Use This Ten-Point Checklist to Find Out
Farmington Hills, MI, March 29, 2011 – If
you’re a Covered Entity under HIPAA, you may be torn between moving
your data into the cloud or maintaining it the old-fashioned way –
in your own data center. Either way, you must be sure you’re
complying with HIPAA requirements. But according to Logicalis
(http://www.us.logicalis.com/),
an international provider of integrated information and
communications technology (ICT) solutions and services, there’s no
longer any reason to be concerned about moving healthcare data into
the cloud if your cloud provider has addressed privacy and
security.
For highly regulated industries like healthcare with strict
compliance requirements, the cloud presents a particular
challenge. “When it comes to the cloud, privacy and security
is a big deal for Covered Entities,” says Von Williams, security
analyst for Logicalis. “While it remains the ultimate
responsibility of the Covered Entity to comply with HIPAA, there
are policies and procedures that a cloud provider can have in place
to lift the burden of securing at-rest and in-transit data from the
shoulders of the Covered Entity.” The key, Williams says, is
in knowing what to look for.
To help healthcare IT pros assess a potential cloud provider’s
HIPAA readiness, Logicalis has developed a 10-point checklist
addressing privacy and security of healthcare data.
Is Your Cloud Provider HIPAA-Ready?
Your cloud provider may be HIPAA-ready if it meets these 10
conditions. But, think of these as forming a STOP sign in your
mind, Williams cautions. Don’t proceed to “Go” until every one of
these conditions is met.
1. Policies. Your cloud provider must have a
security program that meets the specific policies and procedures
required by HIPAA.
2. People. Your cloud provider should have a
dedicated person on-site whose job is to be responsible for
matching the provider’s offerings with HIPAA’s requirements.
3. Access Controls. It is vital that your cloud
provider has access controls in place that include electronic
identification and limit physical on-site data access to a
restricted list of people.
4. Encrypted Data in Transit. Unless the
provider is processing your data, the cloud provider cannot offer
security at the point of input, but it can ensure that the transfer
of that data to and from the cloud is encrypted and, therefore,
secure.
5. Encrypted Data at Rest. If the cloud
provider is storing healthcare data on hard drives, that data must
be encrypted and each drive accounted for at all times. That
includes any backup copies of the data as well.
6. Monitoring. For cloud providers to be
HIPAA-ready, daily operational procedures that log and monitor the
data in the cloud 24/7 for any suspicious activity are a must.
7. Breach Notification. In case of a security
breach, cloud providers must have an incident response process that
includes procedures for containing the incident and notification of
Covered Entities in accordance with HITECH.
8. Disaster Recovery. A cloud provider
should have a plan to address the recovery or continuation of
technology infrastructure critical to a Covered Entity after a
natural or human-induced disaster.
9. Data Location. Know where your data is
located; choose a cloud provider that stores your data on a server
in the United States. If your data is on servers residing in
foreign countries, the data may be subject to search by the foreign
governments in those countries.
10. Experience and Organization-Wide Awareness.
Make sure you choose a cloud provider that has a proven track
record of successfully managing cloud services for other healthcare
clients. You want a provider that has a security awareness
program for its entire organization in place so everyone there is
on board.
“The advantages cloud computing offers to healthcare providers
can be realized without sacrificing security,” Williams says.
“By storing your data in the cloud, you take advantage of a secure
environment with expandability and scalability in mind.
Through a flexible compute container cloud infrastructure, you can
accommodate spikes in business without adding cap-ex costs.
And even though you technically remain responsible for complying
with HIPAA, you can effectively offload a majority of the expensive
and time-consuming burden of safeguarding your healthcare data
while in transit and at rest to a HIPAA-ready cloud provider.”
About Logicalis
Logicalis is an international provider of integrated information
and communications technology (ICT) solutions and services founded
on a superior breadth of knowledge and expertise in communications
& collaboration; data center; and professional and managed
services.
Logicalis Group employs over 1,900 people worldwide, including
highly trained service specialists who design, specify, deploy and
manage complex ICT infrastructures to meet the needs of over 5,000
corporate and public sector customers. To achieve this,
Logicalis maintains strong partnerships with technology leaders
such as Cisco, HP, IBM and Microsoft.
The Logicalis Group has annualized revenues of $1 billion, from
operations in the UK, US, Germany, South America and Asia Pacific,
and is fast establishing itself as one of the leading IT and
Communications solution integrators, specializing in the areas of
advanced technologies and services.
The Logicalis Group is a division of Datatec Limited, listed on
the Johannesburg and London AIM Stock Exchanges, with revenues in
excess of $4 billion.
For more information, visit http://www.us.logicalis.com/.