HIPAA Compliance and Auditing in the Public Cloud

Transcription

1

2 HIPAA Compliance and Auditing in the Public Cloud This paper outlines what HIPAA compliance includes in the cloud era. It aims to help enterprise IT leaders interested in becoming more familiar with the requirements and, especially, how to adhere to them when running on a public cloud infrastructure, such as Amazon or Azure. This article details the different rules for handling compliance when it comes to dealing with Protected Health Information (PHI). As noted in a recent press release by the Health and Human Services government office (HHS), Memorial Healthcare System (MHS) paid the U.S. Department of Health and Human Services $5.5 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. According to the release, MHS failed to enforce user access procedures and review system logs of activity on applications. Organizations must implement audit controls and review audit logs regularly. As this case shows, a lack of access controls and regular review of audit logs helps hackers or malevolent insiders to cover their electronic tracks, making it difficult for covered entities and business associates to not only recover from breaches, but to prevent them before they happen. Robinsue Frohboese, Acting Director, HHS Office for Civil Rights HIPAA compliance requires continuous monitoring and logging of the network and information assets. In this white paper, we outline the specifics required to keep a public cloud environment secure and provide practical recommendations for dealing with auditing. 2

3 Overview: HIPAA & Digital Transformation The American Health Industry s accelerated digital transformation and massive cloud adoption called for more scrutiny of the rules regarding the protection of an individual s privacy, particularly due to the implications the cloud had on data security and potential breaches. Subsequently, the U.S. Government and the Health and Human Services (HHS) reviewed and revised previous HIPAA rules, procedures, and policies. This effort resulted in the 2009 HITECH Act. The HITECH Act imposed stricter penalties for HIPAA violations, requiring relatively small data breaches reported to the HHS, the media, and the affected individuals. The Act also introduced the meaningful use definition and extended the HIPAA s Privacy and Security Rules application to business associates. Along with increased public cloud enterprise adoption, the HIPAA ruling has evolved (and is still evolving), exemplified by the publication of the HIPAA Omnibus Rule in The major implication of this rule was that business associates, including public cloud providers, are now directly liable for HIPAA compliance. Who must comply HIPAA applies to covered entities (health care providers, health plans, and health care clearinghouses) and business associates of covered entities (a person or entity who performs/assists functions or activities involving use or disclosure of PHI on behalf of a covered entity or a covered product). Organizations that run both covered entity activities and non-covered entity ones are designated as hybrid entities; the HIPAA requirements apply only to the former. 3

4 HIPAA Rules Rules most affecting HIPAA/HITECH compliance and governance in the cloud, and generally any PHIrelated activity, include: Privacy Rule: This general rule applies to all forms of individuals protected health information, whether electronic, written, or oral, and both establishes the federal standards to safeguard the privacy of PHI and gives patients a wide array of rights. It also determines who exactly has to comply with it. Security Rule: In contrast to the Privacy Rule, this rule applies only to electronic protected health information (ephi) and affects directly all the covered entities and business associates operating in the cloud and even cloud service providers (CSPs). This rule is made up of three parts: technical, physical, and administrative safeguards, which are further divided into standards and requirements. The standards and requirements may be required (implemented as specified) or addressable (reasonably fulfilled). See HIPAA FAQs on the topic. Enforcement Rule: This rule outlines investigations, penalties for noncompliance, and procedures for hearings. It also establishes the rules governing the compliance responsibilities of covered entities. HITECH then added a tiered increase in the amount of penalties based on culpability. HIPAA Breach Notification Rule: Also modified by the HITECH Act, this requires all the covered entities or business associates to notify individuals when their information is breached, outlining also the necessary form and delivery method of said notification. Depending on the severity of the breach, a notification through the media and to the HHS Secretary is also required. 4

5 When choosing a cloud service provider (AWS, Azure, Google, etc.), it is important to make sure the provider supplies a Business Associate Agreement (BAA) that makes them subject to audits by the Office for Civil Rights (OCR), accountable for a data breach, and fined for noncompliance when it occurs. There s no certification or seal of approval for HIPAA/HITECH compliance. The service provider should demonstrate fulfillment of all HIPAA rules and recommendations, ensuring the integrity and safety of all data resides in their data centers. Apart from encouraging audits run by OCR or accredited independent auditors, it is highly recommended that cloud vendors, including cloud service providers (CSPs), Managed Service Providers (MSPs), as well as third-party technology solutions vendors are also compliant with other certifications such as NIST , ISO 27001, and SAS70 Type II. 5

