A Checklist for Compliance in the Cloud


With the industrialization of hacking and the enormous impact of security breaches, governments, industries and individual organizations are increasingly adopting regulations and standards for handling sensitive information. Complying with these rules and best practices challenges any IT team. Audit processes and the need to prove compliance further complicate matters. As organizations pursue cloud-based services, upholding compliance together with their cloud service provider can raise additional hurdles.

Regulations and Standards

For healthcare in the US, HIPAA (Health Insurance Portability and Accountability Act) governs the handling of sensitive patient information, referred to as Electronic Protected Health Information (ePHI). HIPAA regulations apply to medical care providers and health plan administrators, as well as to those hosting this information. Similar standards and regulations exist in various geographies around the world. The European Union (EU) has one overarching privacy law, the Data Protection Directive 1995/46/EC. In 2002, the EU adopted the e-Privacy Directive 2002/58/EC, which adds protection for personal data in the field of telecommunications and includes requirements regarding the handling of what HIPAA considers ePHI. The Data Protection Directive and e-Privacy Directive combined would be considered the HIPAA equivalent for the EU, but their scope is much wider than the protection of health-related information alone.

Since 2009, when the HIPAA breach notification requirement took effect, millions of people have had their protected health information compromised in privacy and security breaches. The Office for Civil Rights, the HHS division responsible for enforcing HIPAA, has levied more than $74 million in fines, with almost $20 million in 2017 alone, against healthcare organizations responsible for violating the privacy and security rules.
(U.S. Department of Health and Human Services)

Organizations that store, process or handle credit card information fall under standards established by an independent organization, the Payment Card Industry (PCI). Fines for noncompliance can be significant. PCI DSS is a global standard and applies wherever the industry's services are being used.

Also, many organizations are setting up their own internal compliance requirements. Therefore, organizations typically have multiple regulations or frameworks with which they must comply. The range, variety and changing nature of compliance rules may be difficult for an organization to understand and interpret. Relying on cloud-based services may add further complexity and decrease visibility. How do you ensure you are complying when not all resources are on your premises and under your physical control?

Is the Cloud Right for Stringent Compliance Applications?

The cloud offers significant benefits: instant scalability, flexibility, access when and where needed, lowered costs and fewer operational demands on the IT department.

It allows organizations to respond to their present and future needs without up-front lead time and capital investment. They can get and use what they need, when they need it. The organization can focus on its core mission and invest in areas strategic to its business.

HIPAA compliance requires a proactive stance on the part of the cloud service provider; they aren't just a passive host or warehouse of data and/or applications.

Despite these advantages, many still question whether flexibility and cost savings are worth the risks when faced with a potentially daunting regulatory environment. For example, consider the role the cloud plays in complying with regulations such as HIPAA. Below are a few key requirements of HIPAA that directly impact the cloud service provider as well as the healthcare, medical records, insurance or other medical-related organization.

> Physical access to the facility storing the data must be secured and authentication required.
> Sensitive data may need to be encrypted throughout, both at rest and during transmission, regardless of the device it is coming from or going to.
> Backup, operation in an emergency and disaster recovery must be planned for and documented.
> Inactive sessions must be securely disconnected.
> The service provider must be thoroughly familiar with HIPAA requirements and pass a HIPAA audit.
> Throughout, audit controls and documentation are imperative to demonstrate that compliance is being met and to identify vulnerabilities.

Evaluating Your Cloud Service Provider for Compliance

How should you select a partner for your cloud needs?

First, identify the regulations and operational requirements that bind you. Typically, your organization must comply with more than one set of regulations or standards. Use of credit and other payment card services in addition to sensitive health information necessitates complying with both HIPAA and PCI in the United States. Also, take note of the geographical constraints you have governing where workloads are allowed to run. Verify that the cloud provider will maintain data sovereignty and not move your workloads.

Second, identify service providers that meet the criteria listed above. Look at analyst reports, websites for customer stories of organizations like yours, and referrals from your application or network platform providers. Approach it as a search for a long-term partnership, not just a series of transactions.

