4 Questions to Evaluate HIPAA Compliant Cloud Services

When you’re handling protected health information, security is of the utmost importance. Penalties for HIPAA compliance have included prison, millions of dollars in fines, fired employees, and worse. From drug store pharmacists to therapists to surgeons, if you work in any facet of the healthcare field, HIPAA applies to you.

Compliance with HIPAA is meant to secure patient information and prevent data breaches. After all, PHI is highly sensitive information. No one wants the world to know about their medical issues or personal struggles. HIPAA helps to ensure that that information is kept secure.

Choosing a HIPAA compliant cloud provider is a big decision. If the cloud provider slips in its compliance, you could be the one facing the consequences. Here are four questions to evaluate HIPAA compliant cloud services.

What’s Your Data Recovery Plan?

In the event of a security breach, you need to know that your HIPAA compliant cloud provider has a plan in place. These details should be reported to you in some sort of report that includes a detailed recovery plan. After all, the purpose of HIPAA compliance is to avoid the fall out that comes with a cyber-attack. If your cloud provider doesn’t have a satisfactory data recovery plan, then it’s time to choose a different provider.

When reviewing your provider’s data recovery plan, look for basics like encryption during data backup and redundancy for their servers. Do they have a plan in place should the power go out? Would generators be available to continue to power the most important servers?

For example, Xecunet’s data center includes infrastructure to keep the servers going in all but the most extreme situations. Geographically diverse fiber entries from multiple carriers and redundant routing and switching equipment within our data centers mean that the Xecunet data center doesn’t rely on just one carrier. Independent power feeds to each customer cabinet and redundant systems mean that if one cabinet has a power issue, it won’t impact other customers. We also have generators with 72 hours of fuel on-site with emergency refueling contracts to provide our data center with power in the event of a natural disaster or other emergency.

How do You Implement Access Control?

Access control prevents unauthorized personnel from accessing your protected health information. All the redundancy in the world wouldn’t matter if just anyone could access your data. Access control includes both physical and digital security measures. Digital measures include encrypted levels of access to specific system software, leaving only the highest individuals in an organization with full access to everything in the facility.

You also have the option to send all of your protected health information to the HIPAA compliant cloud provider in an encrypted format. This means that, without the decryption key, no one at the facility would be able to access any of your data. However, the data center would still have to follow all access control regulations.

What’s Your Process for Reporting Security Incidents?

While HIPAA does require that every data center notify customers in the event of a security breach, it’s flexible on the frequency, level of detail, and format of those reports. Before signing on with a HIPAA compliant cloud provider, make sure these details are worked out. A security breach is already stressful enough. You don’t want to also waste time working out the details of what you should be receiving in your reports on top of it.

While the level of detail in your reports is reliant on the knowledge of your security officer, frequent reporting is preferred. Circumstances can change minute-by-minute in the event of a security incident and receiving reports frequently will help you stay on top of the situation.

What Physical Safeguards Does Your Facility Maintain?

Physical access control is just as important as digital access control. The facility shouldn’t be open to just anyone off the street. As a matter of fact, most data centers aren’t even accessible to potential clients. Instead, third-party inspections are completed by licensed agencies and reports are distributed to customers.

Ensure that the data center of your choice employs security guards who can protect against both insider and outsider threats. Insider threats are often underestimated when it comes to data center security. Data center employees have access to the majority of the facility, understand the layout and process, and can access some files. Security guards are there to ensure that access control is maintained, and employees do not pose a threat.

At Xecunet, we use multi-level security systems including cardkey entry, hand geometry readers, pin-code, man trap, and indoor/outdoor video surveillance. On top of automated systems, we also employ security monitoring personnel 24/7 365 days a year. All cabinets are locked with combination locks to provide another layer of security should anyone get through.

Choose Your HIPAA Compliant Cloud Provider Wisely

Choosing a cloud provider for protected health information is a big decision that could have lasting consequences for your business. You don’t want to find yourself stuck with an unsecure cloud that doesn’t meet HIPAA regulations, or discover that your cloud provider has lost their HIPAA certification during your contract period. After going through each of these four questions, evaluate your interactions with the cloud provider. Does the relationship seem like it’s going well?

Xecunet offers our customers a reputation for top performance, practical business solutions, and personalized service. With over twenty years of experience, we understand what you need when it comes to HIPAA compliance. If you’re looking to work with a HIPAA compliant cloud provider who can go above and beyond your needs, contact us today.