6 Compliance in the Public Cloud HIPAA is all about privacy, security, data segregation, encryption and key management, roles assignation, policies, risk analysis and management, and access monitoring. With all this potential liability, why are enterprises willing to outsource their IT infrastructure to third-party public cloud vendors? Because, as mentioned, liability has been extended to include business associates. In February 2013, the HIPAA Final Rule modified the business associate definition:... any data storage company that has access to protected health information (whether digital or hard copy) qualifies as a business associate, even if the entity does not view the information or only does so on a random or infrequent basis... This means that in comparison to the traditional scope of liability, your enterprise can move part of the liability to your cloud infrastructure and managed services vendors. However, this also means that HHS has forced shared effort and responsibility in running a HIPAA-sensitive and compliant information platform. AWS, for instance, introduced their Shared Responsibility Model (Figure 1) to mitigate liability. After signing a Business Associate Agreement (BAA), covered entities are responsible for customer data, platforms, applications, and Identity Access Management, along with all the technology not directly maintained by CSPs (operating systems, firewalls, encryption at-rest and on-the-fly). A good example of sharing the responsibility is AWS Identity and Access management (IAM). While Amazon provides this key security capability, enterprise IT needs to then follow the principle of least privilege (PoLP), limiting root access to specific users and using IAM groups to define policies and specify permissions for multiple users. 6

7 Cloud users, as covered entities, and their business associates, are responsible for patients (users ) PHI protection and encryption even on a managed cloud, while CSPs are responsible for running their infrastructure in accordance with HIPAA, indicating exactly which of their services are fully compliant. Shared Responsibility Model Customer Data Customer Responsible for Security IN the Cloud Platform, Applications, Identity & Access Management Client-Side Data Encryption & Data Integrity Authentication Server-Side Encryption File System and / or Data Compute Storage Database Networking AWS Responsible for Security OF the Cloud AWS Global Infastructure Regions Edge Locations Availability Zones Figure #1: AWS shared responsibility model 7

8 Auditing the Cloud Many CSPs provide internal audit tools to customers so they may cope more easily with the Phase 2 of HIPAA Audit Program that, since 2016, extends to the HHS Office for Civil Rights prerogatives adding the possibility of running audits without previous formal complaints. However, the above-mentioned Shared Responsibility Model leaves organizations in charge of auditing and governing their applications and data running on the cloud. Considering that HIPAA/HITECH and federal laws ruling the handling of protected health information data is continuously evolving, covered entities and business associates would be wise to adopt thirdparty solutions. Identifying and adopting the right solution partner, one that integrates management tools and specific assessment methodologies, is necessary nowadays to run a HIPAA-compliant organization in the cloud. For effective management of cloud infrastructure and data, security and governance are best grouped together. Security configuration, compliance, and monitoring should be automated and easily verifiable. With the help of a cloud management platform, this kind of monitoring and governance can be unified, offering comprehensive and prioritized insights for maintaining security posture. When it comes to IaaS especially, the adoption and use of up-to-date tools, integrated with the CSPs APIs and services, is crucial. Below are key monitoring and auditing tasks of the HIPAA-compliant enterprise IT team: Analyze and reduce attack vectors and surface Assess the perimeter of the internal private networks Manage access control, including role definition, user group permissions, and actions Segregate data and applications behind multiple physical and logical defensive layers Monitor external and internal threats (attacks and misconfigurations) 8

9 In case of auditing or incident response, producing a historic and detailed log of all the infrastructure resources, data access, configurations, and user permissions is critical. Keeping this data in order allows your cloud operation team to freeze the infrastructure status in a given time, enabling you to analyze an event without needing to stop ongoing activities such as users access. Modern NOCs should unify and integrate modern, cloud-compatible tools, providing automatic security configuration, activity monitoring, automated alerting, actionable insights, and remediation options. The whole framework should be able to aggregate and digest loads of data, and offer an easy-to-use interface and controls that can integrate into the day-to-day IT and security team processes. It should also ease and accelerate identification and remediation efforts. Use Case: Auditing Your AWS Deployment When it comes to auditing, you will need to know which tools to use, as well as the benefits of each. But before choosing tools, it is important to note that not all AWS products are HIPAA-compliant. Closely checking the Amazon HIPAA compliance section is highly recommended. The sample topology below, provided by AWS, represents a three-tier application deployed in one VPC in two availability zones. The relative private and public (DMZ) subnets are used respectively for applications, databases, and proxies. AWS provides you with the building blocks to define and secure your deployment network. These include: VPC, security groups, Network Access Control Lists (NACLs), and routing tables. All these Amazon security building blocks can be monitored and audited using APIs, as well as with AWS native logging and monitoring tools. Highlighted on the right side of Figure 2 are the tools AWS provides to manage security and auditing the deployment. 9

