How Centrify Can Help AWS Customers Comply with New HIPAA CSP Regulations

New HIPAA regulations are driving heightened security around electronic protected health information (ePHI) and Cloud Service Providers (CSP). These regulations detail the types of security for data in the cloud, as you might expect, but they also focus on securing and controlling the access to cloud systems, infrastructure and data.


In the simplest terms, this means healthcare companies and their business associates (BAs) need to focus on securing and managing resources IN the cloud, as well as securing and managing access TO the cloud. Broken down, healthcare companies need to:

  • Ensure cloud resources are truly private instances.
  • Encrypt data stored in the cloud, even in the case of “no view services.”
  • Manage and secure access to cloud resources for both users and administrators.

Read on to learn about how Centrify can bolster security and help support compliance with these new regulations for CSPs.

What’s Changed with HIPAA?

The new HIPAA regulations impact healthcare companies, their BAs and the CSPs that handle ePHI. Under the new regulations, CSPs can themselves become BAs and, as such, are subject to HIPAA regulatory compliance.

What’s Driving the Change in Regulations?

Growth in cloud infrastructure and services means that HIPAA regulations need to extend to these new environments. Examples range from simple data storage to entire cloud infrastructures, including software development and test platforms. In many cases, CSPs are acting as BAs, which is another driving factor behind these new regulations.

How Centrify and Amazon Web Services Can Help HCPs, BAs and CSPs Comply with HIPAA Requirements

Amazon Web Services

Amazon recently published a white paper for “Architecting for HIPAA Security and Compliance on Amazon Web Services.” In this paper, Amazon describes how healthcare providers can take advantage of the built-in encryption and security protections offered by AWS, by using “Dedicated Instances” within Amazon EC2. These Dedicated Instances are isolated at the hardware level from other non-dedicated instances and from instances that belong to other AWS accounts.

Additionally, Amazon Virtual Private Cloud offers a set of network security features well aligned to architecting for HIPAA compliance, including stateless network access control lists and dynamic reassignment of instances into stateful security groups, which afford flexibility in protecting instances from unauthorized network access.

VPC Flow Logs provide an audit trail of accepted and rejected connections to instances processing, transmitting or storing PHI.
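The flow-log audit trail mentioned above is only useful if someone actually reads it. The script below is an added example (not Centrify's or AWS's code) that parses records in the default VPC Flow Log version 2 format and, for a constructed set of network interfaces belonging to instances that handle ePHI, reports which connections were rejected by a security group or network ACL and which were accepted from sources outside a trusted address range. It also counts SKIPDATA windows, where AWS itself dropped records, because those are gaps in the audit trail an auditor would want disclosed. The account id, ENI ids, addresses, the `PHI_INTERFACES` set and the `TRUSTED_SOURCES` range are all constructed placeholders.

```python
"""Audit AWS VPC Flow Log records for instances that handle ePHI.

Added example, not Centrify's or AWS's code.  Parses the default
VPC Flow Log v2 record format and reports, for a constructed set of
"PHI" network interfaces, which connections were rejected (blocked by
a security group or network ACL) and which were accepted from sources
outside a trusted range.  All ENI ids, the account id, the addresses
and the trusted range are constructed placeholders.
"""
from collections import Counter
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional

# Field order of the default (version 2) VPC Flow Log record, as documented by AWS.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")

# Constructed placeholders: interfaces of instances processing ePHI, and the
# address range (e.g. a corporate or bastion subnet) from which access is expected.
PHI_INTERFACES = {"eni-0phi0000000000001"}
TRUSTED_SOURCES = [ip_network("10.0.0.0/16")]


@dataclass(frozen=True)
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    action: str      # ACCEPT, REJECT, or "-" when no traffic was recorded
    log_status: str  # OK, NODATA (no traffic in window) or SKIPDATA (records lost)


def parse_record(line: str) -> Optional[FlowRecord]:
    """Parse one v2 record; return None for lines that are not a v2 record."""
    parts = line.split()
    if len(parts) != len(FIELDS) or parts[0] != "2":
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        # NODATA/SKIPDATA rows carry "-" in every traffic field.
        return FlowRecord(rec["interface_id"], "-", "-", 0, 0, 0, "-", rec["log_status"])
    return FlowRecord(rec["interface_id"], rec["srcaddr"], rec["dstaddr"],
                      int(rec["srcport"]), int(rec["dstport"]), int(rec["protocol"]),
                      rec["action"], "OK")


def is_trusted(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in TRUSTED_SOURCES)


@dataclass
class AuditResult:
    rejected: Counter = field(default_factory=Counter)  # (src, dst, dstport) -> count
    untrusted_accepts: List[FlowRecord] = field(default_factory=list)
    skipdata_windows: int = 0  # capture windows where AWS dropped records: an audit gap


def audit(lines: Iterable[str]) -> AuditResult:
    result = AuditResult()
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue  # not a v2 record (header, blank line, garbage)
        if rec.log_status == "SKIPDATA":
            result.skipdata_windows += 1
            continue
        if rec.log_status != "OK":
            continue  # NODATA: nothing happened in this window
        if rec.action == "REJECT":
            result.rejected[(rec.srcaddr, rec.dstaddr, rec.dstport)] += 1
        elif rec.interface_id in PHI_INTERFACES and not is_trusted(rec.srcaddr):
            result.untrusted_accepts.append(rec)
    return result


# Constructed sample records (account id, ENIs and addresses are placeholders).
SAMPLE_LOG = """\
2 111122223333 eni-0phi0000000000001 10.0.4.12 10.0.1.50 54321 5432 6 20 4249 1418530010 1418530070 ACCEPT OK
2 111122223333 eni-0phi0000000000001 203.0.113.9 10.0.1.50 40123 22 6 12 2100 1418530010 1418530070 ACCEPT OK
2 111122223333 eni-0phi0000000000001 198.51.100.7 10.0.1.50 50001 3389 6 3 180 1418530010 1418530070 REJECT OK
2 111122223333 eni-0phi0000000000001 198.51.100.7 10.0.1.50 50002 3389 6 3 180 1418530070 1418530130 REJECT OK
2 111122223333 eni-0other000000000002 10.0.9.3 10.0.2.8 33000 443 6 50 9000 1418530010 1418530070 ACCEPT OK
2 111122223333 eni-0other000000000002 - - - - - - - 1418530010 1418530070 - SKIPDATA
2 111122223333 eni-0phi0000000000001 - - - - - - - 1418530130 1418530190 - NODATA
"""

if __name__ == "__main__":
    res = audit(SAMPLE_LOG.splitlines())
    for (src, dst, port), n in res.rejected.most_common():
        print(f"REJECT x{n}: {src} -> {dst}:{port}")
    for r in res.untrusted_accepts:
        print(f"ACCEPT from untrusted {r.srcaddr} -> {r.dstaddr}:{r.dstport} on {r.interface_id}")
    print(f"capture windows with dropped records: {res.skipdata_windows}")
```

Rejected flows show where the network ACLs and security groups are doing their job; the accepted connection from an untrusted source to a PHI interface is the line an auditor will ask about, and the SKIPDATA count is the honest answer to "is this trail complete?". In production the records would come from CloudWatch Logs or S3 rather than an inline string, and the trusted range and PHI interface list would be maintained alongside the instance inventory.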


Among many of the HIPAA guidelines that discuss access, the Department of Health and Human Services makes these recommendations regarding authorization:

164.308 (a)(4)(i) Standard: Information access management. Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part.

164.312(a)(1) Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in §164.308(a)(4). 

It could be easy to view this as simply, “Make sure the right people have the right access to ePHI.” But the implementation and auditability of any solution is key to both driving compliance and protecting against breaches.

Securing Cloud Access

As described above, Amazon does an excellent job of encrypting and isolating data in the cloud. But protecting data is only part of compliance – healthcare providers, BAs and CSPs also have to secure and manage user access to cloud resources. To that end, Centrify provides a platform approach to securing and simplifying the integration of AWS and EC2 instances into the enterprise environment.

Protecting Privileged Access to AWS Infrastructure

Centrify’s privileged identity management solutions enable organizations to consolidate identities, deliver cross-platform least privilege access and control shared accounts, while securing remote access and auditing all privileged sessions. This helps comply with regulations that specify that access needs to be tied back to specific users. Centrify extends user management across cloud infrastructure, apps and management consoles.

Single Sign-on and Multi-factor Authentication

To prevent unauthorized access to ePHI, it’s important to ensure a second factor of authentication is implemented for both local and remote users. Centrify provides multi-factor authentication (MFA) across the enterprise and over a VPN for access to apps and servers, at login or when elevating administrative privilege.

Centrify can help healthcare companies with the identity and access management portion of this requirement and support various preferred methods of authentication. Centrify MFA supports modern, mobile authenticators, as well as smart cards, Yubikeys (via a partnership with Yubico), OATH-compliant OTP tokens and legacy MFA solutions that comply with RADIUS to verify identities where mobile phones are not allowed.

Integration with Active Directory

Centrify leverages existing directory infrastructures such as Active Directory to reduce the risk and complexity associated with multiple identity stores. Users log in as themselves to perform their daily tasks, and IT users elevate privilege only when needed.

By creating a single identity and providing least-privilege and role-based access, Centrify can reduce the complexity and effort to administer shared accounts, perform password resets and prove who has logged into AWS for auditing and compliance.

Continuous Compliance and Reporting

Centrify’s built-in forensics and reporting enable supervisors and auditors to spot anomalies that put organizations at risk of compliance drift and to prove continuous compliance.

The Bottom Line

As per the Privacy rule, Centrify can help ensure that the person or entity trying to access ePHI is the one claimed. Centrify helps secure ePHI in the cloud with consideration for the Technical Safeguards outlined in the HIPAA Privacy Standard.

Learn about how Centrify addresses the specific requirements of key industry and federal regulations with a unified identity platform here.