The recent LifeLabs data breach, the largest ever in Canada, serves as a reminder that as the conversation around privacy and security continues to get louder, the Health Insurance Portability and Accountability Act (HIPAA) will remain a driving force shaping the healthcare landscape. What began as a United States law aimed at protecting the privacy of patients’ medical records is now an internationally recognized driver of best practices for security and privacy, and upholding it has become the collective responsibility of vendors, practitioners and all other stakeholders involved.
The path to becoming HIPAA-compliant can be a difficult one to navigate and requires a balancing act of multiple parts working harmoniously together. There are various myths about roundabout ways of achieving compliance, but the truth is that shortcuts rarely produce results.
A common misconception is that compliance is as simple as using a compliant hosting vendor. Amazon Web Services (AWS) in particular has received a lot of attention since announcing that it supports HIPAA. While it is true that AWS adheres to all of the necessary requirements to ensure HIPAA can be satisfied, it is ultimately the responsibility of healthcare developers to configure the various components of their applications in a compliant way.
Other cloud hosting vendors such as Google Cloud Platform (GCP) and Microsoft Azure also have similar limitations. And beyond some of the physical safeguards that hosting providers might provide, full HIPAA compliance also requires adherence to strict technical as well as administrative safeguards that are outside the scope of the cloud vendors.
We examine this issue in more detail below, and also look at how MedStack differs to help fill in the gaps.
The Shared Responsibility Model
The “shared responsibility model” refers to the fact that vendors take responsibility only for certain aspects of security and compliance while holding the user responsible for other aspects. While vendors such as AWS have tools, features and services that make it easier to be HIPAA compliant, they only take responsibility for the physical and low-level factors of their systems, data centers, virtual networks and virtual machines. Above that level, most hosting providers shift to the shared responsibility model, where the customer must share in the responsibility of configuring its systems appropriately.
The critical issue, then, is that even though a vendor’s system can be HIPAA-compliant if used correctly, it can also be configured in a way that isn’t. In fact, most defaults are non-compliant, leaving the onus on customers to reconfigure their services in a compliant manner. At any time you might discover that your configuration is non-compliant, or worse, your customers might discover that first.
MedStack Chain of Responsibility
Whereas most vendors follow a “shared responsibility model”, MedStack abides by a concept we refer to as the “chain of responsibility”. We take compliance guarantees to a much higher level, all the way up to the Docker environment, and also expand those guarantees to critical elements like administrative access to the dashboard, logs, and security updates.
MedStack’s Provable Compliance Guarantees
In general, a cloud hosting vendor’s responsibility is limited to the physical security of its own networks and facilities. Vendors will often take steps to specifically call out what is not in their scope and define customer responsibility with regard to compliance. AWS itself states that the customer is responsible for their clients’ data, identity access, operating system updates and security, network and firewall configuration, and encryption. This means that simple changes in the configuration of settings can unintentionally leave information vulnerable and overexposed.
In contrast, MedStack’s services are pre-configured to be compliant, and the necessary evidence is readily available for our customers’ assessors and auditors. There’s no guesswork required, and no configuration needed. Privacy policies for industry regulations are pre-written and real-time auditable by MedStack’s platform.
MedStack is committed to providing audit support when required, and our HIPAA Business Associate Agreement, Annual Penetration Test, Privacy Impact Assessment and Threat Risk Assessment are also available to all of our customers. In addition, MedStack recently completed its SOC 2 Type I audit, meaning our customers can now more easily and quickly achieve their own SOC 2 audit reports.
MedStack’s solution isn’t a replacement for other cloud services, but rather a supplemental service, extending far beyond hosting to tackle privacy compliance more holistically. Our custom developer platform delivers built-in privacy and security protocols tailor-made to healthcare industry expectations, including encryption, certificate and key management, backups, monitoring and logging. This ensures your entire application runs and manages data in the cloud in a HIPAA-compliant manner.