HIPAA Compliance in the Cloud:

Uncovering a Solution for Email and File Sharing

I. Protecting the Data that Makes Us Human

If you found out your credit card was stolen, how long would it take you to call to cancel it? If you were using a public computer, would you save your banking info on it? Would you submit financial info to a website you didn’t trust?

When it comes to financial data, people don’t think twice about safety and privacy, but we tend to overlook these concerns when it comes to protected health information (PHI). This reality seems counterintuitive, given that medical information is worth more than 10 times as much to hackers as credit card numbers. However, the same companies that spend millions of dollars to lock down financial data often aren’t even aware that they’re housing this more highly desired health info, too.

The Health Insurance Portability and Accountability Act (HIPAA) was created to raise awareness of PHI’s ubiquity in government, business, and our day-to-day lives, but its sweeping standards have introduced an even more pressing dilemma: How can organizations protect valuable health data while keeping it easily accessible?

While this problem remains as relevant as ever, many organizations that handle health info still struggle to find cost-effective, compliant ways to share this critical data. Understanding the background and requirements of HIPAA is the first step toward finding a feasible solution.

What is HIPAA?

Created in 1996, HIPAA was enacted by the U.S. Congress to establish regulations regarding a variety of issues in an increasingly digital medical world, such as health insurance coverage, electronic billing, and the general transmission of PHI. As businesses and healthcare organizations continue to move more of their operations online, cybersecurity attacks have become more prevalent than ever–and for good reason. Reuters recently found that medical info can be up to 10 times more valuable than financial info, which is partly why HIPAA defines PHI so broadly. HIPAA policy applies to several PHI identifiers, listed below, that relate to either “the individual’s past, present or future physical or mental health or condition; the provision of healthcare to the individual; or, the past, present, or future payment for the provision of healthcare to the individual.”

Some of these identifiers might not seem relevant to health data, but each of them must be handled securely under HIPAA Rules:

• Names

• Social Security numbers (SSNs)

• Medical record numbers

• Home addresses

• Birthdates

• Medical symptom descriptions

• Insurance plan beneficiary numbers

• Driver’s license numbers

• License plate numbers

• Medical device identifiers and serial numbers

• Internet Protocol (IP) addresses

• Fingerprints

• Medical history reports

• ICD-9 codes, and other unique identifying numbers, characteristics, or codes

HIPAA Rules apply to “covered entities,” which are usually healthcare providers, health plans (i.e., insurance companies and government programs that pay for healthcare), or healthcare clearinghouses, such as:

• Medical offices

• Hospitals

• Insurance providers

• Hospice facilities

• Rehabilitation and therapy centers

• Counseling services

• Medical labs and diagnostic service providers

Even organizations that are not primarily focused on healthcare are considered covered entities if they have any employees who ever deal with health-related data. Some examples include:

• City and County Governments
  – Health and Human Services Departments
  – Welfare Departments
  – City/County Assistance Offices

• State Governments
  – Health and Human Services Depts.
  – Medicaid Programs
  – Depts. of Public Social Services
  – Depts. of Supportive Services

• Life insurance firms

• Nonprofits providing health or social services

• Universities
  – Student health plan providers
  – University hospitals
  – Medical and Dental Schools
  – Offices of Student Life

• K-12 school districts
  – School nurses
  – Teachers of students with medical conditions

Regardless of industry, all corporate HR departments must comply with HIPAA regulations as well, since they are responsible for processing employee benefits and health insurance information. As a result, HIPAA requirements are some of the most pertinent in the U.S.

What HIPAA Requirements Affect Email and File Sharing in the Cloud?

HIPAA requirements can be broken down into three basic categories:

1. Administrative Safeguards – providing adequate background checks, training, policies and documentation regarding PHI protection for employees.

2. Physical Safeguards – ensuring that physical facilities and devices are protected.

3. Technical Safeguards – establishing technological standards to keep PHI private (i.e., multi-factor authentication for user access, automatic logoff, and strong encryption).

While these administrative and physical standards deal primarily with an organization’s internal operations and procedures, HIPAA’s technical safeguards apply more directly to the ways that covered entities store, access, and share electronic PHI (ePHI).

In its Final Rule on HIPAA Security Standards, the U.S. Department of Health and Human Services (HHS) buckets these technical safeguards into four sub-categories:

a. Access controls

b. Audit controls

c. Integrity person or entity authentication

d. Transmission security

Of these areas, transmission security covers the bulk of email and file sharing activities, and its requirements stem from one overarching HIPAA expectation:

“With respect to transmissions from covered entities, covered entities must protect electronic protected health information when they transmit that information” (pp. 8338).

To achieve this security standard, HIPAA policy recommends two potential solutions:

  1. Integrity Controls – “Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.” (pp. 8338)
  2. Encryption – “Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.” (pp. 8338)

These two “implementation specifications,” as the policy refers to them, are not the only ways to meet transmission security requirements, nor are they mutually exclusive methods. However, they are the only security solutions formally acknowledged by HIPAA to fulfill this aspect of compliance. They are also the most well-suited options given today’s cloud technology landscape.

Nowadays, as insurance and other healthcare costs continue to rise, most organizations have moved their electronic communications entirely to the cloud. The cloud enables covered HIPAA entities to cut back on hardware and storage expenses while increasing collaboration, but it also expands the scope of their HIPAA obligations for email and file sharing.

By enlisting third party cloud providers in the transmission of ePHI, organizations must also ensure that these vendors, known as “business associates,” meet certain HIPAA requirements. According to the HIPAA Privacy Rule, a covered entity must “obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity.”

This stipulation means that in addition to complying with HIPAA itself, the organization must also ensure that certain vendors do, too. Given the number and variety of third party vendors that covered entities rely on to transmit data in the cloud, achieving full HIPAA compliance is more difficult now than ever.

What Makes HIPAA Compliance So Difficult to Achieve in the Cloud?

HIPAA Security Policy acknowledges that the ever-evolving nature of cloud technology makes it imprudent and infeasible to name hardline technical requirements across all aspects of ePHI transmission. For example, regarding standards for encryption strength, the Final Rule states:

“We remain committed to the principle of technology neutrality and agree with the comment that rapidly changing technology makes it impractical and inappropriate to name a specific technology.” (pp. 8357)

To accommodate this “technology neutrality,” HIPAA Security Policy includes both “required” and “addressable” implementation specifications for its different technical standards. A required specification, such as the creation of an emergency access control procedure (164.312), must be adopted. An addressable specification, such as the use of integrity controls as a means to authenticate personnel access to data (164.312), is not mandatory, but rather included as one of several acceptable means to meeting a specific HIPAA safeguard.

These addressable specifications provide HIPAA covered entities flexibility in choosing their technical solutions, but they also create a problematic gray area regarding which solutions are most effective in securing ePHI and assuring HIPAA compliance. As a result of HIPAA’s broad-ranging recommendations, organizations suffer breaches and violations that could have been prevented with better defined protocols.

Since 2003, there have been 123,065 reported HIPAA complaints, according to HHS. The average cost of a settled HIPAA case is roughly $880,000, with some of the more recent violations more than quintupling that amount:

• September 2012, Massachusetts Eye and Ear Infirmary – An unencrypted laptop containing ePHI was stolen. ($1.5M)

• July 2013, WellPoint – Technical safeguards were not in place to verify access to an ePHI database. ($1.7M)

• March 2014, AvMed – More than 1M patient records, including SSNs, were compromised following the theft of unencrypted laptops. ($3M)

• April 2014, Concentra Health Services – An unencrypted laptop containing ePHI was stolen. ($1.7M)

• May 2014, New York-Presbyterian Hospital and Columbia University – Unauthorized access was granted to the ePHI of over 6,800 individuals. ($4.8M)

Even Sony Pictures, which operates outside of the healthcare industry but still has HR-related HIPAA requirements, has struggled to adequately secure PHI in the cloud. Following its 2014 email hack, Sony sent out a breach notification email admitting that info covered by HIPAA policy was among the leaked data.

Over 30,000 Sony HR emails and files revealed the medical details of Sony employees, their spouses, and their children. The leaked PHI spans multiple health conditions including cancer, kidney failure and cirrhosis, as well as denied insurance claims.

While it is tough to pinpoint one cause for data breaches of this scale, three limitations have ultimately made secure, HIPAA compliant email and file sharing difficult for organizations like Sony, Columbia, and many others to achieve:

1. Cloud vendors struggle to meet HIPAA requirements.

When a covered entity enlists a cloud service like Microsoft Office 365, Gmail, or Google Apps for Work for email and file sharing, that entity’s digital information must be stored on and shared across that vendor’s servers. As a result, that vendor will have access to PHI and becomes a business associate, as defined in HIPAA policy:

“A ‘business associate’ is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.”

As previously mentioned, HIPAA-covered entities must “obtain satisfactory assurances” from their business associates that they are properly suited to meet HIPAA compliance, and these assurances can be as tedious as those faced by the entities themselves. In order to provide HIPAA compliant services to a customer, vendors must complete a multitude of preventative tasks, including:

• Assign unique indicators for identifying and tracking employee identities.

• Establish procedures for obtaining necessary ePHI during an emergency.

• Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

• Implement procedures to create and maintain retrievable exact copies of ePHI.

• Establish procedures to enable continuation of critical business processes for protection of the security of ePHI when main servers are down.

Many cloud service providers do not have the physical or technical resources to meet these requirements, so organizations cannot use their platforms for HIPAA compliant communications. The pool of possible technology vendors is much smaller for covered entities than for the rest of the general population.

2. Most ePHI travels through many different cloud servers.

As it does with many of its addressable implementation specifications, HIPAA policy provides some discretion when advising covered entities when to encrypt ePHI:

“We agree with the commenters that switched, point-to-point connections, for example, dial-up lines, have a very small probability of interception…Covered entities are encouraged, however, to consider use of encryption technology for transmitting electronic protected health information, particularly over the internet.” (pp. 8357)

HIPAA purposely leaves some gray area here to account for the fact that different covered entities transmit ePHI via different, often incompatible methods. Today’s businesses use a multitude of email and file sharing tools that do not always enable secure communications with one another, and that makes it difficult to always ensure the encryption HIPAA requires.

For example, Google Apps for Work encrypts all of the emails sent by its users with a form of encryption known as transport layer security (TLS). TLS helps ensure that communications sent to or from a user’s mail server will remain encrypted and HIPAA compliant, provided that the other servers that they travel through also support TLS.

However, since not all email platforms provide default TLS encryption like Google, it is impossible to ensure that emails sent to non-Google Apps users will be encrypted, and, more importantly, HIPAA compliant, throughout their full transmission.

An organization has no control over how many servers its emails will pass through, and no way to predict the security controls that these servers provide. That reality, coupled with the fact that most older email platforms do not support TLS like Google, makes it difficult to ensure that emails and files containing ePHI will remain protected no matter where they travel.
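The hop-by-hop nature of TLS described above can be observed after the fact in a message's Received headers, where each receiving server records the protocol it accepted the message over. The following is an added example, not part of the original paper; the host names, addresses and message are constructed, and the function names are illustrative.

```python
import re
from email import message_from_string

# Constructed sample (not from the paper): one message relayed over three hops.
# Servers prepend Received headers, so the newest hop is on top.
SAMPLE_MESSAGE = """\
Received: from relay.isp.example (relay.isp.example [198.51.100.20])
    by mx.insurer.example with ESMTP id c3;
    Tue, 03 Mar 2015 10:15:04 -0500
Received: from smtp.clinic.example (smtp.clinic.example [203.0.113.7])
    by relay.isp.example with ESMTPS id b2
    (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256);
    Tue, 03 Mar 2015 10:15:02 -0500
Received: from workstation.clinic.example ([192.0.2.15])
    by smtp.clinic.example with ESMTPSA id a1;
    Tue, 03 Mar 2015 10:15:01 -0500
From: doctor@clinic.example
To: claims@insurer.example
Subject: Claim attachment

(constructed body)
"""

# "with" keywords that mean the hop was accepted over TLS (RFC 3848, RFC 6531).
TLS_PROTOCOLS = {
    "ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA",
    "UTF8SMTPS", "UTF8SMTPSA", "UTF8LMTPS", "UTF8LMTPSA",
}
# Some servers annotate the hop instead of using a standard keyword.
TLS_HINT = re.compile(r"version=TLS|using TLS", re.IGNORECASE)


def audit_hops(raw_message):
    """Return one record per hop, oldest first, with a TLS verdict."""
    msg = message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())  # undo header folding
        sender = re.search(r"^from\s+(\S+)", flat, re.IGNORECASE)
        receiver = re.search(r"\bby\s+(\S+)", flat, re.IGNORECASE)
        proto = re.search(r"\bwith\s+(\S+)", flat, re.IGNORECASE)
        protocol = proto.group(1).upper().rstrip(";") if proto else "UNKNOWN"
        hops.append({
            "sender": sender.group(1) if sender else "?",
            "receiver": receiver.group(1) if receiver else "?",
            "protocol": protocol,
            "tls": protocol in TLS_PROTOCOLS or bool(TLS_HINT.search(flat)),
        })
    return hops


def unprotected_hops(raw_message):
    """List the hops that carry no evidence of TLS."""
    return [
        f"{hop['sender']} -> {hop['receiver']}"
        for hop in audit_hops(raw_message)
        if not hop["tls"]
    ]


if __name__ == "__main__":
    for hop in audit_hops(SAMPLE_MESSAGE):
        print(hop)
    print("No TLS evidence:", unprotected_hops(SAMPLE_MESSAGE))
```

Each Received header is written by the server that accepted the message, so headers added before the message reached a server you trust can be forged. A hop without a TLS marker is unverified rather than proven plaintext.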

3. Senders and recipients have struggled to adopt effective encryption solutions.

Unlike with TLS encryption, when ePHI is encrypted client-side, it is protected before it leaves a sender’s device or email client, and it remains encrypted until it reaches the intended recipient–regardless of what kind of technology the recipient is using.

Therefore, if a user shares ePHI in the cloud using client-side encryption, he would satisfy HIPAA’s transmission security requirements no matter who that content travels to or how many servers it passes through.

Client-side encryption can make widespread cloud adoption a reality for HIPAA-covered entities, but it typically requires manual key exchanges that make it difficult to deploy.

This means that, for a doctor to send an email or file encrypted client-side to an insurance provider, he would first have to retrieve a unique encryption key from that provider. The provider would also have to have the same encryption technology implemented on his device. If the doctor were to lose the provider’s key for any reason, he would have to repeat the process.

Traditional client-side encryption techniques alleviate many of the most common HIPAA vulnerabilities in the cloud, but they are not well-suited to most use cases.

II. A New Day for HIPAA Compliance in the Cloud – Simple Client-Side Encryption

Derrick Wlodarz, in a 2013 article about HIPAA, reaffirms client-side encryption’s necessity for any modern email or file system:

“End-to-end encryption services that ensure data is controlled all the way until end-user authentication can be performed…are vital towards leveraging an email system that will pass HIPAA inspection with relatively little issue.”

A 2014 report from compliance exchange, HIPAA Central, echoes these sentiments, while also acknowledging the inherent difficulty that encryption has historically entailed:

“The best approach to safeguarding ePHI is to maintain it in an encrypted state. Although there are numerous challenges to implementing an end-to-end encryption standard, the benefit…could prove to be invaluable, especially in the event of a breach.”

Several other experts describe a client-side configuration that would provide covered HIPAA entities all of the collaboration and cost savings of the cloud without compromising compliance or other data privacy concerns. This vision had long been unattainable, but client-side encryption add-ons like Virtru have recently made it a reality.

Introducing Virtru Pro Client-Side Encryption for HIPAA Compliance

Virtru Pro adds client-side encryption to Google Apps, Gmail, Microsoft Office 365, and Outlook via plug-ins and browser extensions. By simplifying client-side encryption and adding valuable control features, Virtru Pro assures full HIPAA compliance in the cloud in several ways:

1. Virtru Pro meets or exceeds all HIPAA requirements

Even though Virtru never has access to any of its users’ unencrypted content, it is still considered a business associate since it participates in the client-side encryption of a covered entity’s emails and files that might contain ePHI (more on this shortly).

As a result, Virtru Pro has fulfilled all of the administrative, physical, and technical safeguards required by HIPAA business associates, and it provides these assurances to customers in a signed Business Associate Agreement (BAA), as obligated by HIPAA policy:

“When a covered entity uses a contractor or other non-workforce member to perform ‘business associate’ services or activities, the Rule requires that the covered entity include certain protections for the information in a business associate agreement…In the business associate contract, a covered entity must impose specified written safeguards on the individually identifiable health information used or disclosed by its business associates.”

With regard to the strength of Virtru (or any encryption tool), that depends on the length of the keys used to encrypt the data being shared. Encryption keys are measured in commonly used computing units called bits. The more bits in a key, the more difficult it is to guess, and thus the safer the encrypted data is from hackers.

2. Virtru encrypts from the client-side.

In order to make their customers’ emails and files widely accessible, cloud providers must host this content in multiple data servers distributed across geographic locations. These servers constantly exchange ePHI with each other and the devices that must access the content, making it difficult (if not impossible) to confine ePHI to environments that can protect it, per HIPAA transmission security standards.

That is why ePHI must be encrypted before it ever leaves its original location, be that a person’s computer or portable device, in order to fulfill HIPAA requirements no matter where it travels. Since Virtru encrypts from client-side, it follows the same methods for secure transport described in HIPAA Policy regarding transmission security, as well as those suggested for access control:

“The use of file encryption is an acceptable method of denying access to information in that file. Encryption provides confidentiality, which is a form of control.” (G-26)

When Virtru Pro encrypts ePHI, the encryption remains no matter where the ePHI goes (i.e., if a recipient forwards an email to another recipient), and protections persist even when the content is not travelling. As a result, users do not have to apply additional security layers to the data that has already been emailed to them or uploaded to the cloud. In locking down sensitive info from the moment it is created, client-side encryption provides HIPAA compliance by ensuring third parties can never access the content regardless of where it ends up being stored (i.e., on an unprotected device or server that does not support TLS encryption).

This means that Google Apps users, for example, who could otherwise only guarantee HIPAA compliance when sending to other Google users, can use Virtru to share ePHI with any recipients–regardless of their technical configuration.

What’s more, Virtru’s architecture enables customers to manage their own encryption keys, which prevents third parties like Google and Microsoft from accessing ePHI in unencrypted form. And since Virtru does not host any content on its servers (this content is stored on the cloud provider’s servers in encrypted form), but just the encryption keys, Virtru never has access to the sensitive emails and files either.

3. Virtru makes encryption easy for senders and recipients.

HIPAA policy acknowledges how difficult it can be for organizations to implement email and file encryption, explaining that it “can adversely affect processing times and become both financially and technically burdensome” (pp. 8356).

When the policy was finalized in 2003, there was no way for covered entities of all sizes to easily encrypt ePHI, which is why the technology was never widely adopted–and why the majority of HIPAA violations occur when unencrypted information is accessed by stolen or misplaced devices. As the HIPAA Security Rules concede:

“Particularly when considering situations faced by small and rural providers, it became clear that there is not yet available a simple and interoperable solution to encrypting email communications with patients. As a result, we decided to make the use of encryption in the transmission process an addressable implementation specification.” (pp. 8357)

Fortunately, Virtru has developed a tool that provides powerful encryption and requires minimal technical and financial resources to use and deploy. Virtru just takes a minute to add to an organization, and users only have to download a simple plugin to start sharing encrypted emails and files directly from existing platforms like Gmail, Google Drive, and Microsoft Outlook.

4. Virtru Pro’s Data Loss Prevention (DLP) automatically encrypts PHI.

52% of security breaches are caused by human error. Even if an organization has implemented robust encryption protocols, it faces severe HIPAA penalties anytime unauthorized access to PHI is granted. Whether a user sends an email to the wrong recipient or accidentally uploads a sensitive file to the wrong folder, human error can easily disrupt the security posture of a cloud environment–unless Data Loss Prevention (DLP) has been implemented.

Virtru’s DLP capabilities scan emails and files before they ever leave the sender’s inbox or local folders, thus preventing PHI from ever hitting the cloud unprotected. Most DLP tools scan sensitive content after it has already travelled from the user’s device to a separate server, but Virtru enables these scans to occur on the device or “client-side,” which keeps unencrypted content out of third party control.

Virtru DLP also comes equipped with HIPAA-related rule packs that can be turned on to scan emails for ICD-9 codes, SSNs, birthdates, and other ePHI. And by notifying end-users when they have triggered these rules and why, Virtru DLP educates individuals about HIPAA compliance directly, which helps foster long-term adoption of policies and best practices.
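A sketch of how a pattern-based rule pack for SSNs, ICD-9 codes and birthdates can work on a draft before it leaves the device. This is an added example, not Virtru's code or rules: the patterns, the context keywords, the function names and the sample draft are all assumptions made for illustration.

```python
import re
from datetime import date

# Constructed sample draft (not real patient data).
SAMPLE_DRAFT = """\
Hi Dana,
Patient John Sample, DOB 03/14/1962, SSN 123-45-6789.
Diagnosis ICD-9 250.00 and V70.0; follow-up on 04/02/2015.
Invoice 000-12-3456 is not an SSN. Room 250 is booked.
"""

SSN_RE = re.compile(r"(?<![\w-])(\d{3})-(\d{2})-(\d{4})(?![\w-])")
# A bare three-digit number is only treated as a code when the line talks
# about a diagnosis; this keeps "Room 250" from being flagged.
ICD9_CONTEXT_RE = re.compile(r"\b(?:ICD-?9|diagnos\w*|dx)\b", re.IGNORECASE)
# Shape of ICD-9-CM codes: 250.00, V70.0, E885.9 (shape check, not a lookup).
ICD9_RE = re.compile(
    r"(?<![\w./-])(?:\d{3}|V\d{2}|E\d{3})(?:\.\d{1,2})?(?![\w/-]|\.\d)"
)
# A date counts as a birthdate only when a birth keyword precedes it.
DOB_RE = re.compile(
    r"\b(?:DOB|date of birth|born)\b\D{0,15}?(\d{1,2})/(\d{1,2})/(\d{4})\b",
    re.IGNORECASE,
)


def scan(text):
    """Return (rule, evidence) pairs; SSNs are masked so logs hold no PHI."""
    findings = []
    for m in SSN_RE.finditer(text):
        area, group, serial = m.groups()
        # Structural rules: these ranges are never issued as SSNs.
        if area in ("000", "666") or area[0] == "9":
            continue
        if group == "00" or serial == "0000":
            continue
        findings.append(("SSN", "***-**-" + serial))
    for line in text.splitlines():
        if ICD9_CONTEXT_RE.search(line):
            findings.extend(("ICD-9", m.group(0)) for m in ICD9_RE.finditer(line))
    for m in DOB_RE.finditer(text):
        month, day, year = (int(part) for part in m.groups())
        try:
            date(year, month, day)  # reject impossible dates such as 13/45/1962
        except ValueError:
            continue
        findings.append(("DOB", f"{month:02d}/{day:02d}/{year}"))
    return findings


def policy_decision(text):
    """Decide what to do with a draft and which rules to show the sender."""
    rules = sorted({rule for rule, _ in scan(text)})
    return ("encrypt", rules) if rules else ("allow", rules)


if __name__ == "__main__":
    print(scan(SAMPLE_DRAFT))
    print(policy_decision(SAMPLE_DRAFT))
```

The rule names returned by `policy_decision` are what a client would show the sender to explain why the message was flagged.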

Even if a user disables Virtru DLP and accidentally sends PHI to the wrong recipient, Virtru provides the ability to revoke any email or file sent, even after recipients have already viewed the sensitive content. This revocation ability provides covered entities a one-click way to resolve HIPAA violations in the event they accidentally share PHI with an unauthorized party.

III. More Information on HIPAA Compliance in the Cloud

Given the rate at which cloud technology continues to evolve, it is important to stay up-to-date with how these developments impact HIPAA regulations. As a HIPAA compliance thought leader, Virtru offers a valuable array of resources to help covered entities keep pace with the always-changing landscape of the cloud: