Tutorial

Sep 30, 2024

Cerebrium supports HIPAA compliance: A guide for health applications

Kyle Gani

Senior Technical Product Manager

We understand that patient-centered care is the center of your universe and you’re driving the health tech industry forward through the use of innovative technology. But with great innovation comes great responsibility, especially when it comes to protecting sensitive health information. While Cerebrium supports HIPAA compliance and provides a robust and secure platform for your applications, ensuring HIPAA compliance is a shared responsibility. Let's explore how you can maintain HIPAA compliance while building performant, secure and innovative applications on the platform.

Understanding your role in compliance

Cerebrium provides the serverless infrastructure that powers your machine learning apps, but as the developer and operator of your applications on the platform, you're responsible for how you handle Protected Health Information (PHI) that gets processed by those applications. It's crucial to understand your obligations under HIPAA and implement appropriate safeguards within your application and processes.

Steps for HIPAA Compliance on Cerebrium

1. Data minimization and de-identification

One of the most effective ways to reduce your HIPAA compliance burden is to minimize the amount of PHI you handle:

  • Collect only the PHI that's absolutely necessary for your app's functionality.

  • Where possible, de-identify data before storing it on your persistent volumes.

  • Use techniques like data masking or tokenization to protect sensitive information.

How Cerebrium supports you: We offer encryption for data at rest and in transit, adding an extra layer of protection for any data you store.

2. Encryption and Access Controls

Implement additional safeguards within your application:

  • Encrypt sensitive data where possible.

  • Implement strong access controls within your application.

How Cerebrium supports you: Cerebrium has built-in authentication on all of your application endpoints. In addition, you can manage which users have access to your applications (and thus their data) through your application settings.

3. Audit Logging and Monitoring

Maintain a trail of PHI access and use:

  • Implement comprehensive audit logging within your application.

  • Regularly review these logs to detect any unusual activity or potential breaches.

  • Set up alerts for suspicious activities to enable quick response to potential issues.

How Cerebrium supports you: Cerebrium has application logging built in, so you never miss a beat. Head to your dashboard to see both your app and run logs, all from one convenient central location. Moreover, should there be any suspicious activity on the platform (users attempting to deploy potentially dangerous code), we automatically prevent access to these projects and disable these users so that they cannot deploy on the platform. We continuously monitor application activity to ensure that PHI and your intellectual property on our platform remain safe.
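The de-identification advice in step 1 (drop what the model does not need, tokenize identifiers, mask the rest) and the audit-logging advice in step 3 come together in the following added example. It is illustrative code written for this guide, not Cerebrium's own code, and it assumes the HMAC key is supplied from your secret store at runtime; the sample record and field rules are constructed for the example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample record for the example; not real patient data.
SAMPLE_RECORD = {
    "patient_id": "MRN-000123",
    "name": "Jane Example",
    "ssn": "123-45-6789",
    "dob": "1985-04-12",
    "note": "Type 2 diabetes, well controlled",
}

# Data minimization: fields the model never needs are dropped outright.
DROP_FIELDS = {"name", "ssn"}
# Tokenization: identifiers needed for linkage are replaced by a keyed token.
TOKENIZE_FIELDS = {"patient_id"}
# Masking: dates are generalized to year only before persisting.
MASK_FIELDS = {"dob": lambda v: v[:4] + "-XX-XX"}


def tokenize(value: str, key: bytes) -> str:
    """HMAC-SHA256 token: the same input always gives the same token (so records
    stay linkable), but the identifier cannot be recovered without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def deidentify(record: dict, key: bytes) -> dict:
    """Apply the drop / tokenize / mask rules; unlisted fields pass through."""
    out = {}
    for field, value in record.items():
        if field in DROP_FIELDS:
            continue
        if field in TOKENIZE_FIELDS:
            out[field] = tokenize(value, key)
        elif field in MASK_FIELDS:
            out[field] = MASK_FIELDS[field](value)
        else:
            out[field] = value
    return out


def audit_event(actor: str, action: str, patient_token: str) -> str:
    """One JSON audit line; it carries the token, never the raw MRN, so the
    audit log itself does not become a second store of PHI."""
    return json.dumps({
        "ts": datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "action": action,
        "patient_token": patient_token,
    })
```

Run `deidentify` on every record before it touches a persistent volume, and write the returned token rather than the original identifier into the audit line for each PHI access.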

4. Data Backup and Disaster Recovery

Develop your own backup and recovery strategies:

  • Regularly backup your data, ensuring that backups are also encrypted and securely stored.

  • Develop and test a disaster recovery plan specific to your application and data.

How Cerebrium supports you: We offer automatic, encrypted backups and a comprehensive disaster recovery plan, ensuring your data is safe and accessible even in worst-case scenarios.

5. Employee Training and Policies

HIPAA compliance isn't just about technology—it's also about people and processes:

  • Provide regular HIPAA training to all employees who might handle PHI.

  • Develop and enforce clear policies on PHI handling, including guidelines for using the Cerebrium platform.

How Cerebrium supports you: We provide documentation and resources to help you understand how to best utilize our platform in a HIPAA-compliant manner. In addition, our team regularly completes HIPAA training, so as to keep our security and data protection standards high and up-to-date.

6. Business Associate Agreements

As a critical step in HIPAA compliance:

  • Ensure you have Business Associate Agreements (BAAs) in place with any third-party services or partners that may handle PHI on your behalf.

  • Establishing a BAA with Cerebrium is absolutely necessary for HIPAA compliance.

How Cerebrium supports you: We've streamlined the process of establishing a BAA:

  1. To initiate the BAA process, send an email to compliance@cerebrium.ai.

  2. In this email, you can either request our standard BAA or send through your own BAA for review.

  3. Our compliance team will promptly review your request or the BAA you've provided.

  4. We'll work with you to finalize the agreement, addressing any specific requirements or questions you may have.

7. Regular Risk Assessments

Stay proactive in your HIPAA compliance efforts:

  • Conduct regular risk assessments of your application and processes.

  • Use these assessments to identify and address potential vulnerabilities or compliance gaps.

How Cerebrium supports you: Our platform undergoes regular security audits and updates, providing you with a secure foundation for your applications.

Leveraging Cerebrium's Features for Compliance

While HIPAA compliance is a joint responsibility, our platform offers features that can support your efforts:

  • Robust infrastructure security: Our platform is built on a foundation of security, with state-of-the-art encryption for data at rest and in transit.

  • Access controls and authentication: We provide granular access controls and multi-factor authentication options.

  • Audit trails and logging: Comprehensive audit trails are automatically generated.

  • Data backup and disaster recovery: We offer automatic, encrypted backups and a comprehensive disaster recovery plan.

  • Isolation: Take advantage of Cerebrium's workload isolation features to separate different components of your application as needed.

  • Business associate agreement: We provide a streamlined process for establishing a BAA, ensuring that your use of our platform aligns with HIPAA requirements.

  • Ongoing compliance support: Our team stays up-to-date with the latest HIPAA regulations and industry best practices, regularly updating our platform to address emerging security threats and compliance requirements.

Incident Response and Breach Notification

In the event of a security incident:

  • Follow your established incident response plan.

  • Conduct a thorough investigation to determine if a breach of PHI has occurred.

  • If a breach is confirmed, follow HIPAA's breach notification requirements.

How Cerebrium supports you: We have a comprehensive Incident Response Plan in place. While we don't handle PHI directly, we're prepared to support you in the event of a platform-related security incident that could affect your data.

Staying Informed and Adaptable

HIPAA compliance is an ongoing process, not a one-time achievement. Stay informed about changes in HIPAA regulations and be prepared to adapt your practices as needed. Regularly review and update your compliance strategies to ensure they align with both HIPAA requirements and your evolving application.

Deploy your apps with confidence

By understanding your role in HIPAA compliance and implementing these best practices, you can innovate with confidence on the Cerebrium platform. Remember, protecting patient privacy isn't just about avoiding penalties—it's about building trust with your users and contributing to the advancement of health tech in a responsible manner.

Don't forget the crucial step of establishing a Business Associate Agreement with Cerebrium by emailing compliance@cerebrium.ai. This formal agreement is imperative to our commitment to supporting your HIPAA compliance efforts and is an essential component of using our platform for health-tech applications involving PHI.

Ready to take your HIPAA-compliant health-tech application to the next level? Get started by signing up today. You’ll receive $30 in free credits, access to our engineers and support team, and a world-class ML app deployment and inference platform to get you started!

PS: We love startups! If you need more than the $30 in credit to get your application running on the platform, reach out to us at support@cerebrium.ai for additional support!

© 2024 Cerebrium, Inc.