Simple Guide to HIPAA Compliance
July 24, 2014 | DevOps | Kevin O'Brien
Cloud HIPAA Compliance with Conjur
HIPAA compliance is a common requirement for organizations that are moving infrastructure, workflows, and business processes to the cloud. It brings requirements for managing access to appliances, databases, and devices, as well as for controlling permissions to access and modify data. Ensuring full visibility for audits and regulatory adherence can be a massive undertaking, and shifting PHI and sensitive data to the cloud is often viewed with a combination of trepidation and resistance.
But does it have to be this way?
An article from 2013 disputes the common idea that housing, analyzing, and sharing (in this case specifically genomic) data in the cloud carries more breach risk than hosting on-prem. The primary sources of data breaches reported to the Department of Health and Human Services were, interestingly, “loss or theft of an electronic device” such as a laptop or flash drive with unencrypted data.
Obviously, this particular data exfiltration vector can be addressed by moving protected information to the cloud. Doing so also introduces new risks, but unlike physical data loss, these can be addressed through operations and management, decreasing the risk of human error.
Conjur can help implement these operational and automated HIPAA compliance processes. As a recent post points out, the terms can be muddled and confusing, but we have put together a HIPAA Resource Sheet to help address and clarify where and how to map our authz platform to your HIPAA requirements.