Third, come to those prospective cloud service providers with a checklist to ensure all your questions are answered. Expect a conversation, not an email exchange. You will be entrusting the sensitive data of your customers and risking the reputation of your organization. Often, the greatest costs of a breach are not the HIPAA violation fines imposed but the negative publicity and loss of patient or customer faith.

A Checklist for Evaluating Cloud Service Providers

Assemble your checklist. Meet with one of the cloud provider's compliance officers. Arrange a walk-through of their facilities and compliance-related processes. Some considerations you might include in your checklist:

Qualities of the Cloud Service Provider
> Commits to adhering to the applicable compliance regulations and standards.
> Upholds standards in accordance with HIPAA, ITIL, HITECH, etc.
> Conducts constant risk assessment of their cloud infrastructure to ensure it meets SSAE16 and HIPAA requirements and is protected from other vulnerabilities.
> Willing to sign a Business Associate Agreement (BAA). Contract incorporates language covering applicable BA obligations.
> Documents and fulfills security incident response, emergency mode operations, and disaster recovery plans.

Compliance Technologies in Place
> Software or services to identify and alert on compliance gaps in your configuration.
> Scanning software running on the platform, ensuring it remains compliant and secure.
> Physical safeguards and authentication methods used at data centers and facilities.

Reporting Capabilities Available
> Reporting on demand without undue bureaucracy or lead time.
> Required audit documentation and support for your audit process.
> Reporting of incidents and vulnerabilities so they can be rapidly addressed.

Compliance-Oriented Customer Support
> Service provider's compliance professionals are available to meet with your team.
> Service provider's staff have applicable certifications.
> Procedures aligned with regulatory requirements, including final disposal of sensitive data.
> If needed, service provider compliance professionals can discuss compliance and security procedures directly with auditors.

Fulfilling Your Compliant Cloud Plan

Finally, develop comfort with your cloud provider through your rollout plan. Work with your cloud partner to decide how best to configure your workloads to ensure compliance. Take it a step at a time, possibly starting with the least sensitive workloads or just net new virtual machines. Or, maybe you have some less compliance-critical systems. Work to get those in, and see how well the compliance framework of your chosen cloud is working for you. With the experience and expertise of your cloud partner, you'll gain confidence to move more of your footprint into the cloud.

Realizing the Benefits of a Compliant Cloud

Getting the flexibility and benefits of the cloud, as well as the compliance you need, takes consideration and planning. Don't settle. From the beginning, ensure your cloud service provider has your compliance and audit needs in mind. You want a provider who puts you first and wants you to benefit from the cloud. Find a provider that will keep your organization in compliance and protect you and your customers' sensitive data. Make sure they have the experience, skills, staff and processes to deliver on your specific compliance needs.

Discover the iland Difference

With over 20 years of experience supporting customers and their critical workloads, iland has a keen understanding of the space and of the requirements and regulations that cloud customers are held to. In response, iland has developed specific compliance offerings for a wide range of industry regulations. Our team of certified, in-house compliance professionals consults with customers and provides assistance when interpreting reports and using report data to help them meet their requirements.

Schedule a consultation with one of our compliance experts today. Not quite ready to talk? That's OK. Take a look at a few of our other compliance-related materials first.

> Ensuring a Compliance Cloud That's Audit Ready
> Compliance Data Sheet

Contact
www.iland.com
+1 713 868 2267
+(44) (0) 20 7096 0149
+(31) (0) 10 808 0440
+(65) 3158 8438
+(61) (0) 2 9056 7004

About iland

iland is a global cloud service provider of secure and compliant hosting for infrastructure (IaaS), disaster recovery (DRaaS), and backup as a service (BaaS). They are recognized by industry analysts as a leader in disaster recovery. The award-winning iland Secure Cloud Console natively combines deep layered security, predictive analytics, and compliance to deliver unmatched visibility and ease of management for all of iland's cloud services. Headquartered in Houston, Texas and London, UK, iland delivers cloud services from its data centers throughout the Americas, Europe, Australia and Asia. Learn more at iland.com.

2018 iland. All rights reserved.