
Page 1: Assessing Your Hosting Environment for HIPAA Compliance

#HOSTINGHIPAA

Page 2: SUMMARY

• Confusion surrounding HIPAA audits
• What the different assessments are
• How to truly understand your provider's capabilities
• Strong tools for comparing providers' control environments
• Q&A

Page 3: OMNIBUS RULE

In January 2013, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights announced a final omnibus rule that implements a number of provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, to strengthen the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

http://www.hhs.gov/ocr/privacy/hipaa/administrative/omnibus/

Page 4: HIPAA RISK ASSESSMENT SCHIZOPHRENIA

Page 5: HIPAA ASSESSMENTS TODAY

| Standard | What is it? |
|---|---|
| Proprietary | A unique risk assessment standard created by the auditing company |
| HITRUST Common Security Framework | A framework of frameworks: a number of security standards merged into one umbrella standard |
| HIPAA OCR Audit Protocol | The official HHS audit process for HIPAA compliance |

Page 6: HIPAA RISK ASSESSMENT BREAKDOWN

| Standard | Prescriptive | Addresses IT controls | Designed for MSPs | Assessed by 3rd party | Recognized by HHS | Provides safe harbor |
|---|---|---|---|---|---|---|
| Proprietary | Sometimes | Sometimes | No | Yes | No | No |
| HITRUST | Yes | Yes | No | Sometimes | No | No |
| HIPAA OCR | Yes | No | No | Sometimes | Yes | No |


Page 12: PROVIDER ASSESSMENT CHECKLIST

• Scope of managed security services (what does the provider do, and what do I have to do?)
• Explicit demarcation of responsibilities
• Commitment to its obligations in a BAA
• Consistency of managed security services across compute platforms
• 3rd-party assessment of the platform and managed services against an accepted, prescriptive security framework
• HIPAA assessment guarantee

Page 13: COMPLIANCE CONTROLS FOR HIPAA

Who owns each control domain (X marks the responsible party; a row with two X's is shared):

| Compliance control | HOSTING | Customer |
|---|---|---|
| Physical Security | X | |
| Network Security | X | |
| Platform Security | X | |
| Storage Security | X | |
| Threat Monitoring | X | |
| Policy and Governance | X | X |
| Application Security | X | X |
| Change Control | X | X |
| Incident Response | X | X |
| Transit Security | X | X |
| Risk Assessment | X | X |
| Custom App Security | | X |

Page 14: BAA CHECKLIST

• Will the cloud service provider sign a Business Associate Agreement (BAA) with us?
• Is the cloud service provider even aware of its obligation to sign a BAA?
• Is the BAA more than three pages?
• If the BAA is more than three pages, is the cloud service provider willing to pay the legal fees necessary for the extra review?
• Does the BAA closely track the sample provisions published by the U.S. Dept. of Health & Human Services?

Page 15: HIPAA OCR AUDIT PROTOCOL

• The official HIPAA audit checklist from HHS
• 3rd parties are starting to build assessment services around it
• Those assessments are non-binding, not regulated, and provide absolutely no safe harbor after a breach
• There is no HHS audit or certification program in place, so it is impossible to be "certified HIPAA compliant"

http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html

Page 16: Assessing Your Hosting Environment for HIPAA Compliance

"HHS does not endorse or otherwise recognize private organizations' 'certifications' regarding the Security Rule, and such certifications do not absolve covered entities of their legal obligations under the Security Rule. Moreover, performance of a 'certification' by an external organization does not preclude HHS from subsequently finding a security violation."

http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2003.html

Page 17: HIPAA REGULATIONS

Chart (reconstructed from the slide): how many times each of the following terms appears in the text of the HIPAA regulations, 45 CFR Part 160 and 45 CFR Part 164.

| Term | 45 CFR 160 | 45 CFR 164 |
|---|---|---|
| Firewall | 0 | 0 |
| Antivirus | 0 | 0 |
| VPN | 0 | 0 |
| IDS | 0 | 0 |
| Patching | 0 | 0 |
| Cloud | 0 | 0 |
| Encryption | 0 | 5 |

Page 18: FRAMEWORK COMPARISON

| Standard | Prescriptive | Addresses IT controls | Designed for MSPs | Assessed by 3rd party | Recognized by HHS | Provides safe harbor |
|---|---|---|---|---|---|---|
| Proprietary | Sometimes | Sometimes | No | Yes | No | No |
| HITRUST | Yes | Yes | No | Sometimes | No | No |
| HIPAA OCR | Yes | No | No | Sometimes | Yes | No |
| SOC 1 | No | Sometimes | No | Yes | No | No |
| SOC 2 | Yes | Yes | Yes | Yes | No | No |
| PCI DSS | Yes | Yes | Yes | Yes | No | Yes (CC only) |

Page 19: COMMON PROVIDER ASSESSMENTS

• SOC 1
  • Successor to SAS-70; issued under the SSAE-16 attestation standard and often referred to simply as "SSAE-16"
  • Focused on controls relevant to financial reporting, not on technical security; no standard or minimum control set
• SOC 2
  • Often confused with SSAE-16
  • Officially recognized AICPA review of an MSP's control environment
  • Mapped to the Trust Services Principles, a prescriptive standard for IT service provider security and privacy controls

Page 20: COMMON PROVIDER ASSESSMENTS

• PCI DSS
  • Explicitly prescriptive
  • Over 220 unique IT controls
  • Same purpose as the HIPAA Security Rule: protect against unauthorized access to sensitive data
  • Explicitly addresses service providers and cloud environments
  • The most widely utilized security framework
  • A decade of evolution

Page 21: PCI/SOC to HIPAA MAPPING

Page 22: READ THE REPORT!

• Providers can choose which portions of their infrastructure, which data center locations, which services, and even which controls from the standard they will have assessed, so an "X" in the provider's column is only evidence if that control was actually in scope
• Get a responsibilities matrix written by the 3rd party, not by the provider's sales team
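The check this slide describes, as an added example that is not code from the deck or from HOSTING: the script below takes a provider responsibilities matrix (who owns each control domain) and the list of controls the provider's 3rd-party report actually assessed, then flags provider-owned or shared controls that the report did not cover, and shared or customer-owned controls that nobody on the customer side has claimed. The control names, the CSV matrix, the assessed scope and the customer-owned list are constructed sample data standing in for what you would extract from a real AOC/ROC or SOC 2 report.

```python
"""Gap check between a provider's responsibilities matrix and the scope its
3rd-party report actually covers.

Added example, not HOSTING's code. All control names and the three sample
inputs below are constructed; replace them with data pulled from the real
responsibilities matrix and the scope section of the provider's report.
"""
import csv
import io
from dataclasses import dataclass, field

# Constructed sample: a responsibilities matrix in the shape a provider
# might hand over. One of "Provider", "Customer" or "Shared" per control.
SAMPLE_MATRIX_CSV = """\
control,owner
Physical Security,Provider
Network Security,Provider
Platform Security,Provider
Storage Security,Provider
Threat Monitoring,Provider
Policy and Governance,Shared
Application Security,Shared
Change Control,Shared
Incident Response,Shared
Transit Security,Shared
Risk Assessment,Shared
Custom App Security,Customer
"""

# Constructed sample: controls the provider's 3rd-party report lists as
# in scope. Providers may scope out locations, services and controls.
SAMPLE_ASSESSED_SCOPE = {
    "Physical Security",
    "Network Security",
    "Platform Security",
    "Policy and Governance",
    "Change Control",
    "Incident Response",
}

# Constructed sample: controls the customer has documented an owner for.
SAMPLE_CUSTOMER_OWNED = {
    "Custom App Security",
    "Application Security",
    "Risk Assessment",
}

VALID_OWNERS = {"Provider", "Customer", "Shared"}


@dataclass
class GapReport:
    # Provider/shared controls the report did not assess: claims, not evidence.
    unassessed_provider_controls: list = field(default_factory=list)
    # Shared/customer controls with no documented owner on the customer side.
    customer_gaps: list = field(default_factory=list)
    # Rows whose owner value is not one of VALID_OWNERS.
    malformed: list = field(default_factory=list)


def parse_matrix(csv_text: str) -> dict:
    """Parse a two-column CSV (control, owner) into {control: owner}."""
    matrix = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        matrix[row["control"].strip()] = row["owner"].strip()
    return matrix


def find_gaps(matrix: dict, assessed_scope: set, customer_owned: set) -> GapReport:
    """Compare the matrix against report scope and customer ownership."""
    report = GapReport()
    for control, owner in matrix.items():
        if owner not in VALID_OWNERS:
            report.malformed.append(control)
            continue
        # Anything the provider (fully or partly) owns must appear in the
        # report's scope, otherwise the provider's "X" is unverified.
        if owner in ("Provider", "Shared") and control not in assessed_scope:
            report.unassessed_provider_controls.append(control)
        # Anything the customer (fully or partly) owns needs a customer-side
        # owner; a shared control with no customer owner is an orphan.
        if owner in ("Customer", "Shared") and control not in customer_owned:
            report.customer_gaps.append(control)
    return report


def run_sample() -> GapReport:
    """Run the check over the constructed sample data."""
    return find_gaps(parse_matrix(SAMPLE_MATRIX_CSV),
                     SAMPLE_ASSESSED_SCOPE, SAMPLE_CUSTOMER_OWNED)


if __name__ == "__main__":
    result = run_sample()
    print("Provider/shared controls NOT in the report's scope:")
    for c in result.unassessed_provider_controls:
        print("  -", c)
    print("Shared/customer controls with no customer-side owner:")
    for c in result.customer_gaps:
        print("  -", c)
```

On the sample data the script reports Storage Security, Threat Monitoring, Application Security, Transit Security and Risk Assessment as provider or shared controls the report never assessed, and Policy and Governance, Change Control, Incident Response and Transit Security as shared controls nobody on the customer side has picked up. The two lists are deliberately separate: the first is a question for the provider (why is this out of scope?), the second is work the customer still owes.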

Page 23: PCI DSS REPORTS

| Document | What is it? | 3rd-party assessment? | Expect to sign an NDA? |
|---|---|---|---|
| SAQ | Self-assessment questionnaire | No | Yes |
| AOC | Attestation of Compliance | Maybe: look at the party that signed it | No |
| ROC | Report on Compliance | Yes | Absolutely |
| Control mapping | Explicit mapping of responsibilities | Maybe: look at the issuing party | No |


Page 26: SOC REPORTS

| Document | What is it? | 3rd-party assessment? | Expect to sign an NDA? |
|---|---|---|---|
| SOC 1 Type I | Financial-reporting controls assessment: policy review only, no operating evidence | Yes | Yes |
| SOC 1 Type II | Financial-reporting controls assessment: operating-effectiveness review over a period of at least 6 months | Yes | Yes |
| SOC 2 Type I | IT service provider controls: policy review only, no operating evidence | Yes | Yes |
| SOC 2 Type II | IT service provider controls: operating-effectiveness review over a period of at least 6 months | Yes | Yes |
| SOC 3 | Seal used to publicly assert that the provider successfully completed a SOC 2 Type II; no details | Yes | No |


Page 29: Q&A

Sean Bruton | Vice President of Product Management

For more information about compliant solution packages by HOSTING, please contact Mark Click at 302.444.6511 or [email protected].