You can demonstrate compliance in the cloud against HIPAA/HITRUST, PCI DSS and other regulatory frameworks, but it takes time, money, and expertise to produce the documentation you need to prove it.
The benefits cloud computing offers include improved productivity, easier off-campus access, and reduced IT cost. Forbes reported that 74 percent of CFOs name cloud computing as having the most measurable impact on their business, so many organizations have already migrated to the cloud or are planning to. Yet there are trade-offs. How can a business be sure that its provider is protecting company information wherever the data resides, and that the result still satisfies its regulators?
Although enterprises retain a high level of control in a private cloud, using public or hybrid cloud services can create compliance problems when it is done haphazardly. Cloud service providers like LightEdge can help customers achieve compliance in the cloud through proven experience, current knowledge of the standards and best practices, and 24/7 diligence. Done correctly, migrating to the cloud can actually reduce your compliance load. Here is the ultimate guide to building a highly compliant cloud environment.
Vet Out a Compliant Cloud Service Provider
Many cloud providers still focus on delivering storage and compute with little or no security provision. The burden then falls on the customer either to meet the regulatory requirements alone or to verify that the provider actually complies with the regulations that protect the customer's data.
There are, however, providers that take your data security as seriously as you do. Not only are more cloud providers paying attention and helping customers achieve compliance, but regulators have also started to recognize the benefits cloud computing can bring to an organization's security posture. As a result, guidelines and standards have been updated to address security in the cloud explicitly.
For example, the 2013 HIPAA Omnibus Rule issued by the U.S. Department of Health and Human Services (HHS) expanded the definition of a business associate, and HHS has since confirmed that a cloud service provider that creates, receives, maintains, or transmits protected health information (PHI) on behalf of a covered entity is a business associate, even when it stores only encrypted data and never holds the decryption key. This means cloud service providers must themselves comply with HIPAA. According to HHS, the covered entity (or business associate) and the cloud service provider must enter into a HIPAA-compliant business associate agreement (BAA). The cloud service provider is both contractually liable for meeting the terms of the BAA and directly liable for compliance with the applicable requirements of the HIPAA Rules.
In addition, the PCI Security Standards Council has published the Third-Party Security Assurance information supplement, which addresses the use of service providers, including cloud providers, in a PCI DSS context. When vetting cloud service providers, look for those that run standards-based environments and are assessed against the same regulatory frameworks that your organization must comply with.
Many providers advertise compliance, so check the contract and service level agreement language carefully. A good number of providers say they follow certain regulations but have never gone through the audit process that would actually validate it. Any cloud service provider you consider should be able to hand you the evidence, such as a current SOC 2 report, a PCI DSS Attestation of Compliance, or a HITRUST certification letter, rather than a logo on a web page, and should be able to prove the same thing to your auditor.
LightEdge’s Chief Security Officer and Chief Compliance Officer, Jake Gibson, is available at no charge to all of our customers. He provides security assessments and walks line-by-line through the compliance regulations with customers to establish which compliance burdens LightEdge will take over on behalf of the client. He also offers proven best practices to help ensure audit readiness.
Understanding Compliance in the Cloud
Once you have narrowed the field to a few compliant cloud service providers, it is important to understand the division of responsibility. The cloud can increase the complexity of IT security, and your IT organization must rely on the cloud service provider's ability to secure data and meet critical compliance standards. Establish and allocate responsibility for every security control, in writing, at the beginning of the relationship with a cloud provider.
While the various compliance standards involve different processes to achieve certification, some methods remain consistent regardless of the specific standard. Taking a closer look at each standard, the challenges it presents, and the questions to ask will help you determine which cloud service provider can best meet your compliance needs.
Here is a quick rundown of common compliance standards, challenges they present, and good questions to ask your cloud service provider:
HIPAA requires covered entities (health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically) and their business associates to comply with specific security, privacy, and breach notification rules for the storage and transmission of protected health information (PHI), including electronic PHI. HIPAA is enforced by the HHS Office for Civil Rights (OCR); the Health Information Trust Alliance (HITRUST) is a private organization whose framework maps these rules to specific, assessable controls.
HIPAA establishes requirements for the use, disclosure, and safeguarding of protected health information (PHI). HIPAA should be top-of-mind for any organization that handles or stores sensitive healthcare data, including:
- Health Insurance Providers
- HR departments
Due to the shifting IT landscape, 80% of healthcare data is expected to move to the cloud by 2020. It is becoming increasingly uneconomical for businesses to run their own data centers as HIPAA considerations for storage, security, and IT infrastructure keep growing. The transition away from traditional on-site storage is well under way, and businesses are looking for cloud partners that build HIPAA into their control environment to keep sensitive healthcare data secure.
There are many inconsistencies and ambiguous details in the requirements for HIPAA compliance. The vague language and lack of guidance make it difficult to know what HIPAA's "reasonable and appropriate" protections mean in practice. If you get them wrong, you risk hefty fines and security breaches, or worse, the loss of your brand reputation. HITRUST helps fill in those missing pieces with prescriptive controls for the healthcare industry.
HITRUST (The Health Information Trust Alliance) created the Common Security Framework (CSF) and incorporated best practices across several industries to create a meaningful, robust compliance framework for healthcare.
Potential HIPAA/HITRUST Compliance Challenges
Many cloud service providers claim to be "HIPAA certified," yet the Department of Health and Human Services neither requires nor formally recognizes any HIPAA certification for cloud providers. If a provider claims HIPAA certification, take a second look at what it actually means.
Because there is no formal HIPAA certification, LightEdge has instead undergone a third-party examination against the HIPAA Security Rule and the HITECH breach notification requirements and has been issued a Type 1 attestation report by an independent CPA firm. Note that a Type 1 report covers the design of controls at a point in time; ask whether a Type 2 report, which tests operating effectiveness over a period, is also available.
HITRUST CSF certification is a demanding, audited process, and very few hosting providers have completed it. LightEdge is one of the few providers that has been HITRUST assessed and certified.
If the cloud service provider that you are vetting is not HITRUST certified, challenges that you could face include spending considerable time and money during audit season and putting your customers’ critical data at risk.
Questions to ask your Cloud Provider about HIPAA and HITRUST Compliance
Consider the following questions as you continue to vet out cloud service providers:
- Do you have a Compliance Officer or a designated official responsible for HIPAA/HITRUST?
- Have you been independently audited against the HIPAA audit protocol?
- How many of your customers are in the healthcare industry and rely on you to facilitate HIPAA compliance?
- What are your disaster recovery and business continuity solutions?
Any organization that handles credit or debit card information needs to abide by the Payment Card Industry Data Security Standard (PCI DSS) requirements. Yet, according to a 2016 study by Verizon, only 50% of organizations meet all 12 PCI requirements, and half of those companies fell out of compliance within 9 months of validation. There’s strong correlation between PCI DSS non-compliance and the likelihood of suffering a data breach.
PCI DSS is an information security standard for organizations that store, process, or transmit cardholder data. It is mandated by the major card brands and administered by the Payment Card Industry Security Standards Council. The standard is intended to tighten controls around cardholder data and reduce card fraud. Compliance must be validated annually; depending on transaction volume, that means a Report on Compliance performed either by an external Qualified Security Assessor (QSA) or by a trained Internal Security Assessor (ISA), or, for smaller merchants, a Self-Assessment Questionnaire (SAQ).
Potential PCI DSS Challenges
Your cloud service provider needs to take ownership of access controls and the separation between customers, and must be able to demonstrate that those controls are effective. The recommended practice for customers subject to PCI DSS is to work with a cloud service provider whose services have been independently assessed as PCI DSS compliant. Remember that the provider's compliance does not make you compliant: PCI DSS (requirement 12.8.5) requires you to document which requirements each service provider manages and which remain yours, so ask for the provider's Attestation of Compliance and its responsibility matrix, and confirm that the services you will actually use are listed in scope.
Customers must ask the right questions to ensure that the provider is the right third party to partner with, and should insist on visibility into the physical and virtual security measures that protect their critical data.
Questions to ask your Cloud Provider about PCI DSS Compliance
Consider the following questions as you continue to vet out cloud service providers:
- Have you been assessed by a QSA against all 12 PCI DSS requirements, and can you provide the Attestation of Compliance showing which services were in scope?
- Are other parties involved in the service delivery, security or support?
- What physical security measures are in place at your data center(s)?
- Do you have environmental controls and redundant power units in place at all of your data centers?
- How are your PCI DSS assessments validated?
- Can I tour your data center facility and personally meet your expert team to review the data center design and operating procedures?
Access Control is Key
Having proper controls over system and data access is critical to regulatory IT compliance in the cloud. During an audit, the business must provide evidence of the level of access each user has and of how those levels are granted, reviewed, and revoked. Your cloud service provider should have access controls in place and should review and update them regularly.
When vetting potential providers, ask whether they will provide documentation showing which users have access to the system, when they have (and last used) that access, and what each user can do with it. This evidence is required by several regulations. According to Forrester, 80 percent of security breaches involve privileged credentials, so pay particular attention to the administrative accounts.
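The evidence an auditor asks for here is essentially an access review: who has access, what they can do, when they last used it, and who approved it. The following Python script is an added example written for this article (it is not LightEdge code and not any provider's tool); it takes a constructed snapshot of access records and produces a review report that puts privileged and problematic entries first. The role names, the 90-day staleness threshold, and the sample records are all assumptions made for the example.

```python
"""Access-review report generator (added example; assumptions marked inline)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional

PRIVILEGED_ROLES = frozenset({"admin", "root", "db_owner"})  # assumed role names
STALE_AFTER_DAYS = 90                                          # assumed review policy
REVIEW_DATE = date(2019, 3, 5)                                 # assumed review date


@dataclass(frozen=True)
class AccessRecord:
    user: str
    system: str
    roles: FrozenSet[str]
    granted: date
    last_used: Optional[date]   # None means the account has never been used
    mfa: bool
    approver: Optional[str]     # None means no change ticket / approval on file


def review_access(records: List[AccessRecord], today: date) -> List[Dict]:
    """Build one report row per access record and flag what needs action."""
    report = []
    for r in records:
        issues = []
        privileged = bool(r.roles & PRIVILEGED_ROLES)
        if privileged and not r.mfa:
            issues.append("privileged-without-mfa")
        if r.approver is None:
            issues.append("no-documented-approval")
        # A never-used grant ages from the day it was granted.
        last_activity = r.last_used or r.granted
        if (today - last_activity).days > STALE_AFTER_DAYS:
            issues.append("never-used" if r.last_used is None else "stale")
        report.append({
            "user": r.user,
            "system": r.system,
            "roles": sorted(r.roles),
            "privileged": privileged,
            "granted": r.granted.isoformat(),
            "last_used": r.last_used.isoformat() if r.last_used else None,
            "issues": issues,
        })
    # Privileged rows first, then rows with findings, so reviewers see risk first.
    report.sort(key=lambda e: (not e["privileged"], not e["issues"], e["user"]))
    return report


def summarize(report: List[Dict]) -> Dict[str, int]:
    """Totals suitable for the cover page of the review."""
    return {
        "entries": len(report),
        "privileged": sum(1 for e in report if e["privileged"]),
        "needs_action": sum(1 for e in report if e["issues"]),
    }


# Constructed sample data for the example; not taken from any real environment.
SAMPLE_RECORDS = [
    AccessRecord("alice", "ehr-db", frozenset({"db_owner"}),
                 date(2018, 1, 10), date(2019, 3, 1), True, "CHG-1001"),
    AccessRecord("bob", "ehr-db", frozenset({"reader"}),
                 date(2018, 6, 2), date(2019, 2, 20), False, "CHG-1042"),
    AccessRecord("carol", "vpn", frozenset({"admin"}),
                 date(2018, 9, 15), None, False, None),
    AccessRecord("dave", "billing", frozenset({"reader"}),
                 date(2018, 2, 1), date(2018, 10, 30), True, "CHG-0990"),
]


def sample_report() -> List[Dict]:
    """Run the review over the constructed sample as of REVIEW_DATE."""
    return review_access(SAMPLE_RECORDS, REVIEW_DATE)


if __name__ == "__main__":
    rows = sample_report()
    for row in rows:
        flags = ", ".join(row["issues"]) or "ok"
        print(f"{row['user']:<6} {row['system']:<8} {row['roles']} "
              f"last_used={row['last_used']} {flags}")
    print(summarize(rows))
```

Run as-is, the sample puts carol's unused, unapproved admin account without MFA at the top of the list, flags dave's billing access as stale, and reports 2 privileged entries and 2 needing action out of 4. Feeding it a real export (for example, the output of your identity provider's user listing) would give you the "who, what, when" document the questions above ask a provider for.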
Shared Responsibility in the Cloud
Responsibility for data security and compliance in the cloud is shared between multiple parties. The further up the stack a provider manages, from colocation to infrastructure to fully managed services, the more controls it takes on, yet the responsibility is still shared: you always remain responsible for your data, your users, and the configuration of what you deploy.
Before deciding on a cloud solution and provider, it is important to document, control by control, who is responsible for each compliance process.
Meet your Next Compliant Cloud Service Provider Today
Security and compliance not only protect businesses from excessive regulatory fines; they also protect critical data from threats and breaches. From a dedicated physical infrastructure to a virtual delivery model, we have the compliant cloud and hosting solution for your organization. Retain the level of control you want and the degree of data isolation you require.
LightEdge's highly trained compliance and security experts take the guesswork out of keeping your business protected. Trust our expertise to ensure you are covered through our security and compliance services, including risk management, information security, audit preparedness, and support.
LightEdge builds security and redundancy into every detail of our data center facilities and compliant service offerings, and our engineers have the know-how to advise you on meeting your compliance requirements, whatever the industry standard.
LightEdge also offers a free risk assessment from our Chief Security Officer and Chief Compliance Officer to all of our clients. Based on its findings, our experts recommend the security controls you need to protect sensitive data and pass audits. We assist in gathering the evidence and documentation you need to prove compliance, and we provide support during third-party audits. LightEdge is compliant with:
- ISO 27001
- ISO 20000-1
- SSAE 18 SOC 1 Type II, SOC 2 Type II and SOC 3
- PCI DSS 3.2
If you are interested in meeting with our compliance and security experts, or in touring any of our 7 world-class data centers, contact us here. We have compliant cloud experts standing by to answer your questions. Start by getting a free quote today.