- While more healthcare organizations are considering some form of cloud computing, they might be putting sensitive information at risk by failing to encrypt patient data, according to a recent survey.
HyTrust found that even though healthcare entities list security as a top concern in cloud migration, 25 percent that are already utilizing the public cloud report that they are not encrypting patient data.
Furthermore, over one-third – 38 percent – of respondents that have data deployed in a multi-cloud environment that included Amazon Web Service (AWS) and Azure are not using any form of encryption.
Even with the lack of encryption, 82 percent of those surveyed said that security was their top concern.
The survey also found that 63 percent of healthcare organizations plan to use multiple cloud vendors, with 63 percent also saying they are currently using the public cloud.
Along with considering necessary technical safeguards, healthcare organizations also need to ensure that they are properly training employees and hiring individuals with strong cybersecurity skills.
Earlier this week, Intel Security released findings that showed that the number of individuals with the necessary cybersecurity skills is not keeping pace with cloud adoption. While 93 percent of respondents in that survey use some form of cloud services, the average number of utilized cloud services in an organization dropped from 43 in 2015 to 29 in 2016.
Additionally, 40 percent of cloud services are now commissioned without the IT department, likely driven by the slower IT adoption or from cloud computing becoming a more acceptable option.
“Despite the majority belief that Shadow IT is putting the organization at risk, security technologies such as data loss prevention (DLP), encryption, and cloud access security brokers (CASBs) remain underutilized,” the report’s authors wrote. “Integrating these tools with an existing security system increases visibility, enables discovery of shadow services, and provides options for automatic protection of sensitive data at rest and in motion throughout any type of environment.”
Healthcare cloud security is quickly becoming a top priority for federal agencies as well.
The Department of Health and Human Services (HHS) released updated HIPAA cloud computing guidance toward the end of 2016. The goal was to assist covered entities, business associates, and cloud service providers (CSPs) in understanding how properly utilize cloud computing while still remaining HIPAA compliant.
A key aspect to the guidance is are cloud resources offered by CSPs that are legally separate entities from a covered entity or business associate considering the use of its services.
“When a covered entity engages the services of a CSP to create, receive, maintain, or transmit ePHI (such as to process and/or store ePHI), on its behalf, the CSP is a business associate under HIPAA,” the guidance stated. “Further, when a business associate subcontracts with a CSP to create, receive, maintain, or transmit ePHI on its behalf, the CSP subcontractor itself is a business associate.”
Covered entities or business associates must enter into a business associates agreement with their chosen CSP, as each party will be “contractually liable for meeting the terms of the BAA and directly liable for compliance with the applicable requirements of the HIPAA Rules,” according to HHS.
The agency added that covered entities and business associates can also store or process ePHI in a cloud service.
The guidance also did not specifically require encryption for cloud computing, but it noted that it can significantly reduce the risk of data exposure.
“While encryption protects ePHI by significantly reducing the risk of the information being viewed by unauthorized persons, such protections alone cannot adequately safeguard the confidentiality, integrity, and availability of ePHI as required by the Security Rule,” HHS explained.
Encryption does not maintain ePHI integrity and availability, HHS added. This includes “ensuring that the information is not corrupted by malware, or ensuring through contingency planning that the data remains available to authorized persons even during emergency or disaster situations.”