A Checklist for Compliance in the Cloud
With the industrialization of hacking and the enormous impact of security breaches, governments, industries and individual organizations are increasingly adopting regulations and standards for the handling of sensitive information. Complying with these rules and best practices challenges any IT team, and audit processes and the need to prove compliance complicate matters further. As organizations adopt cloud-based services, upholding compliance together with their cloud service provider can raise additional hurdles.

Regulations and Standards

For healthcare in the US, HIPAA (the Health Insurance Portability and Accountability Act) governs the handling of sensitive patient information, referred to as electronic protected health information (ePHI). HIPAA applies to medical care providers and health plan administrators (covered entities), as well as to those hosting or processing this information on their behalf (business associates). Similar standards and regulations exist in other geographies around the world. The European Union (EU) had one overarching privacy law, the Data Protection Directive 95/46/EC; on 25 May 2018 it was replaced by the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679). In 2002, the EU adopted the e-Privacy Directive 2002/58/EC, which adds protection for personal data in the field of telecommunications and includes requirements regarding the handling of what HIPAA considers ePHI. The Data Protection Directive and e-Privacy Directive combined would be considered the HIPAA equivalent for the EU, but they are much wider in scope than the protection of health-related information alone.
"Since 2009, when the HIPAA breach notification requirement took effect, millions of people have had their protected health information compromised in privacy and security breaches. The Office for Civil Rights, the HHS division responsible for enforcing HIPAA, has levied more than $74 million in fines, with almost $20 million in 2017 alone, against healthcare organizations responsible for violating the privacy and security rules."
Source: U.S. Department of Health and Human Services

Organizations that store, process or handle credit card information fall under the Payment Card Industry Data Security Standard (PCI DSS), maintained by an independent body, the PCI Security Standards Council. Fines for noncompliance can be significant. PCI DSS is a global standard and applies wherever the payment brands' cards are accepted. Many organizations also set up their own internal compliance requirements. Organizations therefore typically have multiple regulations or frameworks with which they must comply.

The range, variety and changing nature of compliance rules can be difficult for an organization to understand and interpret. Relying on cloud-based services may add further complexity and reduce visibility. How do you ensure you are complying when not all resources are on your premises and under your physical control?

Is the Cloud Right for Stringent Compliance Applications?

The cloud offers significant benefits: instant scalability, flexibility, access when and where needed, lower costs and fewer operational demands on the IT department. It allows organizations to respond to their present and future needs without up-front lead time and capital investment. They can get and use what they need, when they need it. The organization can focus on its core mission and invest in areas strategic to its business.

Despite these advantages, many still question whether flexibility and cost savings are worth the risks when faced with a potentially daunting regulatory environment. For example, consider the role the cloud plays in complying with regulations such as HIPAA. HIPAA compliance requires a proactive stance on the part of the cloud service provider: it is not just a passive host or warehouse of data and applications. Below are a few key requirements of HIPAA that directly affect the cloud service provider as well as the healthcare, medical records, insurance or other medical-related organization.

> Physical access to the facility storing the data must be secured, with authentication required.
> Sensitive data may need to be encrypted throughout, both at rest and in transit, regardless of the device it is coming from or going to.
> Backup, operation in an emergency (emergency mode operation) and disaster recovery must be planned for and documented.
> Inactive sessions must be terminated automatically after a defined period of inactivity (the Security Rule's automatic logoff specification).
> The service provider must be thoroughly familiar with the HIPAA requirements and be able to pass a HIPAA audit. Note that HHS does not certify HIPAA compliance; a provider demonstrates it through its own documented risk assessments and third-party audit reports.
> Throughout, audit controls and documentation are imperative to demonstrate that compliance is being met and to identify vulnerabilities.
Evaluating Your Cloud Service Provider for Compliance

How should you select a partner for your cloud needs?

First, identify the regulations and operational requirements that bind you. Typically, your organization must comply with more than one set of regulations or standards. Accepting credit and other payment cards in addition to handling sensitive health information means complying with both HIPAA and PCI DSS in the United States. Also take note of your geographical constraints, which govern where workloads are allowed to run. Verify that the cloud provider will keep your data and workloads in the jurisdictions you specify and will not move them without your consent.

