OCR Issues Cloud Service Provider (CSP) Guidance

With the proliferation and widespread adoption of cloud computing solutions, HIPAA covered entities and business associates are questioning whether and how they can take advantage of cloud computing, while complying with the HIPAA Rules.  In response, the HHS Office for Civil Rights (OCR) has issued important new guidance to assist organizations, including cloud service providers (CSPs), in understanding their HIPAA obligations.  The guidance presents key questions and answers to assist HIPAA-regulated CSPs and their customers in understanding their responsibilities under the HIPAA Rules when they create, receive, maintain, or transmit electronic protected health information using cloud products and services.

(Editorial comments in red after each question)

Highlights:

  1. May a HIPAA covered entity or business associate use a cloud service to store or process ePHI?

Yes, provided the covered entity or business associate enters into a HIPAA-compliant business associate contract or agreement (BAA) with the CSP that will be creating, receiving, maintaining, or transmitting electronic protected health information (ePHI) on its behalf, and otherwise complies with the HIPAA Rules.

The covered entity is required to ensure that the business associate and any subcontractor business associates are compliant.

  2. If a CSP stores only encrypted ePHI and does not have a decryption key, is it a HIPAA business associate?

Yes, because the CSP receives and maintains (e.g., to process and/or store) electronic protected health information (ePHI) for a covered entity or another business associate.  Lacking an encryption key does not exempt a CSP from business associate status or associated obligations under the HIPAA Rules.

Any cloud vendor that says it does not have to be compliant should be disregarded as a vendor. If you store ePHI with them, they must be compliant.

  3. Can a CSP be considered to be a “conduit” like the postal service, and, therefore, not a business associate that must comply with the HIPAA Rules?

Generally, no. CSPs that provide cloud services to a covered entity or business associate that involve creating, receiving, or maintaining  (e.g., to process and/or store) electronic protected health information (ePHI) meet the definition of a business associate, even if the CSP cannot view the ePHI because it is encrypted and the CSP does not have the decryption key.

The conduit exemption properly applies only to the USPS, FedEx, UPS and Internet Service Providers that merely transmit data.

  4. Which CSPs offer HIPAA-compliant cloud services?

OCR does not endorse, certify, or recommend specific technology or products.

  5. What if a HIPAA covered entity (or business associate) uses a CSP to maintain ePHI without first executing a business associate agreement with that CSP?

If a covered entity (or business associate) uses a CSP to maintain (e.g., to process or store) electronic protected health information (ePHI) without entering into a BAA with the CSP, the covered entity (or business associate) is in violation of the HIPAA Rules. See 45 C.F.R. §§ 164.308(b)(1) and 164.502(e).

OCR just fined an entity $750,000 for such behavior.

  6. If a CSP experiences a security incident involving a HIPAA covered entity’s or business associate’s ePHI, must it report the incident to the covered entity or business associate?

Yes. The Security Rule at 45 CFR § 164.308(a)(6)(ii) requires business associates to identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the business associate; and document security incidents and their outcomes.

  7. Do the HIPAA Rules allow health care providers to use mobile devices to access ePHI in a cloud?

Yes.  Health care providers, other covered entities, and business associates may use mobile devices to access electronic protected health information (ePHI) in a cloud as long as appropriate physical, administrative, and technical safeguards are in place to protect the confidentiality, integrity, and availability of the ePHI on the mobile device and in the cloud, and appropriate BAAs are in place with any third party service providers for the device and/or the cloud that will have access to the ePHI.

Mobile devices used to access ePHI must be addressed in the covered entity's Security Risk Analysis and be properly protected.

  8. Do the HIPAA Rules require a CSP to maintain ePHI for some period of time beyond when it has finished providing services to a covered entity or business associate?

No, the HIPAA Rules generally do not require a business associate to maintain electronic protected health information (ePHI) beyond the time it provides services to a covered entity or business associate.

The CSP may delete the ePHI upon termination of the contract between the parties.

  9. Do the HIPAA Rules allow a covered entity or business associate to use a CSP that stores ePHI on servers outside of the United States?

Yes, provided the covered entity (or business associate) enters into a business associate agreement (BAA) with the CSP and otherwise complies with the applicable requirements of the HIPAA Rules.  However, while the HIPAA Rules do not include requirements specific to protection of electronic protected health information (ePHI) processed or stored by a CSP or any other business associate outside of the United States, OCR notes that the risks to such ePHI may vary greatly depending on its geographic location.  In particular, outsourcing storage or other services for ePHI overseas may increase the risks and vulnerabilities to the information or present special considerations with respect to enforceability of privacy and security protections over the data. Covered entities (and business associates, including the CSP) should take these risks into account when conducting the risk analysis and risk management required by the Security Rule.  See 45 CFR §164.308(a)(1)(ii)(A) and (a)(1)(ii)(B).    For example, if ePHI is maintained in a country where there are documented increased attempts at hacking or other malware attacks, such risks should be considered, and entities must implement reasonable and appropriate technical safeguards to address such threats.

This is a huge deal as far as I am concerned and I would not allow it to happen. Let me ask this one question: “What Police Department are you going to call if a worker in a foreign country steals your ePHI?” ‘nuff said.

  10. Do the HIPAA Rules require CSPs that are business associates to provide documentation, or allow auditing, of their security practices by their customers who are covered entities or business associates?

No. The HIPAA Rules require covered entity and business associate customers to obtain satisfactory assurances in the form of a business associate agreement (BAA) with the CSP that the CSP will, among other things, appropriately safeguard the protected health information (PHI) that it creates, receives, maintains or transmits for the covered entity or business associate in accordance with the HIPAA Rules.

While the rules do not **require** auditing of a BA, I would not do business with a BA who would not provide me with the documentation proving their compliance.

