These days, it’s getting harder and harder to say no to the cloud, even for healthcare organizations grappling with a tangle of HIPAA compliance requirements that can complicate cloud adoption. The operational efficiencies and cost benefits achieved by using cloud services like Salesforce.com are simply too significant to ignore. Salesforce’s own security measures are robust, but HIPAA compliance is ultimately your organization’s responsibility. Luckily, meeting HIPAA compliance in Salesforce.com is easier than it appears for organizations that follow a few best practices. Here are three strategies definitely worth considering.
1. Know what you need to protect
HIPAA regulations aim to protect the confidentiality, integrity, and availability of "protected health information" (PHI), which the U.S. Department of Health and Human Services defines as "individually identifiable health information." PHI includes names, addresses, birth dates, social security numbers, information about an individual's mental and physical health and treatment, and information about payment for that care. For Salesforce.com HIPAA compliance, the data you have to worry about is the electronic form of that information, ePHI. So your first step must be to examine the data you send to Salesforce and identify every field that contains, or might contain, ePHI. Do not stop at the obvious structured fields: free-text fields such as case descriptions, notes, comments, and attachments are where ePHI most often turns up unplanned. An initial risk assessment of this kind is absolutely vital to your Salesforce.com HIPAA compliance strategy, and the field inventory it produces is what every later control is built on.
2. Implement access controls for your ePHI
Now that you know what ePHI you must protect, you can begin to lock that data down with strict access control policies that limit access to the employees, integrations, and applications that genuinely need it and are authorized to have it. In Salesforce this means using the platform's own controls, such as profiles, permission sets, and field-level security, so that ePHI fields are invisible to users and API integrations that have no business reason to see them. Here is where your DLP policy and appliances come into play, too. Now that you have identified which data must not be leaked, you can take steps to minimize the chance that unauthorized access or disclosure will leak it. CipherCloud's Cloud Information Protection platform comes with turnkey DLP modules that can identify HIPAA/HITECH violations, giving you a head start on protecting your data. CipherCloud's Data Discovery & Monitoring module for Salesforce also helps HIPAA compliance in Salesforce.com by exposing user activity, helping you catch potential violators before their actions cause a problem.
3. Encrypt ePHI “out of the gate.”
Access control and user-activity monitoring are not the only gaps you must close to achieve HIPAA compliance in Salesforce.com. At the heart of CipherCloud's cloud information protection platform is a wide selection of encryption and tokenization options, and the ability to apply them granularly, down to the field level or even the character level. CipherCloud customers often deploy the platform as a gateway on their own premises, automatically encrypting data like ePHI before it ever leaves the perimeter. This secure gateway acts as the gatekeeper for your sensitive information, preserving its confidentiality no matter where the ePHI resides. And because your organization has exclusive access to the encryption keys, you retain full control over decryption of your data. Even if it is leaked, no one can read it without your participation. The caveat is that this only holds while the keys stay on your side: a key that is stored in the cloud alongside the ciphertext, or that is exposed by the same incident, gives you none of this protection.
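To make the gateway pattern in section 3 concrete, here is an added example (written for this edit, not CipherCloud's own code or a description of how its product works) of a minimal on-premises encryption gateway. It takes the field inventory from section 1 as a policy, encrypts exactly those fields of a Salesforce-bound record with AES-256-GCM under a key that never leaves the gateway, and rejects records coming back from the cloud whose ePHI fields are unencrypted or have been tampered with. The field names (`SSN__c`, `Diagnosis__c`), the `enc:v1:` marker, and the sample record are all assumptions constructed for the example; the key in `main` is random for demonstration and would come from an on-premises HSM or key manager in practice. Searchable or format-preserving encryption, which the platform described above offers, is a separate technique and is not shown here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// Record is one Salesforce-bound object (a Contact, Case, ...) as field name -> value.
type Record map[string]string

// Gateway holds the tenant's key on premises; only ciphertext leaves for the cloud.
type Gateway struct {
	aead      cipher.AEAD
	ephiField map[string]bool // fields classified as ePHI by the risk assessment
}

// encPrefix marks a value as gateway ciphertext so the inbound path can tell
// encrypted values from plaintext that bypassed the gateway.
const encPrefix = "enc:v1:"

// NewGateway builds a gateway for a 16-, 24- or 32-byte AES key and an ePHI field list.
func NewGateway(key []byte, ephiFields []string) (*Gateway, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	g := &Gateway{aead: aead, ephiField: map[string]bool{}}
	for _, f := range ephiFields {
		g.ephiField[f] = true
	}
	return g, nil
}

// Outbound encrypts every policy-listed field before the record is sent to the cloud.
// Non-ePHI fields pass through unchanged so the cloud application keeps working on them.
func (g *Gateway) Outbound(rec Record) (Record, error) {
	out := Record{}
	for field, val := range rec {
		if !g.ephiField[field] {
			out[field] = val
			continue
		}
		nonce := make([]byte, g.aead.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		// The field name is bound as additional authenticated data, so a ciphertext
		// cannot be copied from one ePHI field into another without failing Open.
		ct := g.aead.Seal(nonce, nonce, []byte(val), []byte(field))
		out[field] = encPrefix + base64.StdEncoding.EncodeToString(ct)
	}
	return out, nil
}

// Inbound decrypts policy-listed fields on the way back and fails closed if an
// ePHI field arrives in plaintext, is malformed, or fails GCM authentication.
func (g *Gateway) Inbound(rec Record) (Record, error) {
	out := Record{}
	for field, val := range rec {
		if !g.ephiField[field] {
			out[field] = val
			continue
		}
		if !strings.HasPrefix(val, encPrefix) {
			return nil, fmt.Errorf("field %q is classified as ePHI but arrived unencrypted", field)
		}
		raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(val, encPrefix))
		ns := g.aead.NonceSize()
		if err != nil || len(raw) < ns+g.aead.Overhead() {
			return nil, fmt.Errorf("field %q: malformed ciphertext", field)
		}
		pt, err := g.aead.Open(nil, raw[:ns], raw[ns:], []byte(field))
		if err != nil {
			return nil, fmt.Errorf("field %q: authentication failed: %w", field, err)
		}
		out[field] = string(pt)
	}
	return out, nil
}

func main() {
	key := make([]byte, 32) // demo only: in production this comes from an on-premises HSM/KMS
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	gw, err := NewGateway(key, []string{"Name", "SSN__c", "Diagnosis__c"})
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real patient data.
	rec := Record{"Name": "Pat Example", "SSN__c": "123-45-6789", "Diagnosis__c": "J45.20", "Status__c": "Open"}
	cloud, _ := gw.Outbound(rec)
	fmt.Println("sent to cloud:", cloud)
	back, err := gw.Inbound(cloud)
	fmt.Println("returned:", back, err)
}
```

Two design points carry over to any real deployment: the gateway fails closed on the inbound path, because an ePHI field that reaches your systems in plaintext means something wrote to Salesforce around the gateway and the field inventory or the integration needs fixing; and binding the field name as GCM additional data means that a leaked ciphertext is useless not only without the key but also outside the field it was produced for.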
HIPAA/HITECH can seem confusing. The regulations demand "reasonable and appropriate" safeguards for ePHI and mandate often heavy penalties, plus potentially reputation-damaging public breach disclosures, in the event of noncompliance, but they give few specifics on how organizations are to safeguard ePHI in the cloud. What is clear is how the breach notification rule treats encryption: notification obligations apply to breaches of "unsecured" PHI, and PHI that has been rendered unusable, unreadable, or indecipherable through encryption consistent with HHS guidance is not considered unsecured, provided the keys themselves were not compromised in the same incident. You should, therefore, think of encryption with keys you control as the standard approach to ePHI protection and the key to Salesforce.com HIPAA compliance. Happily for CipherCloud customers, CipherCloud's searchable strong encryption preserves the functionality of encrypted data in the Salesforce cloud, so you can have your cloud cake and eat it, too.
What concerns do you have around HIPAA compliance in Salesforce.com? Let us know in the comments.