10 Amazon cross availability zones and VPC auditing proxie s DMZ Subnet proxie s DMZ Subnet Private Subnet Private Subnet M S Private Subnet Private Subnet AVAILABILITY ZONE 1 AVAILABILITY ZONE 2 VPC Security VPC Auditing Routing Tables Network ACLs Security Groups VPC Flow Logs Cloudtrail Cloudwatch AWS Config Trusted Advisor Figure #2: Amazon cross availability zones and VPC auditing 10

11 A few tools that are really handy when it comes to auditing: AWS VPC Flow Logs: Run a perimeter assessment of the internal private networks using VPC Flow Logs in order to get information on the network traffic going through our VPC network, storing them in Amazon CloudWatch Logs for further tracking and alerting. AWS CloudTrail: Keep a comprehensive log of API calls made within the AWS Management Console, using the AWS SDKs, the AWS CLI, or other AWS services. AWS Config: Get an instantaneous and detailed situation of the configuration of AWS resources, as well as alerts on changes using AWS Config, to ease auditing and breach analysis. AWS CloudWatch: Finally, you can use CloudWatch Alarms to define a wide range of metrics or log files you want to track in order to fire alerts or automatically react to resources changes. Once these components are properly enabled and configured, data flows separately from each source. This is raw data; it is the foundation of your compliance regime, but it is not automatically in a usable format. The data requires translation and analysis for you to fully meet your compliance mandate. Why It Matters: In order to monitor your deployment security effectively, you will have to process and analyze the log and events into meaningful, actionable insights. This is where third party solutions can help. An aggregated, centralized view of data sources, with prioritized recommendations for improving your compliance posture, are critical for maintaining HIPAA compliance. Though this use case focuses on AWS alone, if you operate in multi-cloud environment, it is important to look for solutions that provide you with a single, aggregated view. 11

12 Proactive Compliance for Healthy Cloud Infrastructure As we are seeing more sophisticated and harmful cyber threats, privacy breaches, and data leaks, staying informed and proactive about HIPAA and HITECH rules becomes more and more important. In the last two years, we ve witnessed an increase in ransomware attacks, in which cyber pirates infiltrate the networks of covered entities with malware, threatening to divulge critical information. According to the HHS Office for Civil Rights Breach Portal, intentional or accidental data leakage cases are becoming more common, as well as unauthorized accesses and simple thefts. Most organizations of any size cannot afford this kind of situation. Understanding compliance requirements is critical. Organizations and especially IT leaders should recognize their shifting responsibilities and make sure to maintain complete control over their cloud environments. For that, they need to have auditing and management tools aimed to improve data-handling methods and perimetral security, to be better armed to take proactive remediation actions. This will enable them to protect their organization s digital assets. 12

13 About CloudCheckr CloudCheckr s sophisticated cloud management platform offers control and clarity for leading organizations to manage and optimize their public cloud investments. The CloudCheckr platform offers a single pane of glass across infrastructure to ensure total security and compliance, while optimizing cost and expenses. With continuous monitoring, 400 best practice checks, and built-in automation, CloudCheckr enables IT, Security, and Finance teams to manage their AWS environments with confidence. Government organizations and Global 2000 enterprises trust CloudCheckr to unify their native AWS data and deliver the most robust cloud management platform in today s marketplace. CloudCheckr provides reports and dashboards that contain the most important events and insights based on public cloud security best practices, as well as specific compliance standards, such as HIPAA. This facilitates a comprehensive look across your environment, offering prioritized insights and recommendations to improve your security and compliance posture. CloudCheckr helps organizations to ensure compliance for highly regulated industries, with alerts, monitoring, and audits to meet NIST, HIPAA, PCI, and other security standards. With deeper intelligence across cloud infrastructure and a unified cloud management solution, organizations can prevent risks and mitigate threats before they occur. 13

14 Learn more: Contact Us (585)