HIPAA Blog

[ Tuesday, January 12, 2021 ]

 

The HIPAA Security Rule requires covered entities to adopt safeguards to protect PHI.  To be specific, the Security Rule (mirroring general data privacy principles) requires covered entities to adopt three types of safeguards (administrative, physical, and technical) to protect three PHI qualities (confidentiality, integrity, and availability).  Thus, a HIPAA covered entity must structure its operations so that PHI remains confidential, is not distorted, and is available when needed.  If the covered entity uses a cloud provider to host its PHI and data operations, the covered entity must be sure the PHI (and its business operations with respect to the PHI) will be confidential, not manipulated, and available.

One of the biggest data security risks these days is ransomware.  The primary problem with ransomware is that it impacts the availability of PHI (ransomware that exfiltrates data also hurts confidentiality, and the scrambling effect of ransomware technically is an integrity problem, but that's the least of your worries).  When a basic ransomware attack occurs, it's a security risk because it prevents the covered entity from having access to its data, which prevents it from using the data in a way that helps the patient.  It's an availability issue.  That should seem obvious.

You are probably aware that last week there was trouble in DC blamed on Trump (I'm not going to get into a fight with you about whether Trump was to blame, nor whether this was a riot, an insurrection or a "mostly peaceful" protest that got out of hand), and Trump was kicked off Twitter.  You may or may not be aware that Twitter is considered to be hostile to conservatives and solicitous of liberals (Ayatollah Khamenei's Twitter account remains active).  You may or may not be aware that there are a couple of alternatives to Twitter, namely Parler and Gab, with Parler being the most preferred by conservatives angry with Twitter (full disclosure, I have both a Twitter and a Parler account, and may have a Gab account as well, I can't remember).

Importantly, Parler touts itself as a free speech site.  It claims to take efforts to remove accounts that actually incite violence, but it does not regulate speech as heavily as Twitter or Facebook, much less clearly targeting conservative voices as Twitter and Facebook do.  Thus, Parler has come into favor with conservative voices seeking an alternative to other outlets that certainly appear (if not being actually) much more hostile to conservative viewpoints.  As far as I know, nobody has accused Parler of actually promoting or espousing "bad" opinions (nor is there the least bit of evidence of that), just that Parler failed to police "bad" actors.  Again, which may or may not be true.

What you may not be aware of is that Twitter, Amazon, and Apple appear to have initiated a concerted effort to knock Parler off the air.  Specifically, Apple has kicked Parler out of the Apple app store (on the day that Parler was the most-downloaded app).  But more relevant here, Amazon Web Services (AWS), the cloud hosting site run by Amazon where Parler's data was stored, kicked Parler off the system and locked the company out of its data.  Amazon defended its decision to freeze out Parler, blaming Parler for abetting the trouble in DC.  Parler is currently dark and non-operational, its business entirely halted while it tries to find another cloud provider to host it.

AWS has made a subjective value-based judgment that Parler is dangerous and should be shut down, because Parler is used by people that AWS deems to be dangerous.  AWS has shut a large customer out of its operations because AWS does not approve of the customer's customers.

AWS could make the same determination regarding Parler's law firm.  AWS could make the same determination regarding a law firm representing the people who post on Parler, who AWS has determined are so dangerous that Parler must be shut down for hosting them.  AWS could make the same determination regarding a healthcare provider who provided care to those people.  AWS could make the same determination regarding an insurer that offered health plans to those people.

It's not a far stretch to think that a healthcare system in a red state would be at risk of being shut out of AWS, because its patients are the types of people AWS associates with Parler.  It's certainly not a stretch to think that AWS could shut down cloud access to a health plan for a gun manufacturer.  Oil companies, Catholic charities, beef farmers, anyone not liberal is at risk.

"Oh, come on," you say, "these are odious people on Parler, all good people would agree they are terrible folks and deserve to be shunned."  Well, wait until it happens to you.  Once your vendors start making value judgments (and "picking sides," which is what they're doing), all bets are off.

There's no avoiding the obvious conclusion here: if you use AWS cloud services, you run the risk of AWS shutting you out of operations if AWS decides it does not like the patients or beneficiaries you serve.  

Thus, as a HIPAA covered entity, you fail to ensure "availability" of PHI if you use AWS.  HIPAA requires you to have reasonable safeguards to protect availability of PHI; if you are hosted by AWS and get shut out, your PHI is no longer available; it's not reasonable to leave that possibility unprotected against.

Final result: using AWS may be a violation of HIPAA, because it is an unreasonable risk to availability.


Jeff [11:35 PM]
