With more healthcare organizations implementing mobile devices, and increasing their digital storage options, cloud computing security is quickly becoming a top healthcare industry issue.
Healthcare cybersecurity concerns can often make covered entities think twice before they opt for cloud computing, but are all of those concerns justified? How can healthcare organizations maintain PHI security, while still ensuring that they do not fall behind from a technological standpoint?
What is cloud computing and how does it apply to healthcare?
Through cloud storage, organizations can store information offsite while the digital data itself remains accessible from multiple locations.
This could also be considered a type of outsourcing for computing needs, as employees can still log in to databases or network systems from a remote location. Healthcare organizations may find this beneficial if employees ever need to work from home, or if staff members need to travel between multiple office or provider locations.
In terms of healthcare regulations, the HIPAA Omnibus Rule states that patient privacy must be a top priority, regardless of where that information is being stored. Whether or not an entity that maintains the data actually views it regularly, the rule states that it is still considered a business associate (BA) and, therefore, must adhere to HIPAA.
For example, a data storage company that has access to protected health information (whether digital or hard copy) qualifies as a business associate, even if the entity does not view the information or only does so on a random or infrequent basis. Thus, document storage companies maintaining protected health information on behalf of covered entities are considered business associates, regardless of whether they actually view the information they hold.
The Center for Democracy and Technology (CDT) adds that previously, there had been confusion over whether or not cloud service providers could be considered business associates. Not all providers have “routine access” to PHI, even if they maintain it, CDT stated. However, the Omnibus Rule does not refer to “access” in that definition.
“The obligations of a business associate depend on the extent of services and functions it is performing with PHI on behalf of a covered entity,” CDT explains in a Frequently Asked Questions posting. “A CSP that has no capability to access PHI, that provides storage functionality only, and that adheres to HHS standards with respect to encryption should have little liability risk as a business associate (except to ensure that it properly manages encryption).”
What are the potential benefits of healthcare cloud?
Healthcare organizations can find many potential benefits by implementing cloud solutions. For example, as covered entities start to use more mobile devices, they can begin to offload data collection, as well as the quantification of information from connected devices. Furthermore, application environments can all be kept in a secure cloud environment. The improved bandwidth could also help administrators see real-time critical data points.
Cloud computing could also benefit remote workers, or employees who need to remain mobile and work at multiple office locations.
Secure cloud options also present new opportunities in secure clinical and research data sharing. Just last year, Intel introduced the Collaborative Cancer Cloud (CCC), which allowed large amounts of patient genomic data to be analyzed in a distributed way without compromising health data privacy or security.
Intel Fellow and General Manager of Intel Health & Life Sciences Group Eric Dishman explained to HealthITSecurity.com that CCC aimed to improve data sharing without also giving up control of the data. Imaging and genomic files are often too large, and researchers complained that they couldn’t afford to send them around the country even when it was legally possible to do so. Barriers for using and securing data also created barriers in finding large enough sample sizes to benefit cancer research.
With CCC, healthcare organizations are not giving up control of their patient data, according to Dishman. The information will be de-identified, but the data itself does not actually leave the original site.
“It's still under their control and hopefully they've got the right security in place for the data center,” Dishman said. “And it's also protecting whoever is doing the query. If a researcher is using that, and they have a really interesting algorithm or new drug they're doing research on, they don't want to share with all of these other places. So that secure container is really connecting both parties. But the moment it's left your data center, that secure container then dissipates any data that was used, and just the results go back to the host institution.”
Another benefit of healthcare cloud computing is patching: organizations can consistently update the operating environment and keep their technology current.
As HealthITSecurity.com contributor Ashley Leonard explained, unpatched vulnerabilities in apps and the OS are often a top target for cyber criminals.
“Cloud-based systems management tools provide a repeatable, efficient and scalable regime to handle the stream of updates from a diverse array of operating systems including: Microsoft, Adobe, Cisco, Java, Apple and third-party vendors,” Leonard wrote.
What are healthcare cloud security concerns?
While there are numerous potential benefits with using cloud computing, healthcare organizations should also be well aware of the potential risks.
A common top security concern is keeping PHI secure and ensuring that HIPAA rules are followed, even in the cloud.
In December 2015, a Bitglass study found that healthcare increased its cloud adoption from 8 percent to 37 percent in the previous year, and that it lags behind other industries in terms of cloud adoption due to HIPAA regulations.
Specifically, privacy concerns, limited applicability of Mobile Device Management solutions, and doctors moving from one provider location to another can all contribute to healthcare cloud security concerns.
Cloud adoption in regulated industries, such as healthcare and financial services, increased from 15 percent in 2014 to 39 percent in 2015. Adoption in unregulated industries moved up from 26 percent in 2014 to 50 percent in 2015.
“Security has been a major barrier to cloud adoption in many verticals, but it’s especially critical in heavily regulated industries and plays a major role in such organizations’ decisions to move their data into a public cloud app,” the report’s authors wrote.
Similarly, CloudLock found in a survey that excessive PHI sharing was a top concern for healthcare cloud security. Approximately 72 percent of surveyed practices said they concentrate most on preventing excessive sharing in the cloud, while 38 percent of organizations concentrate on protecting PII.
Patient information, PHI, and medical record information were listed as the key types of data healthcare organizations seek to protect, while other high areas of concern included diagnosis, financial information, medical condition, and Social Security number.