(Legacy) The Cloud Application Inventory

Storing patient data in a Cloud application or service like an Electronic Health Record (EHR) system or Cloud Storage services like Google Cloud is a great way to manage data, to secure it and provide broad access to the information for team members. But HIPAA compliant cloud hosting requires safeguards to be in place to ensure the confidentiality, integrity, and availability of the electronic Protected Health Information (ePHI) and the Guard has great tools to document where your patient data is stored and the protections in place to safeguard it. The Guard will also analyze your answers and create Remediation tasks to guide on adding safeguards wherever you are missing protections.

In this article, we’ll explain how to use the Guard’s Assets page to document your Cloud Applications.

The Assets Page

The Assets page allows you to document where your ePHI is being stored in your Organization (in your Organization’s devices) and outside your Organization (in Cloud applications). To access the page, click the Assets icon in the Navigation Panel on the left of the screen.

Once on the Assets page, click on the Applications tab to add Cloud applications and document the protections enabled there.

There are two ways to add Applications to the Guard:

• Click the Add Applications button to add Cloud Applications using the Guard’s easy interface.
• Complete the Applications’ Excel Worksheet and Bulk Upload the data (very handy if you have many Applications to add)

The Add Applications button will open an easy interface to collect the required information.  While there are several fields in the window that you can fill out, only the fields with an asterisk (*) are required to complete. These include:

• Application: Enter the name of the Cloud Service that stores your ePHI here.
• Activation Date: The date you began using the Cloud Service. If unsure of the exact date, enter the nearest approximate date.
• User Access: Note who has access to the data. Choose either All Users, Departmental (for example, only the Providers or other specific team or department), Management Only. The notes field beneath the dropdown is a way to explain the answer if more detail if needed.
• Administrator: Who is the Administrator of the Cloud application?  Can often be one of the Officers, the Compliance Officer or Security Officer.
• Associated Site:  Select the Office from which that the Cloud Service is accessed and used. The Guard defaults to All Sites.
• BAA with Vendor: If the Cloud Application stores your patient Data, they are your Business Associate under HIPAA law, so be sure you secure a Business Associate Agreement (BAA) with that Vendor!  Answer Yes if you currently have a BA agreement in place, No if you don’t.
• Security Controls: A list of Security protections that should be enabled and in place to safeguard the ePHI stored in the Application.
  1. Encryption
  2. Antivirus/Malware: Does the Cloud Application vendor have Antivirus/Malware protection?  Generally, they will have this in place if they offer a Business Associate Agreement but when in doubt, you can reach out to your Vendor’s support team to confirm.
  3. Strong Password: Does your team follow a strong password policy to log into the Application (for example, eight character passwords at minimum, a mix of numbers and letter, mix of upper and lower case characters, the ability to use special characters, etc.?)
  4. Multi-Factor Authentication: As a part of a strong login policy, is Multi-Factor Authentication enabled so that the service sends a code to your phone or email upon logging in with your password? This extra step will help prevent access to the data if the password is compromised.
  5. BackUps: Is the patient data backed up so that there is a retrievable exact copy? 

There is also an Other Forms of Protection slider that, when clicked, will display a text box that you can use to add additional protections that are in place.

When in doubt about whether or not a particular protection is in place and enabled, you can reach out to your Vendor’s support team to confirm.

Below are additional fields in the window to document information if available:

• URL: The web address of the Cloud Application
• Version or License Type: The latest version number of the Application or its type of software license
• License Number: The software’s license number
• Deactivation Date: The date when you have deactivated the Cloud application and are no longer using its services.
• Risk Rating: A subjective assessment of the Risks to the patient data based on several factors that include the type of data, the impact if the data were breached, the protections in place, etc. This is a dropdown with a range of numbers from one through ten, with ten being the highest risk to the data. Generally, the more protections you have enabled and in place, the lower the risk number.  The Guard defaults to a medium risk number.

If you have a lot of Cloud Applications to add, the Excel Worksheet is a convenient way to add all of the information at once and Bulk Upload the Applications into the Guard. 

Click the Bulk Upload button to open a window where you can Download a Template to add data and also Upload the completed Worksheet back into the Guard.

The Excel template includes all of the fields from the Add Application interface. The columns that are required to fill out at minimum are all marked with a white asterisk (*) in the Column title.

To upload the completed Worksheet, click the Bulk Upload button and either drag and drop the Worksheet into the gray upload box or click the same gray box to browse your computer to find and select the Worksheet where it is stored. The click the Upload button to complete the upload.

Remediation Tasks

When you complete your Cloud Inventory, the Guard analyzes your answers and creates Remediation tasks wherever you note that you do not have a protection in place. You’ll work on these tasks to document the protections that you add to safeguard the data. 

You’ll find these tasks in the Open Tasks tab on the Assets page.

Here you can filter tasks in several ways:

• Site: this filter can be used for multisite Users if only Tasks from a specific Site want to be viewed.
• Program: this can be used to sort between HIPAA, OSHA, or other Programs that The Guard offers so you can only view Tasks for that specific Program.
• Type: this filter can be used to view tasks by task type. This includes "Remediation" for tasks related to remediation requirements, "Attestation" for tasks related to training, "Question" for tasks related to audits, and "Miscellaneous" for tasks that were added manually using the "+ Add Task" button.
• Date: these filters can be used if you only want to view tasks within a specific date range.
• Status: this filter can be used if you'd like to view only "Complete" tasks, or "Incomplete" tasks.
• Search: this filter can be used to filter tasks using keywords such as "fax" or "security."

Clicking on any Task from the Task list (from Assets > Open Tasks), will open that Task’s detail page. Here, you can select a Target Date assign a Task to a specific User by using the Assignee dropdown menu and add related notes in the Notes section. You can also use the Evidence tab to attach any related documentation. Once you have completed your edits, be sure to click the Save Task button.