This post is part of the #HIMSS15 Blog Carnival series, which is designed to get your wheels turning about the future of health IT. Today’s trending topic is on security.
The idea of putting data and applications in the cloud is changing the game across all industries and beginning to take hold in healthcare. Healthcare is moving to a digital platform and becoming more patient-centered and data driven. The upside of this transformation is greater sharing and accessibility of information when and where it is needed. But, from an IT standpoint, this evolution poses threats to security. Striking a balance between privacy and convenience underpins the healthcare cloud dilemma. On one hand, cloud services can boost productivity at a lower cost than some on premises IT solutions. At the same time, healthcare providers must rethink their strategies for keeping patient health information safe in the cloud. Below are a few considerations for hospitals and practices looking to adopt cloud technology.
1. HIPAA Business Associations Agreement (BAAs)
Although HIPAA was created almost 20 years ago, applying its standards to our new world of cloud, apps, and mobile devices pose new challenges.
It’s important that healthcare organizations obtain BAAs from their cloud vendors to help outline the responsibilities for compliance. A HIPAA business associate agreement (BAA) is a contract between a HIPAA covered entity and a HIPAA business associate (BA) that is used to protect personal health information in accordance with HIPAA guidelines.
2. Data Ownership
One of the key advantages of enlisting a cloud service provider is the ability to offload the management aspect of the IT system. Rather than maintaining the physical infrastructure in house, the cloud provider is responsible for keeping everything in tip-top shape offsite. With information being stored at a separate location, it’s important to be clear about who owns the data and ensuring the information can be accessed and audited when necessary.
3. Encryption Technology
There’s no doubt that the industry is trending towards increased collaboration, which means more sharing of information. The proper encryption and tokenization is an absolute must in safeguarding data in transit and in storage. As outlined by the HHS, to avoid a breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt. What this ensures is that even if a data breach somehow occurs, the information will be unreadable, unusable or indecipherable to the attacker.
4. Access Control and Permission Management
Access management, which grants authorized personnel the right to use a service while keeping non-authorized users out, should extend to your cloud solution(s). Many cloud vendors can integrate with your active directory for authentication purposes and can apply additional login security measures. In addition to authentication and login controls, it’s important to manage the permissions that various users have access to once they are logged into the cloud platform. A “role-based” permission system is a scalable way to define what activities a user is allowed to execute. Essentially, this approach to managing users makes it easy to apply granular control over “who gets to see what, and when.”
5. BYOD and Mobile Devices
In the past, organizations put a blanket ban on accessing confidential clinical information on personal portable devices. However, as doctors and nurses become more attached to phones and tablets, it’s becoming harder and harder to control. The rule of thumb for mitigating risk when embracing BYOD is to focus on securing the data, not the device. Just as important, patient health information should never be stored on personal computers, phones, or tablets. In this scenario, the device is used to display information only; while the information itself is stored in an HIPAA safe environment externally. Again, access management and encryption technology should extend to mobile devices to ensure proper audits can be performed.