As we’ve discussed in past blogs, your public or private cloud vendor plays an instrumental role in your compliance attestation. Without proper management – and due diligence during the selection process – cloud vendors can become a liability rather than a helpful resource for minimizing your security and compliance burdens. They can easily become a weak link in your security posture, potentially jeopardizing your ability to safely and properly handle sensitive ePHI data in the cloud.
However, ensuring that your cloud vendors don’t essentially become high-priced vulnerabilities isn’t necessarily a clear-cut task – especially with the prevalence of too-good-to-be-true sales pitches, miscommunications and confusion regarding shared responsibility.
Back to Basics on Vendor Management
With complications mounting and the business need for cloud vendors building, there’s only one thing to do: focus on the basics.
In this two-part blog series, we’ll do just that – establish a straightforward, actionable framework for selecting and managing your cloud vendors. Part one, which we’ll cover today, concentrates on the key HIPAA compliance questions to ask cloud vendors during the selection process.
This due diligence, while broad by design, will help you identify HIPAA compliance-related red flags in potential cloud vendors.
Key HIPAA Compliance Questions for Cloud Vendors
- Which security controls do you provide?
All cloud vendors provide infrastructure to host your data and applications. Many also offer additional services, but are they the ones you need? Compare these to the deficiencies identified during a security gap analysis. Common additional services include malware protection, file integrity monitoring, patch management, intruder detection and vulnerability scanning.
- How do you handle shared responsibility?
While our focus on due diligence puts potential cloud vendors in the spotlight, it’s not to imply that they’re the sole source of cloud-based security inadequacies or mishaps. In fact, as you’re hopefully aware, working with a cloud vendor does not exempt you from managing the security of your cloud data. What your cloud vendor is and isn’t responsible for regarding security should be outlined in a shared responsibility matrix.
- Do you have (XYZ) certification?
Many cloud vendors tout their various certifications. Based on a gap analysis, you should know which aspects are important to you. Maybe you already have great malware protection but lack a security solution for BYOD or incident management.
Since there are no certifications for individual areas, but rather against frameworks like HITRUST, it’s important when reviewing vendor certifications to be able to verify that the scope of the assessment covers the controls you care about. Many vendors don’t include every service in their scope. For instance, AWS only allows usage of certain services for processing ePHI while being covered according to their Business Associate Addendum (BAA).
Also, ensure that they cover the requirements at a sufficient level of complexity. Not all certifications are equal. For example, HITRUST requirements are more stringent than SOC2 or PCI attestation of compliance (AOC), which many hosting providers lean on for proof of compliance. That’s why it’s critical you also have the right to audit, as it will often be necessary to dig deeper into different areas to address your specific needs.
- Will I have the right to audit?
Since we’ve established that you share responsibility for HIPAA compliance with your cloud vendor, you need to be able to check that they do what they say they do. You should either have the right to audit or ask them to provide an attestation of certain aspects of their operations.
Armed with your gap analysis and HIPAA compliance questions like these, you should be able to find and assess a cloud vendor that fits the needs of your organization. Now it’s time to make them part of your team.
In part two of our HIPAA compliance blog series, we detail how to manage your vendors and ensure that they complement your HIPAA compliance needs – instead of working against them.