I’m Zlatko Unger, CISO Expert at Wiz. I’ve spent years helping healthcare organizations navigate HIPAA compliance in the cloud. In this blog, I’ll break down key cloud security controls and how Wiz can help you achieve compliance and stay compliant.
Context
The healthcare industry has been moving to the cloud. With the incredible benefits of the could—scalability, flexibility, and cost savings—there are a lot of complexities to navigate, especially as to how electronic Protected Healthcare Information (ePHI) is handled. Ensuring your cloud environment meets the stringent requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is not just good practice; it's a matter of US law.
HIPAA compliance is not just about switching your architecture. Rather, it is a continuous process involving administrative, physical, and technical safeguards and controls. While your cloud service provider (CSP) handles much of the physical security requirements, healthcare companies in the cloud—as a Covered Entity or a Business Associate—retain the majority of the responsibility, particularly regarding the administrative and technical safeguards applied to your cloud environment. This is where Wiz comes in; helping prolific healthcare organizations like Pfizer and Takeda to properly manage cloud controls.
Governance vs Compliance
Before we get into the specifics, it is crucial to differentiate governance and compliance of HIPAA.
Governance is the overall framework of a companies policies, procedures, risk management, training, and ongoing monitoring. It is established to ensure sustained compliance and to manage security effectively.
Compliance, on the other hand, is how you demonstrate the effectiveness of governance, to ultimately meet HIPAA’s needs.
Cloud Controls
Let’s break down how the technical controls in the cloud map to specific parts of HIPAA’s Security Rule requirements. This is the area of the regulation where Wiz can help the compliance team meet the governance and compliance needs as the controls relate the in-scope CSP infrastructure.
Risk Analysis (164.308(a)(1)(ii)(A)) - Mandates that organizations conduct accurate and thorough assessments of the potential risks and vulnerabilities to the confidentiality and availability of electronic protected health information (ePHI). Wiz can be used to enrich your technology risk assessments that will ultimately feed the risk register.
Security Management Process (164.308(a)(1)) - Encompasses the overall framework for managing security, including policies, procedures, and responsibilities. This section covers controls like establishing security policies, designating a security officer, and providing security awareness training. Wiz can help looking for deviations of policies not being met by the scoped infrastructure, ultimately funneling risks to the risk register.
Access Control (164.312(a)) - Explains how implementing technical policies and procedures for authorized access to ePHI. Wiz allows you to review who has access to your scoped environment and query the different technologies that process ePHI.
Transmission Security (164.312(e)(1)) - Measures to protect ePHI during electronic transmission. Wiz can help query the infrastructure for assurance of encryption being used for the target environment. Likewise the summaries from Graph Searches can be used to demonstrate compliance.
Audit Controls (164.312(b)) - This requires implementing mechanisms to record and examine activity in information systems containing or processing ePHI. Wiz can point to resources that do not have logging enabled. Additionally, Wiz can help with any escalations with the integration to your alerting and ticketing systems.
Integrity Controls (164.312(c)(1)) - Ensures that that ePHI is not improperly altered or destroyed. Wiz can help monitor access rules and demonstrate that the data is protected though different technological controls (ACLs, IAM, cloud configuration rules).
Non-cloud Controls
Additionally, there are several different areas of HIPAA where the processes are based on internal personnel and systems that are used to conduct business across the organization. They include:
Risk Management (164.308(a)(1)(ii)(B)) - Requires organizations to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
Workforce Security (164.308(a)(3)) - Focuses on ensuring that workforce members have appropriate access to ePHI and that their access is terminated when necessary.
Contingency Planning (64.308(a)(7)) - Focuses on the implementation data backup, disaster recovery, and emergency mode ****operations plans to ensure ePHI is recoverable after an outage or breach. CNAPP/CSPM platforms can monitor backup configurations in cloud environments.
Business Associate Agreements (164.308(b)) - This section outlines the requirements for agreements with business associates who handle ePHI.
Facility Access Controls (164.310(a)(1)) - Addresses limiting physical access to facilities where ePHI is stored which would include offices and shared responsibility with the CSP(s) for data center’s physical security.
Workstation Security (164.310(b)) - Focuses on the physical security of workstations and devices that access ePHI.
Device and Media Controls (164.310(d)) - Covers the handling of hardware and electronic media containing ePHI.
Policies and Procedures (164.316(a)) - Maintain written security policies addressing all HIPAA safeguards and conduct annual policy reviews and updates.
Documentation Retention (164.316(b)) - Keep security-related documents for at least six years.
Breach Notification Rule (164.400-414) - Implement an incident response plan to notify affected parties and HHS in case of a breach.
Breakdown
Below are the various HIPAA requirements and areas where Wiz can help govern—maintain internal controls effectiveness and risk management—and comply—demonstrate externally that controls are in place. Please note that each HIPAA requirement has sub-requirements that might require a policy or a process that are exhibited outside of Wiz.
| HIPAA Requirement | Control Implementation for a SaaS | Governance | Compliance |
|---|---|---|---|
| Risk Analysis (164.308(a)(1)) | Conduct risk assessments, implement risk management plans | ✅ | |
| Workforce Training (164.308(a)(5)) | Security awareness programs, phishing simulations | ||
| Contingency Plan (164.308(a)(7)) | Data backup, disaster recovery, emergency mode plans | ✅ | |
| Business Associate Agreements (164.308(b)) | Contracts with third parties handling ePHI | ||
| Access Control (164.312(a)) | Role-based access, MFA, session timeouts | ✅ | ✅ |
| Physical Security (164.310) | Secured data centers, device encryption, facility access control | ||
| Audit Logs (164.312(b)) | Logging and monitoring all ePHI access and changes | ✅ | ✅ |
| Data Encryption (164.312(e)) | AES-256 for storage, TLS 1.2+ for transmission | ✅ | ✅ |
| Breach Notification (164.400-414) | Incident response plan, breach reporting policies |
Summary
With our old platform, we were getting thousands of alerts for every one problem that we’d solve. Wiz allows us to understand vulnerabilities much more efficiently. Now, we can concentrate our efforts on problems rather than simply identifying them.
Alex SteinleitnerPresident & CEO, Artisan
Achieving and maintaining HIPAA compliance in the cloud is a shared responsibility between you and your CSP. While your CSP provides a secure foundation and tools, you must configure those tools correctly, implement robust technical controls aligned with HIPAA requirements, and crucially, establish strong governance through policies, procedures, training, and ongoing monitoring.
Wiz can help you govern your technical controls and demonstrate your compliance to your customers, assessors, and auditors. Our customers have access to a wealth of information from our support team including consultation with our CISO Experts to help them on their compliance journeys.
You can learn more about Compliance Posture in this blog post, or read more about HIPAA in this Wiz Academy article. If you are an existing Wiz customer, there is an in-depth guide on HIPAA over on our Docs.
