Introduction

Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. The cloud computing model offers the promise of massive cost savings combined with increased IT agility. It is considered critical that government and industry begin adoption of this technology in response to difficult economic constraints. However, cloud computing technology challenges many traditional approaches to datacenter and enterprise application design and management. Cloud computing is already in use; however, security, interoperability, and portability are cited as major barriers to broader adoption.

The National Institute of Standards and Technology (NIST) has defined cloud computing as a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

Essential characteristics

On-demand self-service. A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider.

Broad network access. Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, tablets, laptops, and workstations).

Resource pooling. The provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, and network bandwidth.

Rapid elasticity. Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time.

Measured service. Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.

Service models

Software as a Service (SaaS). The capability provided to the consumer is to use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.

Platform as a Service (PaaS). The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.

Infrastructure as a Service (IaaS). The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls).

Deployment models

Private cloud. The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.

Community cloud. The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.

Public cloud. The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.

Hybrid cloud. The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).

Source: https://csrc.nist.gov/publications/detail/sp/800-145/final#pubs-abstract-header
Guidance on HIPAA and Cloud Computing

With the proliferation and widespread adoption of cloud computing solutions, HIPAA covered entities and business associates are questioning whether and how they can take advantage of cloud computing while complying with regulations protecting the privacy and security of electronic protected health information (ePHI). This guidance assists such entities, including cloud services providers (CSPs), in understanding their HIPAA obligations.

Cloud computing takes many forms. This guidance focuses on cloud resources offered by a CSP that is an entity legally separate from the covered entity or business associate considering the use of its services. CSPs generally offer online access to shared computing resources with varying levels of functionality depending on the users' requirements, ranging from data storage to complete software solutions (e.g., an electronic medical record system), platforms to simplify the ability of application developers to create new products, and full computing infrastructure for software programmers to deploy and test programs. Common cloud services are on-demand internet access to computing (e.g., networks, servers, storage, applications) services. We encourage covered entities and business associates seeking information about types of cloud computing services and technical arrangement options to consult a resource offered by the National Institute of Standards and Technology: SP 800-145, The NIST Definition of Cloud Computing (PDF).

The HIPAA Privacy, Security, and Breach Notification Rules (the HIPAA Rules) establish important protections for individually identifiable health information (called protected health information or PHI when created, received, maintained, or transmitted by a HIPAA covered entity or business associate), including limitations on uses and disclosures of such information, safeguards against inappropriate uses and disclosures, and individuals' rights with respect to their health information. Covered entities and business associates must comply with the applicable provisions of the HIPAA Rules. A covered entity is a health plan, a health care clearinghouse, or a health care provider who conducts certain billing and payment related transactions electronically. A business associate is an entity or person, other than a member of the workforce of a covered entity, that performs functions or activities on behalf of, or provides certain services to, a covered entity that involve creating, receiving, maintaining, or transmitting PHI. A business associate also is any subcontractor that creates, receives, maintains, or transmits PHI on behalf of another business associate.

When a covered entity engages the services of a CSP to create, receive, maintain, or transmit ePHI (such as to process and/or store ePHI) on its behalf, the CSP is a business associate under HIPAA. Further, when a business associate subcontracts with a CSP to create, receive, maintain, or transmit ePHI on its behalf, the CSP subcontractor itself is a business associate. This is true even if the CSP processes or stores only encrypted ePHI and lacks an encryption key for the data. Lacking an encryption key does not exempt a CSP from business associate status and obligations under the HIPAA Rules. As a result, the covered entity (or business associate) and the CSP must enter into a HIPAA-compliant business associate agreement (BAA), and the CSP is both contractually liable for meeting the terms of the BAA and directly liable for compliance with the applicable requirements of the HIPAA Rules.

This guidance presents key questions and answers to assist HIPAA regulated CSPs and their customers in understanding their responsibilities under the HIPAA Rules when they create, receive, maintain or transmit ePHI using cloud products and services.

1. May a HIPAA covered entity or business associate use a cloud service to store or process ePHI?

Yes, provided the covered entity or business associate enters into a HIPAA-compliant business associate contract or agreement (BAA) with the CSP that will be creating, receiving, maintaining, or transmitting electronic protected health information (ePHI) on its behalf, and otherwise complies with the HIPAA Rules. Among other things, the BAA establishes the permitted and required uses and disclosures of ePHI by the business associate performing activities or services for the covered entity or business associate, based on the relationship between the parties and the activities or services being performed by the business associate. The BAA also contractually requires the business associate to appropriately safeguard the ePHI, including implementing the requirements of the Security Rule. OCR has created guidance on the elements of BAAs [2].

A covered entity (or business associate) that engages a CSP should understand the cloud computing environment or solution offered by a particular CSP so that the covered entity (or business associate) can appropriately conduct its own risk analysis and establish risk management policies, as well as enter into appropriate BAAs. See 45 CFR §§ 164.308(a)(1)(ii)(A); 164.308(a)(1)(ii)(B); and 164.502. Both covered entities and business associates must conduct risk analyses to identify and assess potential threats and vulnerabilities to the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit. For example, while a covered entity or business associate may use cloud-based services of any configuration (public, hybrid, private, etc.), provided it enters into a BAA with the CSP, the type of cloud configuration to be used may affect the risk analysis and risk management plans of all parties and the resultant provisions of the BAA.

In addition, a Service Level Agreement (SLA) [4] is commonly used to address more specific business expectations between the CSP and its customer, which also may be relevant to HIPAA compliance. For example, SLAs can include provisions that address such HIPAA concerns as:

- System availability and reliability;
- Back-up and data recovery (e.g., as necessary to be able to respond to a ransomware attack or other emergency situation);
- Manner in which data will be returned to the customer after service use termination;
- Security responsibility; and
- Use, retention and disclosure limitations.

If a covered entity or business associate enters into a SLA with a CSP, it should ensure that the terms of the SLA are consistent with the BAA and the HIPAA Rules. For example, the covered entity or business associate should ensure that the terms of the SLA and BAA with the CSP do not prevent the entity from accessing its ePHI in violation of 45 CFR §§ 164.308(b)(3), 164.502(e)(2), and 164.504(e)(1) [6].

In addition to its contractual obligations, the CSP, as a business associate, has regulatory obligations and is directly liable under the HIPAA Rules if it makes uses and disclosures of PHI that are not authorized by its contract, required by law, or permitted by the Privacy Rule. A CSP, as a business associate, also is directly liable if it fails to safeguard ePHI in accordance with the Security Rule, or fails to notify the covered entity or business associate of the discovery of a breach of unsecured PHI in compliance with the Breach Notification Rule.

For more information about the Security Rule, see the OCR and ONC tools and OCR guidance on Security Rule compliance [18].

2. If a CSP stores only encrypted ePHI and does not have a decryption key, is it a HIPAA business associate?

Yes, because the CSP receives and maintains (e.g., to process and/or store) electronic protected health information (ePHI) for a covered entity or another business associate. Lacking an encryption key for the encrypted data it receives and maintains does not exempt a CSP from business associate status and associated obligations under the HIPAA Rules. An entity that maintains ePHI on behalf of a covered entity (or another business associate) is a business associate, even if the entity cannot actually view the ePHI [9]. Thus, a CSP that maintains encrypted ePHI on behalf of a covered entity (or another business associate) is a business associate, even if it does not hold a decryption key and therefore cannot view the information. For convenience purposes this guidance uses the term no-view services to describe the situation in which the CSP maintains encrypted ePHI on behalf of a covered entity (or another business associate) without having access to the decryption key.

While encryption protects ePHI by significantly reducing the risk of the information being viewed by unauthorized persons, such protections alone cannot adequately safeguard the confidentiality, integrity, and availability of ePHI as required by the Security Rule. Encryption does not maintain the integrity and availability of the ePHI, such as ensuring that the information is not corrupted by malware, or ensuring through contingency planning that the data remains available to authorized persons even during emergency or disaster situations. Further, encryption does not address other safeguards that are also important to maintaining confidentiality, such as administrative safeguards to analyze risks to the ePHI or physical safeguards for systems and servers that may house the ePHI.

As a business associate, a CSP providing no-view services is not exempt from any otherwise applicable requirements of the HIPAA Rules. However, the requirements of the Rules are flexible and scalable to take into account the no-view nature of the services provided by the CSP.

Security Rule considerations

All CSPs that are business associates must comply with the applicable standards and implementation specifications of the Security Rule with respect to ePHI. However, in cases where a CSP is providing only no-view services to a covered entity (or business associate) customer, certain Security Rule requirements that apply to the ePHI maintained by the CSP may be satisfied for both parties through the actions of one of the parties. In particular
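The guidance's point that encryption protects confidentiality but does not by itself preserve integrity is easy to see in code. The example below is added here as an illustration and is not part of the OCR guidance or NIST SP 800-145. It uses a constructed, stdlib-only stream cipher (keystream derived from HMAC-SHA256 in counter mode, standing in for any unauthenticated cipher mode) and a constructed patient record; the keys, the record layout, and the assumption that whoever tampers with the stored ciphertext knows the record layout and the original field value are all assumptions made for the demonstration. Without an authentication tag, anyone who can write to the stored ciphertext (malware on the storage host included) can change the plaintext the key holder later recovers, and decryption gives no warning. Encrypt-then-MAC with a separate key detects the change.

```python
import hashlib
import hmac
import struct

# Constructed demo keys; in practice these come from a KMS and never leave
# the key holder (the covered entity), not the no-view CSP.
ENC_KEY = hashlib.sha256(b"constructed-demo-encryption-key").digest()
MAC_KEY = hashlib.sha256(b"constructed-demo-mac-key").digest()
NONCE = b"\x00" * 8  # per-record unique value; fixed here for a reproducible demo
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: HMAC-SHA256(key, nonce || counter) blocks.
    Stands in for an unauthenticated cipher mode; not a production cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (XOR is its own inverse). Confidentiality only."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def tamper(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """What a party WITHOUT the key can do to stored ciphertext: XOR in the
    difference between the known old field value and the desired new one.
    The corresponding plaintext bytes flip from `old` to `new` on decryption."""
    buf = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        buf[offset + i] ^= o ^ n
    return bytes(buf)


def encrypt_then_mac(plaintext: bytes) -> bytes:
    """Ciphertext followed by an HMAC over nonce || ciphertext (encrypt-then-MAC)."""
    ct = xor_crypt(ENC_KEY, NONCE, plaintext)
    tag = hmac.new(MAC_KEY, NONCE + ct, hashlib.sha256).digest()
    return ct + tag


def verify_then_decrypt(blob: bytes) -> bytes:
    """Reject any blob whose tag does not match before decrypting it."""
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, NONCE + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("integrity check failed: stored ePHI was altered")
    return xor_crypt(ENC_KEY, NONCE, ct)


def demo() -> dict:
    """Returns what each scheme yields after the same tampering of stored data."""
    record = b"patient=0001;drug=warfarin;dose_mg=05"  # constructed sample ePHI
    dose_offset = record.index(b"dose_mg=") + len(b"dose_mg=")

    # Scheme A: encryption only. The tampering party never sees the key.
    stored = xor_crypt(ENC_KEY, NONCE, record)
    altered = tamper(stored, dose_offset, b"05", b"50")
    recovered = xor_crypt(ENC_KEY, NONCE, altered)  # decrypts "successfully"

    # Scheme B: encrypt-then-MAC. Same tampering on the ciphertext portion.
    stored_auth = encrypt_then_mac(record)
    altered_auth = tamper(stored_auth, dose_offset, b"05", b"50")
    try:
        verify_then_decrypt(altered_auth)
        rejected = False
    except ValueError:
        rejected = True

    return {
        "original": record,
        "unauthenticated_recovered": recovered,
        "authenticated_rejected": rejected,
        "authenticated_untampered": verify_then_decrypt(stored_auth),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The silently altered dosage in the first scheme is exactly the kind of integrity failure the guidance says encryption does not prevent; the second scheme turns it into a detectable error, but only for the key holder, which is why a no-view CSP still needs its own administrative, physical, and availability safeguards (backups, contingency planning) around the ciphertext it stores.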