HIPAA-Compliant Practices for Backing Up Healthcare Data to the Cloud

JANUARY 13TH, 2020
The healthcare industry is responsible for housing our most sensitive and private information. In the event of an illness or emergency, it is also potentially life-saving information that must always be easily and rapidly accessible. Healthcare organizations must therefore balance effective ways to access, store, back up, and recover electronic protected health information (ePHI) against the need to keep that information secure. Cloud-based storage is one way that healthcare providers are looking to solve this problem. Historically, the healthcare industry has been slow to adopt data backup strategies that make use of the cloud because of concerns about cloud providers' ability to ensure privacy and security in line with Health Insurance Portability and Accountability Act (HIPAA) regulations. This appears to be changing as more and more cloud-based storage providers offer HIPAA-compliant services. Using the cloud benefits healthcare organizations because it reduces onsite infrastructure requirements and maintenance, and it scales with an organization's growth. Using the cloud for backup and disaster recovery helps keep data protected and recoverable during a natural disaster or data breach. Since using the cloud is becoming an industry standard, here are some best practices for adopting cloud-based backup, disaster recovery, and storage in your healthcare organization.

Encrypt Information at Every Step

HIPAA doesn't state specific ways to secure data, but encryption is the best practice for maintaining compliance. The good news is that reputable cloud providers already have encryption in place. Ensure that ePHI is encrypted not just at rest in the cloud but also in transit on its way there. With data encrypted in transit and at rest, patient information remains secure yet easily accessible to physicians and other healthcare professionals.
Do Regular Testing

It’s essential to continually test for vulnerabilities in the system as well as connectivity issues. Some organizations might have a third party conduct penetration testing inside the cloud environment. Additionally, test backup and disaster recovery processes so you know everything is working properly. These types of tests ensure that the cloud remains secure, that information is being rapidly stored, and that, in the event of an emergency, an attack, or a breach, it can be easily retrieved.

Minimize RTO & RPO

When setting up cloud backup and disaster recovery for a healthcare organization, consider implementing key recovery metrics like recovery time and recovery point objectives (RTO and RPO). These two metrics refer to the maximum allowable time to recover from a disaster and the maximum tolerable amount of data to lose. They're vital components of a sound disaster recovery plan and should be assessed proactively.

There are many HIPAA-compliant cloud options for healthcare organizations to consider. With careful planning and implementation, and by following the above best practices, healthcare organizations can reap the benefits of cloud-based storage and cloud-based disaster recovery while resting assured that their patients' ePHI remains secure.

Note that before a healthcare organization stores or backs up ePHI in a provider's cloud, a risk assessment is required and a signed business associate agreement (BAA) must be obtained from the provider. HIPAA compliance is the cloud user's responsibility, not the cloud provider's.
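As an added illustration that is not part of the original article, the following Python check evaluates a constructed backup history against the three practices above: the RPO (age of the last good backup), the RTO (measured restore drill time, since an untested restore proves nothing), and encryption both in transit and at rest. The record fields, the 24-hour RPO and the 1-hour RTO are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class BackupRecord:
    completed_at: datetime
    succeeded: bool
    encrypted_at_rest: bool               # ciphertext in the provider's storage
    encrypted_in_transit: bool            # upload went over TLS
    restore_drill_seconds: Optional[int]  # duration of a test restore, if one was run

def evaluate_backups(records, now, rpo, rto):
    findings = {"rpo_met": False, "rto_met": False, "encryption_ok": False, "issues": []}
    good = [r for r in records if r.succeeded]
    if not good:
        findings["issues"].append("no successful backup on record")
        return findings
    # RPO: everything written since the last good backup would be lost in a disaster
    latest = max(good, key=lambda r: r.completed_at)
    exposure = now - latest.completed_at
    findings["rpo_met"] = exposure <= rpo
    if not findings["rpo_met"]:
        findings["issues"].append(f"last good backup is {exposure} old, exceeds RPO {rpo}")
    # RTO: only a measured restore drill proves recovery time; no drill means unverified
    drills = [r.restore_drill_seconds for r in good if r.restore_drill_seconds is not None]
    if not drills:
        findings["issues"].append("no restore drill recorded, RTO unverified")
    else:
        worst = timedelta(seconds=max(drills))
        findings["rto_met"] = worst <= rto
        if not findings["rto_met"]:
            findings["issues"].append(f"slowest restore drill took {worst}, exceeds RTO {rto}")
    # Encryption: every copy, failed partial uploads included, must be protected end to end
    unencrypted = [r for r in records if not (r.encrypted_at_rest and r.encrypted_in_transit)]
    findings["encryption_ok"] = not unencrypted
    if unencrypted:
        findings["issues"].append(f"{len(unencrypted)} backup(s) not encrypted end to end")
    return findings

# Constructed sample history (not real data); timestamps are relative to a fixed "now"
NOW = datetime(2020, 1, 13, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    BackupRecord(NOW - timedelta(hours=54), True, True, False, None),  # sent without TLS
    BackupRecord(NOW - timedelta(hours=30), True, True, True, 1800),   # good, 30 min drill
    BackupRecord(NOW - timedelta(hours=6), False, True, True, None),   # last nightly job failed
]

def run_sample():
    return evaluate_backups(SAMPLE, NOW, rpo=timedelta(hours=24), rto=timedelta(hours=1))
```

On the sample history the check reports that the 24-hour RPO is missed (the newest good backup is 30 hours old because the latest job failed), that the 1-hour RTO is met by the 30-minute drill, and that one backup was not encrypted end to end.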