Cloud computing offers many benefits to healthcare companies, including flexibility, scalability, and cost-effectiveness. However, one potential disadvantage of the cloud for healthcare is the need to comply with HIPAA. By storing and managing health data in the cloud, patients’ personal medical information may become exposed to cyber-attacks, and a resulting breach can constitute a violation of the provisions of HIPAA (Health Insurance Portability and Accountability Act), which can result in thousands (or even millions) of dollars in fines.
Cloud Service Providers and HIPAA
In 2009, Congress extended the jurisdiction of HIPAA to business associates. By law, any service provider with access to the protected health information (PHI) of a covered entity is considered a business associate (BA). BAs include cloud service providers and their subcontractors who create, receive, maintain or transmit PHI on the covered entity’s behalf. In addition to extending the jurisdiction of HIPAA to business associates, the government has also increased the penalties imposed under this law. Initially, the penalties ranged from $100 to $25,000. But from 2019, the penalties range from $100 to $1.5 million.
Actions that health entities must take to protect their customers’ data in the cloud
The responsibility to protect personal health information must be shared by all parties: the patient, the health facility and the cloud service provider. Indeed, if a breach occurs because of the carelessness of a single party, every party is affected. For example, patient data could be used to blackmail them, and the health care center and cloud provider would be fined heavily by the government. Yet the weakest link in the safety of PHI, other than the patient, is the healthcare facility itself. In most cases, cloud service providers offer greater data security than healthcare organizations. That being said, here are some steps that healthcare organizations must take to complement the efforts of their cloud computing vendors in protecting the data of their customers.
1. Privacy and Security
Healthcare facilities must develop, adopt and implement strict privacy and security policies and procedures. In addition, these institutions must document all their procedures and policies, including the steps to be taken in case of a breach. This is particularly crucial in an era where cyber security threats, such as distributed denial of service (DDoS), brute force, and other forms of attack, are becoming increasingly serious. For health care organizations, it is essential to have stronger security safeguards and appropriate protocols.
2. Understanding of Vulnerability
Even the tightest systems are not 100% secure. It only takes one mistake or a minor oversight to compromise one. As such, health organizations should regularly test their exposure to cyber threats, even if they believe that their systems are the safest and most secure ever developed, and make the necessary adjustments where needed.
3. Email essentials
Although the messaging systems of many health care facilities are compliant with HIPAA guidelines, it is worthwhile to make the extra effort to encrypt patient data. Encryption not only provides additional data protection but also protects these organizations in the event of an investigation. The best part is that email encryption is now relatively fast and easy to implement. In addition, many email providers offer it for free. Organizations that do not want this service for one reason or another must at least inform their patients that requesting records electronically endangers their personal health data.
4. Mobile Rules
Hospitals need a firm policy on protecting health data on mobile devices, including mobile phones, tablets, and laptops. In addition, the policy must indicate how to manage new devices added to the facility’s network and existing devices that are removed from it. These devices are prone to theft, which could result in personal health data falling into the wrong hands.
In 2016, Catholic Health Care Services, an entity providing information technology and management services to skilled nursing facilities, was fined $650,000 following an incident involving the PHI of one of its clients. The incident occurred after the theft of a company iPhone, which was neither encrypted nor protected by a password lock.
5. Staff education
Although not all employees in a health facility are expected to have a thorough knowledge of the HIPAA guidelines, it is useful for institutions to train their employees in the basic HIPAA guidelines. It has been proven time and time again that employees are the weak link in a company’s cyber security chain. Providing all employees with basic knowledge of cyber security protocols and HIPAA guidelines is a great way to strengthen this link.
6. Establishment of protocols for possible breaches
Finally, health organizations need to have a strong protocol to restore and strengthen the system after an attempt is made to compromise data security. Cyber criminals continue to develop their skills so that they can breach systems they were not able to breach before. Organizations should not place too much confidence in their data backups, as even the strongest protections ever put in place could be defeated by attackers. Instead, they need to establish a well-thought-out protocol to make their systems even more airtight after an attempted or actual breach.
While the responsibility for protecting personal health information is shared by the patient, the health facility, and the cloud service provider, most of the work falls to the hospital and the cloud service provider. Yet, many hospitals are not doing enough to complement the efforts of their cloud service providers. Entities providing health care must take the above steps to help their cloud providers effectively protect their customers’ data.