-step verification, is another tool provided by Google that HIPAA Vault’s administrators use to add a further security layer for accessing a server. This means that in addition to the standard username/password combination, a unique verification code is generated and sent to users each time they seek to log in to their server.

Audit Logs

HIPAA requires that detailed audit logs be kept, recording who has accessed ePHI on your server(s) and why they’ve accessed it – both failed and successful log-in attempts. This system and network access information, including any security event or malicious software, attempted breach, or even attempts to delete or modify the logs themselves, must be kept for a minimum of six years. 

Google will keep all admin activity, data access, and system event logs for varying lengths of time, which can then be exported so you can retain them for as long as needed. 

Conclusion

Clearly, Google Cloud meets the test for trusted cloud storage and HIPAA compliance. How the end-user manages the controls and HIPAA policies becomes the real issue. 

HIPAA Vault’s expertise with GCP can help you navigate these complex cloud concerns, allowing for significant cost-savings and greater peace of mind knowing your critical patient data is in good hands.   

Our advanced automation, detection, and mitigation capabilities, and proven ability to configure your environment and servers for HIPAA compliance, help ensure that your critical data is well protected. 

HIPAA Vault is a leading provider of HIPAA-compliant solutions and cloud storage. We enable healthcare providers, business organizations, and government agencies to secure their protected health information from data breaches, threats, and security vulnerabilities, and keep them doing what they do best – saving lives!

Contact us at 760–290–3460 or www.hipaavault.com.

Stephen is an award-winning writer with a depth of experience in healthcare security and HIPAA compliance. In addition to writing for HIPAA Vault, his work has been published in Security Magazine, New England Society for Healthcare Communications, and others. Stephen has a degree in Engineering from Temple University, and can be reached at strout@hipaavault.com.