According to HIMSS, healthcare cloud adoption rates have reached 84% as of 2016. However, secure cloud deployments and their regular management has remained a challenge, as seen by the number of security breaches and compliance issues in 2017.
Cloud technology enables on-demand access to healthcare data for storage and data processing with just a simple internet connection, boosting productivity and improving patient care. Despite the clear benefits of the cloud, data security, data integrity, and data confidentiality remain ongoing issues for healthcare leaders. Data breaches and malicious attacks (both from within and outside your organization) can be avoided when the proper people, technology, and processes are in place. Let’s discuss the most common mistakes in healthcare cloud usage and management so you can plan accordingly.
- Poorly Defined Roles in Data Management
As you introduce new technology to your business, you must account for the potential vulnerabilities that come along with it and determine who is accountable for the implementation and the management of said technology. Cloud deployments are no different. However, it’s not always clear who owns the responsibility … is it your IT team? Your security team? There is no one right answer; it’s usually a cross-departmental effort where roles across departments must be clearly defined and documented. From enforcing policies to managing user access control, it’s important to note who is accountable for what in your operations—eliminating any ambiguity and gaps in your security. We recommend regular communication among departments and your cloud service provider in order to continuously improve policies, discuss concerns, and update procedures as necessary.
Ask you may know, the responsibility of data compliance and security for your healthcare cloud is shared. Business associate agreements with your cloud provider ensure that there’s no confusion about the day-to-day activities associated with compliance. Look for cloud providers that are audited and hold industry-respected certifications such as the HITRUST Common Security Framework.
- Insufficient or Improper Policies and Procedures
To effectively protect your data, you should create and enforce proper security protocols. It’s important to know that you can have countless policies and procedures in place, but if they aren’t based on best practices and tailored your operations, you may still be creating vulnerabilities in your healthcare cloud.
We recommend starting with an audit of your current security measures. You may find that there are some systems and applications used across your organization that aren’t approved by your security or IT department (also known as shadow IT) and may not be secure. Another common mistake is with user access control; this includes giving employees too much access to data or systems and/or not tracking that access (i.e. if an employee leaves the organization, his or her access should be revoked). By dividing your staff into work functions and giving them only the necessary access, you mitigate intentional inside attacks, as well as accidental data tampering. It’s also crucial that every endpoint is secure. For example, API keys should be handled the same way as encryption keys and third parties should be verified before the API keys are released. Policies should cover all possible endpoints—smart beds, laptops, phones—that are connected to your network.
Avoid missteps by developing a strong foundation of policies, controls, and security procedures anyone in your organization can access. Schedule training with all employees, and perform additional training for those who are involved in security and compliance procedures. Keep your provider abreast of any updates to your security and compliance strategy.
- Technology Doesn’t Satisfy HIPAA Requirements
Healthcare cloud providers are required to comply with Health Information Portability and Accountability Act (HIPAA) regulations too, as specified by the HITECH Act. The act states that service providers, such as cloud vendors, must protect the data they store and process. Technology is a critical part of effective data protection. HIPAA’s Administrative Safeguards, Physical Safeguards, and Technical Safeguards offer guidance on addressable and required technology. The most common mistakes with cloud deployments involve faulty data encryption, which must be FIPS 140-2 compliant, poor use of multi-factor authentication keys and key management, and timely vulnerability patching. Audit logs showing access to ePHI and business continuity planning are commonly overlooked, too.
- Lack of Focus on Data Availability
The key to reliability and uptime is in your data backups and disaster recovery efforts. If you don’t have access to the data you need, you can’t be productive. Note, backing up your data is not the not the same as having a disaster recovery plan—this is a common misconception. Data backup is part of business continuity planning, but true disaster recovery requires more planning. Ideally, you can use real-time replication across multiple locations, perform recovery tests, and fail-over to your backup data without disruptions. It’s important to replicate your data across multiple data center locations, located on different power grids and away from natural disaster zones, in order to mitigate risk if there is an outage at one location.
It’s Not Enough to Be Compliant. You Must Prove Your Compliance.
Transitioning your healthcare business to the cloud requires a thorough roadmap with checkpoints for security and compliance along the way. Remember that technology is just the first step in a secure cloud deployment—proper security and compliance also includes the processes that protect your sensitive data and the documentation that proves your compliance efforts. You and your healthcare cloud provider are liable for the documentation that proves you’ve invested in measures to safeguard patient data. When the time comes for your compliance audit, the documentation of your efforts makes all the difference in incurring regulatory fines.
This is by no means a comprehensive list of the obstacles you must overcome in deploying and managing your healthcare cloud. Hopefully, you can learn from your peers’ mistakes and choose a healthcare cloud provider that helps you mitigate these issues to stay on the right side of the law.
This post was originally posted in the EMR and HIPAA section of The Healthcare Scene.