Getting your cloud strategy on solid ground
Ensuring data protection in SaaS applications containing PHI
Why read this white paper?

In February of 2016, a southern California hospital was severely operationally compromised by hackers using ransomware. The attackers took control of the hospital’s IT infrastructure, locking the staff out of their systems and resulting in patient diversion to other facilities.

This case, and countless others like it, underscores the need for healthcare providers and payers to ensure continuity of care by implementing robust data protection plans that enable rapid recovery from data loss.

If your organization manages e-PHI in cloud applications, the information in this white paper is key to keeping your organization compliant and productive.
Getting your cloud strategy on solid ground

Whether you’re just making the transition to cloud applications or you’ve already moved core business applications to SaaS (software as a service), you’re to be commended for advancing your industry and improving your level of service and care. We know that your industry continues to be saddled with increasing demands: better, faster, more affordable care and implementation of the latest technologies, while also maintaining strict privacy and security standards.

In service of these goals, many healthcare institutions, pharmaceutical organizations, and other entities managing protected health information are turning to the cloud to increase agility, connectivity, and accessibility. SaaS applications like Google Apps, Office 365, Salesforce, and Veeva are revolutionizing healthcare operations, but proper data protection, especially of PHI, remains a top concern for administrators.

If you too are concerned with your organization’s compliance, data protection, and privacy of information, read this white paper to:

- Better understand your relationship with your selected cloud vendor
- Learn a few notable gaps in the native data protection provided by cloud providers
- Discover how to fill those gaps in order to ensure compliance with HIPAA and other standards surrounding data protection, retention, and accessibility
Understanding your relationship with your cloud service providers and HIPAA

Ensuring you and your teams are trained and familiar with HIPAA requirements regarding data protection is an important facet of HIPAA compliance. This section highlights some of what you need to know to be compliant. For more details, see the HIPAA Administrative Simplification information published by the US Department of Health and Human Services.

THE BASICS OF HIPAA

The US Department of Health and Human Services mandates that covered entities and their business associates must comply with the Health Insurance Portability and Accountability Act (or HIPAA).

Covered entities are defined as:

- Health care providers
- Health plans
- Healthcare clearinghouses

Business associates include:

- Entities or persons that provide data transmission services to a covered entity and require routine access to protected health information (PHI)
- Subcontractors that create, receive, maintain, or transmit PHI on behalf of a business associate
- Vendors that offer personal health records to one or more individuals on behalf of a covered entity

As a covered entity, you are responsible for ensuring the security of protected health information in your health IT system. This requires that you institute measures to guard against unauthorized use and disclosure of PHI. One of these measures requires covered entities to have contracts, known as Business Associate Agreements (BAAs), in place with their partners and affiliates to ensure that these associates will appropriately safeguard electronic PHI.
USING SAAS SERVICES WITH E-PHI

One such business associate is your selected cloud service provider (CSP), like Google, Microsoft, or Salesforce – the entity that furnishes your SaaS applications. You and your CSP are required to sign a Business Associate Agreement (BAA) if you plan to manage PHI in the cloud.

Be aware that some cloud providers restrict you to a subset of their application services so that PHI can be properly safeguarded, and IT administrators must configure their SaaS environments accordingly.

To learn about how Google, Salesforce, and Microsoft individually manage PHI and help you fulfill HIPAA requirements, visit these resources:

- Google Apps HIPAA compliance support
- Salesforce for healthcare overview
- Office 365 HIPAA FAQs
When migrating your current systems to the cloud, you’ll want to make sure your SaaS applications support the guidelines below. Observing the following can help ensure your organization and its Business Associates align with HIPAA requirements and Meaningful Use standards (principles that govern Electronic Health Record, or EHR, programs):

- Encryption of your data in transit and at rest
- Ownership of your data
- Data portability, with no vendor lock-in
- Enterprise integration, via open interfaces and APIs
- Complete compliance by protecting your unstructured data just like your structured data (EHR)
USING THIRD-PARTY APPLICATIONS WITH E-PHI

You will likely need to add third-party services to your SaaS environment to protect and enhance your use of Google Apps, Salesforce, or Office 365. In the eyes of the law, as well as your primary CSP, it is your organization’s responsibility to ensure that appropriate HIPAA-compliant measures are in place with any third-party application or service before sharing or transmitting e-PHI.

Thus, you’ll need to be prepared to sign additional Business Associate Agreements with the provider of any SaaS application that will integrate with your cloud environment.
CREATING AND USING CUSTOM SAAS APPLICATIONS ON A CLOUD PLATFORM

An important subset of SaaS applications that must also be HIPAA-compliant is the set of custom applications built to meet your organization’s operational needs. These will likely run on a CSP’s platform (like the internal-only custom apps built on Force.com, the Salesforce platform). These are often built to feed data into ERP systems, HR systems, and financial systems of record, so they’re key to your organization’s operations and will likely contain e-PHI.
Gaps in SaaS and CSP native data protection

RISK FACTORS IN THE CLOUD

You may think that your chosen provider has data protection, including backup and recovery of your critical information, covered, but in reality, there are several important gaps in the native data protection offered by your CSP.

Google, Microsoft, and Salesforce do an expert job of protecting your data from accidents and losses within their control – like server failures caused by a natural disaster. But they are severely limited in how they can protect you from mishaps that happen on your side of things, leaving you vulnerable to data loss caused by several risk factors.

Why? Google Apps, Office 365, and Salesforce are not designed to be specialized backup and recovery services in addition to the core applications they provide, and there are actually policies in place that restrict the data recovery capacities of these vendors.

While this may seem curious, consider this: Your service level agreement (SLA) with your cloud vendor legally requires them to purge data you instruct them to delete. For example, Google warns, “Once an administrator or end-user has deleted any data in Google Apps, we delete it according to your Customer Agreement and our Privacy Policy.” Wouldn’t you be angry if they retained data you wish to have destroyed?

However, the problem is that your CSP has no way of knowing if the deletion is malicious, accidental, or intentional. Thus, unfortunately, when accidents do happen, CSPs can’t help you recover data quickly, if at all.
SaaS and CSP vendors cannot protect you from data loss due to:

Human error on your side

While not likely to lead to the same level of news coverage as hacking and malicious insider attacks, human error is common – it is the most frequent cause of data loss – and it can pose serious risks of HIPAA noncompliance as it constitutes a failure to protect e-PHI.

Sync errors

It’s rare for a SaaS application to not be integrated with other systems and applications, but once integrated, it is always possible for data loss to occur due to a failed sync. AMAG Pharmaceuticals experienced data loss when an HR folder was moved within Google Drive and didn’t sync correctly. As a result, all files were lost – including some that weren’t even owned by the user moving the folder.

Malicious insiders

Your e-PHI data can be at risk from malicious insiders. In one case, the FBI reported that an IT director for an organ donation nonprofit repeatedly gained unauthorized access to her employer’s network via a remote connection from her home and intentionally deleted numerous database files and software applications, as well as their backups. Further, attempting to conceal her activities, she disabled the logging functions on several servers and erased computer logs that recorded her remote access to the network.

Hacking

No matter whether data is breached, destroyed, or simply made inaccessible, it represents a failure to protect e-PHI. In a recent ransomware attack on a hospital, more than 900 patients needed to be moved to other medical centers because the hospital’s digital operations were shut down.

In spite of these risks, according to HIMSS Analytics, data backup and recovery systems are currently in use at only 35% of surveyed healthcare organizations. Just 31% are currently planning to adopt such systems, and more than 33% are not planning to use backup and recovery systems at all!
CSPS RECOMMEND THIRD-PARTY BACKUP

Even when a CSP can help you recover lost data, the process can be confusing, lengthy, and expensive. For example, recovering data through Salesforce can cost a minimum of $10,000 and can take several weeks. That’s why most CSPs recommend implementing a third-party backup solution to augment the protection they’re able to provide.

Google support tells its users, “For non-email data recovery solutions, please consult the Google Apps Marketplace, where one of our partners may have a solution suitable for your needs.” And Salesforce says, “We recommend that you use a partner backup solution that can be found on the AppExchange.”
Ensuring compliance with SaaS data protection

Losing data constitutes an unacceptable risk for your organization, in addition to interfering with patient care, employee collaboration, and record accessibility. And this can have serious implications for your ability to maintain compliance standards surrounding HIPAA and data protection, recoverability, and accessibility.

You’ll need to implement a HIPAA-compliant backup and restore solution to ensure your complete compliance and to eliminate worry over data loss (not to mention saving you from costly fines and negative press).

To help you identify an effective SaaS backup and restore solution for your organization, use the following checklist for evaluating third-party SaaS data protection solutions:

Cloud-to-cloud SaaS model

Choosing a cloud-to-cloud backup provider allows you to continue enjoying the cost-saving benefits that drew you to adopt SaaS applications. Instead of managing backups on-premises, an extremely time-consuming and error-prone activity, cloud solutions allow you to save time and money while managing backups more effectively and allowing your IT team to focus on more strategic endeavors.

Automated and on-demand backups

This gives you the option to “set it and forget it” as your backups will run automatically each day, while also enabling manual backup to support data protection before major changes to the IT organization or database are made.

Fast and accurate recovery

The operational and financial impact of data loss can be severe, in part due to the unseen cost of lost productivity. On the provider side alone, recent research shows that, for an organization with 50 providers where loss of access to data is within a typical CSP SLA of 96% uptime, the cost per year to that organization can be more than $2 million. Combine that with HIPAA compliance risk and related fines, and you have a perfect financial storm – unless fast and accurate data recovery is part of your evaluation process. Look for a backup and restore solution that can get your data back from any point in time in just a matter of clicks.
Auditability and immutability

HIPAA compliance requires that you ensure changes to e-PHI are auditable, and that there is an immutable record of data at a backup point in time.

Data encryption at rest and in transit

This ensures the privacy and security of e-PHI with robust encryption; it’s also a HIPAA requirement.

SOC 2 and HIPAA compliance

Every link in the chain related to e-PHI should be HIPAA-compliant and highly secure; and that extends to third-party vendors providing backup solutions.
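The checklist items on point-in-time recovery and on auditability and immutability can be made concrete with a small model of how a backup service might record each day's snapshot. The Python below is an added example, not Spanning's code or any CSP's API; the document names, dates and the hash-chained manifest layout are constructed for this illustration. Each backup point stores a SHA-256 digest per document and chains to the previous manifest, so a change or deletion between two points is auditable, a rewritten manifest is detected, and any earlier point can be restored with its integrity checked:

```python
"""Hash-chained, point-in-time backup manifests (illustrative, constructed data).

Added example, not Spanning's product code. Document names, dates and the
manifest layout are assumptions made for this demonstration.
"""
import hashlib
import json

GENESIS = "0" * 64  # prev_hash carried by the first manifest in a chain


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def _hash_body(body):
    # Canonical JSON so the same manifest always hashes the same way
    return sha256_hex(json.dumps(body, sort_keys=True).encode())


def take_snapshot(records, taken_on, store, prev_manifest=None):
    """Back up one day's documents.

    Contents go into a content-addressed store (keyed by SHA-256, so unchanged
    documents are stored once); the manifest records a digest per document and
    chains to the previous manifest's hash, giving each backup point a
    verifiable record that cannot be silently rewritten.
    """
    entries = {}
    for doc_id, content in records.items():
        digest = sha256_hex(content)
        store.setdefault(digest, content)
        entries[doc_id] = digest
    body = {
        "taken_on": taken_on,
        "prev_hash": prev_manifest["manifest_hash"] if prev_manifest else GENESIS,
        "entries": entries,
    }
    return dict(body, manifest_hash=_hash_body(body))


def verify_chain(manifests):
    """True only if every manifest hash recomputes and each links to its predecessor."""
    expected_prev = GENESIS
    for m in manifests:
        body = {k: m[k] for k in ("taken_on", "prev_hash", "entries")}
        if m["prev_hash"] != expected_prev or _hash_body(body) != m["manifest_hash"]:
            return False
        expected_prev = m["manifest_hash"]
    return True


def audit_changes(old, new):
    """Audit trail between two backup points: what was added, modified, deleted."""
    old_e, new_e = old["entries"], new["entries"]
    return {
        "added": sorted(set(new_e) - set(old_e)),
        "deleted": sorted(set(old_e) - set(new_e)),
        "modified": sorted(d for d in set(old_e) & set(new_e) if old_e[d] != new_e[d]),
    }


def restore(manifest, store):
    """Rebuild every document as it was at that backup point, refusing any
    stored content whose digest no longer matches the manifest."""
    recovered = {}
    for doc_id, digest in manifest["entries"].items():
        content = store[digest]
        if sha256_hex(content) != digest:
            raise ValueError("stored content for %s fails integrity check" % doc_id)
        recovered[doc_id] = content
    return recovered


# Constructed sample data: two daily backups of a small document set.
DAY1 = {
    "hr/benefits.docx": b"2016 benefits summary v1",
    "hr/onboarding.docx": b"new-hire onboarding checklist",
    "patients/intake-form.pdf": b"%PDF intake form",
}
DAY2 = {
    "hr/benefits.docx": b"2016 benefits summary v2",  # edited by a user
    # hr/onboarding.docx is missing: lost in a failed folder sync
    "patients/intake-form.pdf": b"%PDF intake form",
    "patients/consent.pdf": b"%PDF consent form",  # newly added
}


def run_demo():
    store = {}
    m1 = take_snapshot(DAY1, "2016-03-01", store)
    m2 = take_snapshot(DAY2, "2016-03-02", store, prev_manifest=m1)

    # Someone rewrites the day-1 manifest and even recomputes its own hash;
    # the day-2 manifest still points at the original hash, so the chain breaks.
    forged_body = {
        "taken_on": m1["taken_on"],
        "prev_hash": m1["prev_hash"],
        "entries": {**m1["entries"], "hr/onboarding.docx": sha256_hex(b"forged")},
    }
    forged = dict(forged_body, manifest_hash=_hash_body(forged_body))

    return {
        "chain_ok": verify_chain([m1, m2]),
        "changes": audit_changes(m1, m2),
        "recovered_onboarding": restore(m1, store)["hr/onboarding.docx"],
        "forgery_detected": not verify_chain([forged, m2]),
    }


if __name__ == "__main__":
    print(json.dumps({k: (v.decode() if isinstance(v, bytes) else v)
                      for k, v in run_demo().items()}, indent=2))
```

Running it prints the audit of the day-2 changes (one edit, one file lost in a sync, one addition), the day-1 copy of the lost file recovered from the store, and the result of the forgery check. Encryption of the store and access logging around restore operations, which the encryption and SOC 2 items above call for, sit outside this sketch.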
Now that you have a better understanding of your risks and responsibilities while managing PHI in SaaS applications, it’s time to explore options for a cloud-to-cloud backup and restore solution that fits your organization’s needs.
“As an FDA regulated business, we have certain compliance requirements that we have to achieve – the biggest one being data retention. Because I know Spanning just works and our data in the cloud is protected regardless of what happens at Microsoft, it’s one less thing we need to worry about on a daily basis.”

TODD MILLER
IT Director, Millar, Inc.
About Spanning by EMC

Spanning helps healthcare payers, providers, and organizations in the healthcare and pharmaceutical industries work in the cloud with confidence when using leading SaaS applications like Google Apps, Office 365, and Salesforce.

Spanning Backup provides automated, daily backups of your application data and the ability to restore any lost or deleted data back into your environment from any point in time. The restore process makes it easy for both application administrators and end users to quickly recover lost or deleted data without calling in an IT expert.

Contact a product specialist to learn more about what Spanning Backup can do for your organization at +1-855-295-8111 or visit www.spanning.com.

© 2016 Spanning Cloud Apps, Inc. All Rights Reserved. 5001 - 0316