A major trend in healthcare IT is the transition to electronic health record (EHR) technology, many of which are cloud-based or leverage cloud technology. While cloud-based EHR systems and other technology bring many benefits to healthcare firms - improved mobility and information access as well as streamlined record keeping among them - these systems can also put sensitive health information at risk. As healthcare organizations are increasingly being targeted in cyber attacks, both the U.S. Government and the private sector are putting pressure on healthcare companies to bolster their information security programs. Last Tuesday saw the release of updated HITECH rules from the U.S. Government's department of Health and Human Services which require healthcare organizations seeking federal subsidies for implementing EHR systems to prove that they are addressing the risks inherent to those systems with better data protection measures.
Of course the transition to a cloud-based EHR system or other technology is no small undertaking, particularly for healthcare organizations that manage sensitive data for millions of patients. Staying secure while adopting cloud technologies requires careful planning and ongoing security efforts to ensure that healthcare organizations can reap the benefits of new technology while keeping their most valuable data safe and complying with regulatory requirements. Here are 7 steps to help healthcare organizations prepare to move patient data to the cloud securely.
1. Assess Current Information Policies
Ensure that any existing information governance rules may be extended to cloud data. In some cases it may be desired to apply more stringent controls on data in or intended for cloud storage.
2. Assess Current Usage of Cloud Storage
Determine the protection requirements and status of any data already stored in the cloud. Investigate current personal cloud use by medical professionals or other employees. It may be found that some patient data is already being inappropriately stored in the cloud and creating data loss risks previously not known. An appropriate managed cloud capability will remove the perceived need for any such practices by individuals.
3. Establish Credible Expectations
Cloud storage changes the available means of data visibility and control. In the absence of a well communicated policy, medical professionals may use unsecured cloud services to store patient data in order to make it more easily accessible when traveling with their mobile devices. A DLP solution appropriate for cloud storage protection will facilitate the application of uniform policy across the enterprise, including the cloud. In particular, an appropriate DLP solution will provide means for educating every end user and preventing unauthorized actions when required by policy.
4. Set Objectives Appropriate for the Organization
After gathering and reviewing existing policies and procedures concerning the handling of sensitive information, develop an agreement on what information is to be placed in the cloud, what that placement should accomplish, and note any information requiring special protection and control. For example, a first step may be to identify and encrypt all records identifying patient names with their Social Security or hospital ID numbers.
5. Involve the Stakeholders
Ensure the participation of those responsible for entering or accessing patient information and those responsible for adhering to HIPAA compliance requirements. All parties should understand the benefits being sought from cloud storage and the requirements for protecting sensitive data expected to be placed there. Managers should understand the benefits and issues of the cloud storage as well as the policy enforcement capabilities provided by DLP. Cloud data protection stakeholders could include:
- Compliance and privacy personnel
- Professional medical staff
- IT security
- Executive management
- Third party consultants specializing in data security
6. Assess the Costs Involved
If a data loss prevention or other data security solution is being acquired for the first time, resist buying features you will never use. Do a 5-year total cost of ownership (TCO) analysis to compare alternative possibilities, including the costs for: hardware, software, maintenance, training, and any professional services that will be required. Understand any software licensing payment terms.
7. Test Any Proposed Solution On-Site
Insist on a short demonstration or Proof of Concept to evaluate ease of installation and usage. This should be done in your environment with the organization’s own data both inside and outside of cloud storage. A system that requires separate services only for cloud storage will be both inefficient and confusing in operation. Seek a DLP solution capable of comprehensive and consistent compliance management across the enterprise including the cloud.
Following these steps will go a long way in preparing your healthcare organization for a secure cloud transition. Stay tuned for future posts on moving patient data to the cloud securely and providing ongoing protection for healthcare data in the cloud.
Read more from this series
Brian Mullins is Vice President, Content and Programs Strategy at Digital Guardian.
Data Protection Security Audit Checklist
Are you ready for your next security audit? Our checklist has 12 questions to help you prepare.
Related ArticlesHealthcare Security: Understanding HIPAA Compliance and its Role in Patient Data Protection
After the "year of the healthcare breach," many healthcare organizations are taking steps to improve their data protection strategies to meet regulatory requirements and secure health information against costly data breaches. Here's an overview of the data protection requirements for compliance and beyond.Time to Stop the Bleeding on Medical Device Security
There has been much discussion recently around the insecurity of medical devices, yet attackers are still determining how to best leverage these devices once compromised. What does this mean for device manufacturers and the medical facilities that use them?A Hospital and its Technology Partner Share $90k HIPAA Fine
The tech giant EMC was named along with a Connecticut hospital in a $90,000 fine after losing patient data.