Here is a link to the entire guidance:

http://www.hhs.gov/hipaa/for-professionals/special-topics/cloud-computing/index.html

Folks, 2017 is shaping up to be the year of the OCR audit. OCR gets to keep the Civil Monetary Penalties ($20,000,000.00 + so far this year) to fund additional enforcement actions. They have the right people in place (after a few years of shakeup at the Department), they have the funding in place and they have gotten their audit process to a point where they are comfortable with it. 


The Internet of Evil Things

The Internet of Evil Things is in the news: most devices deployed as part of the Internet of Things (IoT) lack basic security hygiene. There has been a wave of Mirai DDoS (Distributed Denial of Service) attacks that exploit that lack of security, compromising thousands of security cameras, DVRs and other IoT devices to launch powerful DDoS attacks. Denial of Service may be only the tip of the iceberg if we don't make rapid progress securing the IoT.

The takeaway is that not all of the manufacturers of new Internet connected devices (security cameras, refrigerators, HVAC controls, etc.) take security seriously. A lot of them are too concerned with getting their products to market and not with the security of those products. Buyer beware!

Massive DDoS attack harnesses 145,000 hacked IoT devices

In what some are calling the biggest distributed denial-of-service attack ever seen, a botnet comprising thousands of hacked Internet-of-Things devices took aim at a European web host earlier this month – flooding it with a data deluge that at times exceeded one terabit per second.

The attack ushers in a dangerous new era for data security and system uptime, experts said, and could pose dramatic new risks for EHRs and other hospital IT systems.

According to Ars Technica, the hackers took control of a legion of web-connected cameras, routers and other devices to effectuate a series of DDoS attacks – the largest of which vastly exceeded the 363 Gbps that had heretofore been the largest mitigated by the web performance and cybersecurity firm Akamai.


"Now that we've seen a 600 gig botnet, we have to plan that within one to two years, those are going to become common," Martin McKeay, a member of Akamai's security intelligence team, told Ars Technica. "They may not be every attack, but we will see a dozen of them a quarter, we'll see a couple hundred of them a year. Now that people know those are a possibility, they're going to start pushing in that direction. They're going to make it happen."

In other words, much like ransomware attacks – which few in healthcare were even aware of as recently as a year ago – once cyber crooks have seen the damage DDoS on this scale can wreak, it seems clear that they'll be instigating a lot more of them.

Yahoo Scanned eMail for US Government

According to Reuters, Yahoo created a tool to scan all customers' incoming emails for a certain set of characters at the behest of US intelligence. There is speculation that this is the first instance of a US Internet company agreeing to comply with a government demand to scan all incoming messages. Former employees say that some senior executives were unhappy with the company's decision to comply with the demand. Alex Stamos, who at the time was Yahoo's Chief Information Security Officer (CISO), left the company in June 2015. This is a good cautionary tale to use in your discussions with management, *not* because Yahoo cooperated with government demands for surveillance but because the Yahoo CEO showed a continuing pattern of ignoring CISO recommendations and choosing to accept high risks to avoid "inconveniencing" users. At just about the same time Yahoo made those decisions, its prime competitor Google was going the opposite way, "inconveniencing" users to protect them and their data. Even looking at it strictly from a financial perspective, it is clear who made the right business decisions.

Computer Networks of Roanoke, Inc.

Hank Wagner, Owner
hank.wagner@computernetworksinc.com
757-333-3299 x232

PHI is everywhere. Find it. Protect it.

This Is Why You Do Not Allow Your Users To Go Anywhere They Want On The Internet

Ad on Free Versions of Spotify Opened Malicious Sites

Spotify, a music streaming service, has fixed a problem that was allowing advertisements to open malicious websites in users' browsers. The issue affected users running the free version of Spotify's music service on Windows, Mac, and Linux operating systems. Spotify says the issue was traced to a single ad that has since been removed.

HHS Criticized by GAO for ePHI Security Guidance and CE Oversight

Sep 27, 2016 | HIPAA Journal | Healthcare Data Security

The Government Accountability Office (GAO) has slammed the Department of Health and Human Services (HHS) for its lack of oversight of HIPAA covered entities and the guidance for covered entities on security controls to implement to keep electronic protected health information (ePHI) secure.

A GAO study on the current health information cybersecurity infrastructure was requested by the Chairman of the U.S. Senate Committee on Health, Education, Labor and Pensions, Sen. Lamar Alexander (R-Tenn.), and its ranking member, Sen. Patty Murray (D-Wash.).

GAO wanted to determine if standards and guidance issued by the HHS under HIPAA/HITECH were consistent with federal information security guidance, assess the extent to which the HHS is overseeing compliance with HIPAA Privacy and Security Rules, and find out if its efforts are being effectively executed. GAO also examined the benefits of using electronic health records and the cyber threats to electronic health data.

The study was conducted following a particularly bad year for the healthcare industry. More than 113 million records were exposed as a result of healthcare data breaches in 2015. The number of healthcare data breaches also increased considerably last year. Aside from the cost to the healthcare industry, the data breaches have had an adverse financial impact on patients and have caused major disruptions to the provision of patient care.

HHS Must Do More to Help Covered Entities Keep ePHI Secure

HIPAA required the Secretary of the HHS to develop regulations to ensure that the privacy and security of ePHI are protected, which took the form of the HIPAA Privacy and Security Rules.

Those HIPAA Rules are deliberately vague when it comes to protections that covered entities should apply to safeguard ePHI. It is not possible for legislation to keep up with the rapid pace of technology, so specifics were omitted.

However, GAO determined that the guidance issued by the HHS does not cover important controls that are detailed in federal guidance on data security. Healthcare organizations are struggling to select appropriate privacy and security controls, and the HHS is not offering enough help in this regard.