Second, identify service providers that meet the criteria listed above. Look at analyst reports, customer stories on providers' websites from organizations like yours, and referrals from your application or network platform providers. Approach it as a search for a long-term partnership, not just a series of transactions.

Third, come to those prospective cloud service providers with a checklist to ensure all your questions are answered. Expect a conversation, not an email exchange. You will be entrusting them with your customers' sensitive data and risking the reputation of your organization. Often, the greatest costs of a breach are not the HIPAA violation fines imposed but the negative publicity and loss of patient or customer trust.
A Checklist for Evaluating Cloud Service Providers

Assemble your checklist. Meet with one of the cloud provider's compliance officers. Arrange a walk-through of their facilities and compliance-related processes. Some considerations you might include in your checklist:

Qualities of the Cloud Service Provider

> Commits to adhering to the applicable compliance regulations and standards.
> Upholds standards in accordance with HIPAA, HITECH, ITIL, etc.
> Conducts continual risk assessment of its cloud infrastructure to ensure that it meets SSAE 16 (now SSAE 18) and HIPAA requirements and is protected from other vulnerabilities.
> Is willing to sign a Business Associate Agreement (BAA), and the contract incorporates language covering the applicable business associate obligations.
> Documents and fulfills security incident response, emergency mode operation, and disaster recovery plans.

Compliance Technologies in Place

> Software or services to identify and alert on compliance gaps in your configuration.
> Scanning software running on the platform, ensuring it remains compliant and secure.
> Physical safeguards and authentication methods used at data centers and facilities.

Reporting Capabilities Available

> Reporting on demand without undue bureaucracy or lead time.
> Required audit documentation and support for your audit process.
> Reporting of incidents and vulnerabilities so they can be rapidly addressed.

Compliance-Oriented Customer Support

> Service provider's compliance professionals are available to meet with your team.
> Service provider's staff hold applicable certifications.
> Procedures are aligned with regulatory requirements, including final disposal of sensitive data.
> If needed, service provider compliance professionals can discuss compliance and security procedures directly with auditors.

Fulfilling Your Compliant Cloud Plan

Finally, build confidence in your cloud provider through your roll-out plan. Work with your cloud partner to decide how best to configure your workloads to ensure compliance. Take it a step at a time, possibly starting with the least sensitive workloads, with newly created virtual machines only, or with systems that are less compliance-critical. Move those in first and see how well the compliance framework of your chosen cloud works for you. With the experience and expertise of your cloud partner, you'll gain the confidence to move more of your footprint into the cloud.

Realizing the Benefits of a Compliant Cloud

Getting the flexibility and benefits of the cloud, as well as the compliance you need, takes consideration and planning. Don't settle. From the beginning, ensure your cloud service provider has your compliance and audit needs in mind. You want a provider who puts you first and wants you to benefit from the cloud. Find a provider that will keep your organization in compliance and protect you and your customers' sensitive data. Make sure they have the experience, skills, staff and processes to deliver on your specific compliance needs.
Discover the iland difference

With over 20 years of experience supporting customers and their critical workloads, iland has a keen understanding of the space and of the requirements and regulations that cloud customers are held to. In response, iland has developed specific compliance offerings for a wide range of industry regulations. Our team of certified, in-house compliance professionals consults with customers and provides assistance in interpreting reports and using report data to help them meet their requirements.

Schedule a consultation with one of our compliance experts today. Not quite ready to talk? That's OK. Take a look at a few of our other compliance-related materials first.

> Ensuring a Compliance Cloud That's Audit Ready
> Compliance Data Sheet
Contact

www.iland.com
+1 713 868 2267
+44 (0) 20 7096 0149
+31 (0) 10 808 0440
+65 3158 8438
+61 (0) 2 9056 7004

About iland

iland is a global cloud service provider of secure and compliant hosting for infrastructure (IaaS), disaster recovery (DRaaS), and backup as a service (BaaS). It is recognized by industry analysts as a leader in disaster recovery. The award-winning iland Secure Cloud Console natively combines deep layered security, predictive analytics, and compliance to deliver unmatched visibility and ease of management for all of iland's cloud services. Headquartered in Houston, Texas and London, UK, iland delivers cloud services from its data centers throughout the Americas, Europe, Australia and Asia. Learn more at iland.com.

2018 iland. All rights reserved.