Posted on 27-Jul-2018

GETTING YOUR CLOUD STRATEGY ON SOLID GROUND
Ensuring data protection in SaaS applications containing PHI
go.spanning.com/rs/832-UFI-346/images/Spanning...


Why read this white paper?

In February of 2016, a southern California hospital was severely operationally compromised by hackers using ransomware. The attackers took control of the hospital’s IT infrastructure, locking the staff out of their systems and resulting in patient diversion to other facilities.

This case, and countless others like it, underscores the need for healthcare providers and payers to ensure continuity of care by implementing robust data protection plans that enable rapid recovery from data loss.

If your organization manages e-PHI in cloud applications, the information in this white paper is key to keeping your organization compliant and productive.


Getting your cloud strategy on solid ground

Whether you’re just making the transition to cloud applications or you’ve already moved core business applications to SaaS (software as a service), you’re to be commended for advancing your industry and improving your level of service and care. We know that your industry continues to be saddled with increasing demands: better, faster, more affordable care and implementation of the latest technologies, while also maintaining strict privacy and security standards.

In service of these goals, many healthcare institutions, pharmaceutical organizations, and other entities managing protected health information are turning to the cloud to increase agility, connectivity, and accessibility. SaaS applications like Google Apps, Office 365, Salesforce, and Veeva are revolutionizing healthcare operations, but proper data protection, especially of PHI, remains a top concern for administrators.

If you too are concerned with your organization’s compliance, data protection, and privacy of information, read this white paper to:

- Better understand your relationship with your selected cloud vendor
- Learn a few notable gaps in the native data protection provided by cloud providers
- Discover how to fill those gaps in order to ensure compliance with HIPAA and other standards surrounding data protection, retention, and accessibility


Understanding your relationship with your cloud service providers and HIPAA

Ensuring you and your teams are trained and familiar with HIPAA requirements regarding data protection is an important facet of HIPAA compliance. This section highlights some of what you need to know to be compliant. For more details, see HIPAA Administrative Simplification information here.

THE BASICS OF HIPAA

The US Department of Health and Human Services mandates that covered entities and their business associates must comply with the Health Insurance Portability and Accountability Act (or HIPAA).

Covered entities are defined as:

- Health care providers
- Health plans
- Healthcare clearinghouses

Business associates include:

- Entities or persons that provide data transmission services to a covered entity and require routine access to protected health information (PHI)
- Subcontractors that create, receive, maintain, or transmit PHI on behalf of a business associate
- Vendors that offer personal health records to one or more individuals on behalf of a covered entity

As a covered entity, you are responsible for ensuring the security of protected health information in your health IT system. This requires that you institute measures to guard against unauthorized use and disclosure of PHI. One of these measures also requires covered entities to have contracts, known as Business Associate Agreements (BAAs), in place with their partners and affiliates to ensure that these associates will appropriately safeguard electronic PHI.


USING SAAS SERVICES WITH E-PHI

One such business associate is your selected cloud service provider (CSP), like Google, Microsoft, or Salesforce – the entity that furnishes your SaaS applications. You and your CSP are required to sign a Business Associate Agreement (BAA) if you plan to manage PHI in the cloud.

Be aware that some cloud providers restrict you to a subset of their application services so that PHI can be properly safeguarded, and IT administrators must configure their SaaS environments accordingly.

To learn about how Google, Salesforce, and Microsoft individually manage PHI and help you fulfill HIPAA requirements, visit these resources:

- Google Apps HIPAA compliance support
- Salesforce for healthcare overview
- Office 365 HIPAA FAQs


When migrating your current systems to the cloud, you’ll want to make sure your SaaS applications support the guidelines below. Observing the following can help ensure your organization and its Business Associates align with HIPAA requirements and Meaningful Use standards (principles that govern Electronic Health Record, or EHR, programs):

- Encryption of your data in transit and at rest
- Ownership of your data
- Data portability, with no vendor lock-in
- Enterprise integration, via open interfaces and APIs
- Complete compliance by protecting your unstructured data just like your structured data (EHR)



USING THIRD-PARTY APPLICATIONS WITH E-PHI

You will likely need to add third-party services to your SaaS environment to protect and enhance your use of Google Apps, Salesforce, or Office 365. In the eyes of the law, as well as your primary CSP, it is your organization’s responsibility to ensure that appropriate HIPAA-compliant measures are in place with any third-party application or service before sharing or transmitting e-PHI.

Thus, you’ll need to be prepared to sign additional Business Associate Agreements with the provider of any SaaS application that will integrate with your cloud environment.


CREATING AND USING CUSTOM SAAS APPLICATIONS ON A CLOUD PLATFORM

An important subset of SaaS applications which also must be HIPAA-compliant are the custom applications built to meet your organization’s operational needs. These will likely run on a CSP’s platform (like the internal-only custom apps built on Force.com, the Salesforce platform). These are often built to feed data into ERP systems, HR systems, and financial systems of record, so they’re key to your organization’s operations and will likely contain e-PHI.



Gaps in SaaS and CSP native data protection

RISK FACTORS IN THE CLOUD

You may think that your chosen provider has data protection, including backup and recovery of your critical information, covered, but in reality, there are several important gaps in the native data protection offered by your CSP.

Google, Microsoft, and Salesforce do an expert job of protecting your data from accidents and losses within their control – like server failures caused by a natural disaster. But they are severely limited in how they can protect you from mishaps that happen on your side of things, leaving you vulnerable to data loss caused by several risk factors.

Why? Google Apps, Office 365, and Salesforce are not designed to be specialized backup and recovery services in addition to the core applications they provide, and there are actually policies in place that restrict the data recovery capacities of these vendors.

While this may seem curious, consider this: your service level agreement (SLA) with your cloud vendor legally requires them to purge data you instruct them to delete. For example, Google warns, “Once an administrator or end-user has deleted any data in Google Apps, we delete it according to your Customer Agreement and our Privacy Policy.” Wouldn’t you be angry if they retained data you wish to have destroyed?

However, the problem is that your CSP has no way of knowing if the deletion is malicious, accidental, or intentional. Thus, unfortunately, when accidents do happen, CSPs can’t help you recover data quickly, if at all.


SaaS and CSP vendors cannot protect you from data loss due to:

Human error on your side
While not likely to lead to the same level of news coverage as hacking and malicious insider attacks, human error is common – it is the most frequent cause of data loss – and it can pose serious risks of HIPAA noncompliance as it constitutes a failure to protect e-PHI.

Sync errors
It’s rare for a SaaS application to not be integrated with other systems and applications, but once integrated, it is always possible for data loss to occur due to a failed sync. AMAG Pharmaceuticals experienced data loss when an HR folder was moved within Google Drive and didn’t sync correctly. As a result, all files were lost – including some that weren’t even owned by the user moving the folder.

Malicious insiders
Your e-PHI data can be at risk from malicious insiders. In one case, the FBI reported that an IT director for an organ donation nonprofit repeatedly gained unauthorized access to her employer’s network via a remote connection from her home and intentionally deleted numerous database files and software applications, as well as their backups. Further, attempting to conceal her activities, she disabled the logging functions on several servers and erased computer logs that recorded her remote access to the network.

Hacking
No matter whether data is breached, destroyed, or simply made inaccessible, it represents a failure to protect e-PHI. In a recent ransomware attack on a hospital, more than 900 patients needed to be moved to other medical centers because the hospital’s digital operations were shut down.

In spite of these risks, according to HIMSS Analytics, data backup and recovery systems are currently in use at only 35% of surveyed healthcare organizations. Just 31% are currently planning to adopt such systems, and more than 33% are not planning to use backup and recovery systems at all!



CSPS RECOMMEND THIRD-PARTY BACKUP

Even when a CSP can help you recover lost data, the process can be confusing, lengthy, and expensive. For example, recovering data through Salesforce can cost a minimum of $10,000 and can take several weeks. That’s why most CSPs recommend implementing a third-party backup solution to augment the protection they’re able to provide.

Google support tells its users, “For non-email data recovery solutions, please consult the Google Apps Marketplace, where one of our partners may have a solution suitable for your needs.” And Salesforce says, “We recommend that you use a partner backup solution that can be found on the AppExchange.”



Ensuring compliance with SaaS data protection

Losing data constitutes an unacceptable risk for your organization, in addition to interfering with patient care, employee collaboration, and record accessibility. And this can have serious implications for your ability to maintain compliance standards surrounding HIPAA and data protection, recoverability, and accessibility.

You’ll need to implement a HIPAA-compliant backup and restore solution to ensure your complete compliance and to eliminate worry over data loss (not to mention saving you from costly fines and negative press).

To help you identify an effective SaaS backup and restore solution for your organization, use the following checklist for evaluating third-party SaaS data protection solutions:

Cloud-to-cloud SaaS model
Choosing a cloud-to-cloud backup provider allows you to continue enjoying the cost-saving benefits that drew you to adopt SaaS applications. Instead of managing backups on-premises, an extremely time-consuming and error-prone activity, cloud solutions allow you to save time and money while managing backups more effectively and allowing your IT team to focus on more strategic endeavors.

Automated and on-demand backups
This gives you the option to “set it and forget it” as your backups will run automatically each day, while also enabling manual backup to support data protection before major changes to the IT organization or database are made.

Fast and accurate recovery
The operational and financial impact of data loss can be severe, in part due to the unseen cost of lost productivity. On the provider side alone, recent research shows that, for an organization with 50 providers where loss of access to data is within a typical CSP SLA of 96% uptime, the cost per year to that organization can be more than $2 million. Combine that with HIPAA compliance risk and related fines, and you have a perfect financial storm – unless fast and accurate data recovery is part of your evaluation process. Look for a backup and restore solution that can get your data back from any point in time in just a matter of clicks.


Auditability and immutability
HIPAA compliance requires that you ensure changes to e-PHI are auditable, and that there is an immutable record of data at a backup point in time.

Data encryption at rest and in transit
This ensures the privacy and security of e-PHI with robust encryption; it’s also a HIPAA requirement.

SOC 2 and HIPAA compliance
Every link in the chain related to e-PHI should be HIPAA-compliant and highly secure, and that extends to third-party vendors providing backup solutions.

Now that you have a better understanding of your risks and responsibilities while managing PHI in SaaS applications, it’s time to explore options for a cloud-to-cloud backup and restore solution that fits your organization’s needs.
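As an added illustration (not Spanning's code, nor any CSP's or product's), the Python below shows what the "any point in time", "auditability and immutability" checklist items look like in practice for SaaS records: a point-in-time snapshot carries a per-record SHA-256 manifest so tampering is detectable, a diff against the live tenant shows what was deleted or changed since the backup, and a restore refuses to run from a snapshot that fails its integrity check and writes an audit entry for every record it puts back. All record identifiers, field values and the actor name are constructed for the example.

```python
import hashlib
import json

# Constructed sample: two SaaS records holding e-PHI-like fields (not real data).
RECORDS_DAY1 = {
    "patient-001": {"name": "Jane Roe", "mrn": "MRN-0001", "note": "follow-up in 2 weeks"},
    "patient-002": {"name": "John Roe", "mrn": "MRN-0002", "note": "labs ordered"},
}


def canonical(obj):
    # Stable serialisation so identical content always hashes identically.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def take_snapshot(records, taken_at):
    """Point-in-time copy of the records plus a hash manifest and a manifest digest."""
    manifest = {rid: hashlib.sha256(canonical(rec)).hexdigest() for rid, rec in records.items()}
    return {
        "taken_at": taken_at,
        "records": {rid: dict(rec) for rid, rec in records.items()},  # defensive copy
        "manifest": manifest,
        "digest": hashlib.sha256(canonical(manifest)).hexdigest(),
    }


def verify_snapshot(snapshot):
    """Re-derive the manifest from the stored records; any edit changes the digest."""
    recomputed = {rid: hashlib.sha256(canonical(rec)).hexdigest()
                  for rid, rec in snapshot["records"].items()}
    digest_ok = hashlib.sha256(canonical(recomputed)).hexdigest() == snapshot["digest"]
    return recomputed == snapshot["manifest"] and digest_ok


def diff_against_live(snapshot, live):
    """Audit view: records deleted from, or changed in, the live tenant since the snapshot."""
    deleted = sorted(set(snapshot["records"]) - set(live))
    changed = sorted(rid for rid in set(snapshot["records"]) & set(live)
                     if hashlib.sha256(canonical(live[rid])).hexdigest() != snapshot["manifest"][rid])
    return {"deleted": deleted, "changed": changed}


def restore(snapshot, live, record_ids, actor, audit_log):
    """Put selected records back from the snapshot, logging who restored what from when."""
    if not verify_snapshot(snapshot):
        raise ValueError("snapshot integrity check failed; refusing to restore")
    restored = dict(live)
    for rid in record_ids:
        restored[rid] = dict(snapshot["records"][rid])
        audit_log.append({"action": "restore", "record": rid,
                          "from_snapshot": snapshot["taken_at"], "actor": actor})
    return restored


def demo():
    # Nightly backup, then an accidental deletion and an edit in the live tenant (constructed).
    snap = take_snapshot(RECORDS_DAY1, "2016-03-01T02:00:00Z")
    live = {"patient-002": {"name": "John Roe", "mrn": "MRN-0002", "note": "labs cancelled"}}
    audit = []
    changes = diff_against_live(snap, live)
    recovered = restore(snap, live, changes["deleted"], actor="admin@example.org", audit_log=audit)
    return changes, recovered, audit
```

The changed record is surfaced for review rather than silently overwritten, since the edit may be legitimate; only the deleted one is restored automatically.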


“As an FDA regulated business, we have certain compliance requirements that we have to achieve – the biggest one being data retention. Because I know Spanning just works and our data in the cloud is protected regardless of what happens at Microsoft, it’s one less thing we need to worry about on a daily basis.”

TODD MILLER
IT Director, Millar, Inc.


About Spanning by EMC

Spanning helps healthcare payers, providers, and organizations in the healthcare and pharmaceutical industries work in the cloud with confidence when using leading SaaS applications like Google Apps, Office 365, and Salesforce.

Spanning Backup provides automated, daily backups of your application data and the ability to restore any lost or deleted data back into your environment from any point in time. The restore process makes it easy for both application administrators and end users to quickly recover lost or deleted data without calling in an IT expert.

Contact a product specialist to learn more about what Spanning Backup can do for your organization at +1-855-295-8111 or visit www.spanning.com.

© 2016 Spanning Cloud Apps, Inc. All Rights Reserved. 5001 - 0316