A common concern when sharing confidential information in the cloud is security and, by extension, liability: who is liable for a data breach in the public cloud? Under HIPAA a CSP that stores or processes PHI is classed as a business associate, even if the PHI is encrypted and the CSP is never given the decryption key, so the CSP has its own HIPAA compliance obligations. A covered entity using the public cloud must therefore enter into a business associate agreement (BAA) with the CSP, and a service level agreement (SLA) can be drawn up to set out each party's specific responsibilities for data protection and security.
In terms of security, the encryption used by most cloud service providers meets the minimum standard HIPAA guidance calls for. That does not by itself make the CSP HIPAA compliant, however. Apple, for example, avoids the business associate role altogether and states clearly in its iCloud terms and conditions: “If you are a covered entity, business associate or representative of a covered entity or business associate (as those terms are defined at 45 C.F.R § 160.103), You agree that you will not use any component, function or other facility of iCloud to create, receive, maintain or transmit any “protected health information” (as such term is defined at 45 C.F.R § 160.103) or use iCloud in any manner that would make Apple (or any Apple Subsidiary) Your or any third party’s business associate.”
Another important factor to consider is control of the encryption key. Most CSPs encrypt their customers’ data at rest, and some offer a key management service (KMS) through which customers manage their own keys. Even then, the key material lives in the provider’s infrastructure and is used there on behalf of anyone who presents valid credentials, so a compromised account or a privileged provider employee can have the data decrypted without the customer ever knowing. It is much like leaving your house key under the doormat when half the neighbourhood knows it is there.
With cloudAshur, each authorised user holds a copy of the encrypted encryption key stored physically within their PIN-authenticated cloudAshur encryption module. Using cloudAshur KeyWriter, all critical security parameters, including the randomly generated encryption key and all PINs, are copied from the Master cloudAshur module to as many Secondary cloudAshur modules as required. This allows secure and instant collaboration in the cloud between authorised users, as well as the secure sharing of encrypted files via email and file transfer services.
Multi-factor authentication is also strongly recommended as a best practice for HIPAA compliance. It is not mandatory, but the HIPAA Journal advises that it is “the best way to comply with the HIPAA password requirements.” The problem it addresses is that if an attacker obtains a cloud user’s credentials, the CSP cannot distinguish the attacker from the legitimate user, and the breach goes unnoticed. The cloudAshur encryption module adds to this: because the encryption key is held in the module and never in the cloud, the vendor describes the resulting scheme as an unprecedented five-factor authentication.
What if the CSP is willing to enter into a BAA, as Microsoft is? Although Azure or OneDrive can be used in a way that satisfies the HIPAA Rules, Microsoft accepts no responsibility for HIPAA violations that result from misuse of its services. As Microsoft explains, “Your organisation is responsible for ensuring that you have an adequate compliance program and internal processes in place, and that your particular use of Microsoft services aligns with HIPAA and the HITECH Act.” The same is true of many CSPs: they will not accept liability for misuse of their service or platform, or for misconfigurations made by healthcare employees. It therefore remains the responsibility of the covered entity using the service to ensure that the HIPAA Rules are followed.