4 Steps to Keeping Patient Data in the Cloud Protected

Once patient data has been migrated to the cloud securely, it will require ongoing protection against loss or unauthorized access. Follow these four steps to keep cloud-based data protected in an ongoing basis.

My first post in this series offered 7 steps for preparing to move patient data to the cloud. In my second, I covered 6 steps for moving patient data to the cloud securely using a cloud DLP solution. Of course, a security team’s work isn’t done once data has been migrated to the cloud. Once this process has been completed, security teams are tasked with keeping that information secure against loss or unintended exposure and securing any additional data that is created in or moved to the cloud. Here are steps to help guide this ongoing processes using your DLP solution:

1. Conduct Internal Audits

At any time, conduct a mock HIPAA compliance audit of the information in cloud storage. Not only will the organization be ready for any external audit demands, but this will force questions to be asked regarding where to focus next on risk mitigation strategies.

2. Filter and Audit New Information as it is Moved to the Cloud

As you continue using cloud storage and services, there will undoubtedly be new data that you need to move to the cloud. Apply DLP capabilities to inspect all data before it leaves the enterprise network and heads to the cloud. DLP tools will identify regulated information automatically and allow it to be removed, encrypted on the fly, or stopped for remediation according to policy for the particular information. This enables for information to be inspected at the final stage prior to migration rather than some previous point where there is still a window in which protections could be removed. These automatic processes reduce opportunities for error and audit trails provide visibility into information being transmitted.

3. Scan File Systems Planned for Cloud Storage

For efficiency it may sometimes be appropriate to scan entire file systems when there are uncertainties regarding content. Or, the file systems may be so large that it is desirable to scan them prior to the uploading transmissions, which will look at each record at a time. Employ your DLP solution to inspect all data poised for sending to the cloud. Sensitive data discovered will be controlled according to policies established by the enterprise:

  • Before release to the cloud sensitive information may be denied passage or automatically encrypted
  • Or, other prescribed remediation may be applied

4. Apply Remediation Selectively at Each Step

Depending on your own situation, it may not be most effective to encrypt everything sent to the cloud. Use your DLP solution to apply the appropriate remediation automatically according to your established policies for that particular information and where it is being stored or transmitted:

  • Policies dictate action for specific data elements
  • More efficient, speedier processing
  • Alternatives may add burden of needless repetitive encryption and decryption

Read more from this series

Brian Mullins

Data Protection Security Audit Checklist

Are you ready for your next security audit? Our checklist has 12 questions to help you prepare.

Download Now

Related Articles
Medical Data of 500,000 Reportedly Leaked Online

France’s data protection authority is looking into reports this week that a data breach of a "particularly significant magnitude" may impact half a million French citizens.

Georgia Clinic Pays $1.5M to Settle HIPAA Noncompliance

An investigation by HHS OCR at this clinic uncovered "longstanding, systemic noncompliance with the HIPAA Privacy and Security Rules."

Phishing Attacks at Hospice Expose PHI, PII

A hospice in Tennessee didn't realize until months after suffering a phishing attack that it may have resulted in the access of sensitive protected health information.

Brian Mullins

Brian Mullins is vice president of product marketing at Digital Guardian. His team is responsible for strategic marketing at the product line level. Brian has over seven years of security executive experience in both data protection and identity and access management. He is a patent holder and winner of a Business Week International Design Excellence Award.

Please post your comments here