SEC- and HIPAA-compliant businesses face specific risks and stringent regulations when it comes to protecting business data, making them leery of cloud storage solutions.
By Andrea Holved
No company wants their data hacked or their customers’ private information leaked. But for some specialized businesses, a data breach can result in much greater consequences, up to and including multimillion-dollar fines by the federal government. Read how the FTC is cracking down on data security.
Two of the most highly regulated industries are finance and health care, which are required to adhere to strict privacy and reporting standards established by the U.S. Securities and Exchange Commission (SEC) and the Health Insurance Portability and Accountability Act (HIPAA), respectively.
“HIPAA and SEC compliance demand very similar solutions, which include encryption, limited access to data, audit trails and proper ways to communicate with clients and patients,” says Nick Espinosa, CIO of Chicago-based IT consulting firm BSSI2, many of whose clients are HIPAA- and SEC-compliant.
The primary difference between the two regulatory standards, from an IT standpoint, is that SEC compliance requires record retention for seven years, as well as an audit trail that must be archived, preserved and available on demand to the SEC. “Failure to do this can literally put a financial institution out of business if the lapse is bad enough,” Espinosa says.
In either industry, failure to protect client information from a breach can lead to massive fines, not to mention destroying a company’s reputation.
Understandably, then, many financial and health-care businesses are wary of adopting new technologies for record-keeping and data storage. But should they be?
“There’s a lot of folks that say an internal department and internal infrastructure is the best way to go,” says Stephen Arndt, consulting CIO for Medicalodges, a Kansas post-acute health-care company that must comply with HIPAA. “From what I’ve seen in my experience, it’s quite the opposite.”
IT best practices
Because the privacy standards imposed by HIPAA and the SEC essentially amount to IT best practices, many of the major cloud service providers already offer top-of-the-line, secure and fully compliant options, both Espinosa and Arndt say.
“Any business that wants to be secure in general, which we hope would be all of them, is typically set up by us to SEC/HIPAA standards, minus the long data retention requirements,” Espinosa says.
Arndt agrees. “I don’t believe HIPAA imposes anything that an IT department shouldn’t be doing anyway,” he says. “We ought to be protecting our data; we ought to be protecting personal information of any kind in company data. So the fact that we have a law that says we have to do it—it’s no big deal to me. That should be foundational to IT anyway.”
Plus, he says, there are key benefits to cloud storage. “The move towards the cloud has been important to us because it puts the responsibility on the servers, and some of the security on a venture partner that has, quite frankly, more staff than we do,” Arndt says. “If you don’t have an IT department that’s 15-20 folks, chances are you’re not doing a good job internally.” Read our guide for hiring IT help.
Outsourcing to a cloud service provider can also be less expensive. “Oftentimes it is cheaper to store archival data in the cloud than it would be to purchase and maintain an onsite archiving solution,” Espinosa says. “Price has come down so drastically over the last five years that most companies run a hybrid solution right now, with more and more going to the cloud over time.”
Do your homework
Of course, not all cloud storage providers are created equal. Any service provider you are considering should be thoroughly vetted, and should be willing to sign a business associate agreement (BAA), which is legally required by HIPAA. And any business that prioritizes protecting its sensitive information should follow the guidelines we laid out in our recent article on how to ensure your data backups are secure.
There is also the security of your on-premises network to consider: you can have all the recommended cloud storage security in place and still be vulnerable to a breach if a computer on your local network is infected and can be remotely controlled by an attacker.
Transitioning to the cloud may seem like a risky move—and when done by inexperienced or uninformed personnel, it certainly can be—but it can be a smart business solution for high-privacy companies with small IT departments or large amounts of archival data to store. Read how one SMB dealt with a devastating loss of backup data.
“I think you absolutely need to be wary,” Arndt says. “You need to pay attention. But can you do it safely? I believe so, absolutely.”
This article was underwritten by HP: Introducing HP BusinessNow, the right technology to help your business grow.