Architecting HIPAA Compliant Services

Jacob Nemetz
Dash Solutions
3 min read · Aug 6, 2019

Healthcare organizations, software vendors, and healthcare startups have a number of decisions to make when developing HIPAA compliant solutions. In order to build and execute a proper HIPAA security plan, organizations must define:

  • Which cloud platform and cloud services will be utilized
  • Roles for conducting compliance tasks and implementing security safeguards
  • Security settings and configuration for cloud resources
  • Standard operating procedures for implementing security protections and reviewing compliance concerns

With all of these concerns, it is easy for security operations and compliance requirements to become confusing. That is why Dash has built our latest guide, “Planning and Architecting For HIPAA Compliance”, outlining key steps for designing and architecting HIPAA compliant solutions.

In this guide, we detail best practices for architecting compliant solutions and for addressing many of the cloud architecture, security, and DevOps concerns teams face when building secure infrastructure.


Download our latest free guide — “Planning & Architecting For HIPAA Compliance”

Principles of HIPAA Compliance

Organizations must implement administrative, technical, and physical safeguards in order to comply with HIPAA. These security requirements rest on several core principles that organizations should design around.

High Availability —

Services and applications that process, transmit, or store protected health information (PHI) should always be available. Cloud services and applications should be built with availability in mind. Teams should consider building applications with fail-over capabilities.

Resiliency —

Applications should be consistently deployed and maintained. Sensitive data should be stored in a secure and reliable manner with protections in place to prevent accidental deletion of PHI. A configuration management process should be developed for deploying consistent applications.

Security —

Organizations should focus on limiting access and maintaining strong security controls for cloud services containing sensitive information and PHI. Security solutions, including encryption, disaster recovery, and intrusion detection, should be implemented to reduce the risk of a security breach.

Cloud And Infrastructure Considerations

Managing Operational “Drift”

As organizations continue to grow, infrastructure and day-to-day operations change. As teams scale applications, new cloud resources are created, new technologies may be used, and new staff are hired. Organizations must maintain the same security configuration when utilizing new infrastructure and must adjust administrative policies to account for operational drift, as staff structure and security procedures change.
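A baseline of required settings makes drift visible, and the same check covers the Resiliency and Security principles above (versioning against accidental deletion, encryption and restricted access for PHI). The following is an added example, not code from this post or from the Dash guide: it compares a constructed, provider-neutral inventory of PHI storage resources against a baseline and reports every departure. The resource names, the setting keys, and the baseline values are assumptions chosen for illustration, not any cloud provider's real API fields.

```python
"""
Added example: a minimal configuration-drift check for PHI storage resources.

A baseline of required security settings is compared against the current
configuration of each resource. Any resource that no longer matches the
baseline is reported as drift. The resource records below are constructed
sample data in a simplified, provider-neutral shape, not a real API response.
"""
from dataclasses import dataclass

# Baseline: the settings every storage resource holding PHI must keep.
# Keys and values are illustrative; a real baseline comes from the
# organization's own security policy.
BASELINE = {
    "encryption_at_rest": True,   # PHI must be encrypted at rest
    "public_access": False,       # no anonymous or public reads
    "versioning": True,           # protects against accidental deletion
    "access_logging": True,       # supports audit review
}


@dataclass
class Finding:
    """One (resource, setting) pair that departs from the baseline."""
    resource: str
    setting: str
    expected: object
    actual: object


def check_drift(resources: dict, baseline: dict = BASELINE) -> list:
    """Return one Finding per setting that departs from the baseline.

    A setting that is absent from a resource is treated as drift (actual=None):
    a resource created after the baseline was written, without the setting
    applied, is exactly the case operational drift produces.
    """
    findings = []
    for name, config in sorted(resources.items()):
        for setting, expected in baseline.items():
            actual = config.get(setting)
            if actual != expected:
                findings.append(Finding(name, setting, expected, actual))
    return findings


def summarize(findings: list) -> dict:
    """Group drifted settings by resource so a report reads per resource."""
    report = {}
    for f in findings:
        report.setdefault(f.resource, []).append(f.setting)
    return report


# Constructed sample inventory (hypothetical names): one compliant resource,
# one created later without logging, and one whose versioning was switched
# off after deployment.
SAMPLE_RESOURCES = {
    "phi-records-prod": {"encryption_at_rest": True, "public_access": False,
                         "versioning": True, "access_logging": True},
    "phi-exports-new": {"encryption_at_rest": True, "public_access": False,
                        "versioning": True},            # access_logging missing
    "phi-archive": {"encryption_at_rest": True, "public_access": False,
                    "versioning": False, "access_logging": True},
}

if __name__ == "__main__":
    for f in check_drift(SAMPLE_RESOURCES):
        print(f"DRIFT {f.resource}: {f.setting} "
              f"expected={f.expected} actual={f.actual}")
```

Run on a schedule against the live inventory, the output of check_drift is the list of resources that need to be brought back to the baseline, and an empty list is the evidence a compliance review wants to see. Treating a missing setting as drift, rather than ignoring it, is the design choice that catches resources created after the baseline was defined.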

DevOps and SecOps Needs

Many public cloud providers offer a Business Associate Agreement (BAA) enabling organizations to utilize protected health information (PHI) on cloud services. It is important to note that organizations must still implement all administrative and technical safeguards required under this agreement; signing a BAA does not by itself make an organization compliant, and it is possible to sign a BAA and fall out of compliance.

HIPAA is an ongoing process. Organizations should take time to consider all necessary policies and security safeguards required to maintain a HIPAA security program. Download our guide and start building and architecting around HIPAA compliance.

Dash Solutions provides organizations with solutions for configuring, monitoring, and maintaining HIPAA compliance in the public cloud. Learn more about Dash at www.dashsdk.com


Founder of Dash Solutions. Security & compliance for the public cloud.