With more healthcare organizations looking to cloud computing and file sharing options, PHI privacy and security cannot be overlooked. Failing to account for how these tools interact with sensitive data or work to keep that data secure could lead to a data breach.
Just under half of surveyed organizations – 49 percent – stated they had at least one confirmed file sharing data breach in the last two years, according to a Ponemon Institute and Metalogix report.
Approximately 1,400 respondents were interviewed for Handle with Care: Protecting Sensitive Data in Microsoft SharePoint, Collaboration Tools, and File Share Applications.
Seventy-nine percent of respondents said they did not think that existing tools are "very effective" at protecting sensitive content from accidental exposure or a targeted breach.
Over half of respondents – 58 percent – added that their entity does not adequately ensure that SharePoint users appropriately interact with confidential or sensitive data.
"SharePoint houses a vast amount of sensitive data, but organizations are not taking sufficient steps to keep it safe," Ponemon Institute Chairman and Founder Dr. Larry Ponemon said in a statement. "The pressure to be productive is causing employees to put sensitive data at risk. Security and SharePoint professionals must understand where this content resides and how it is accessed and shared."
Data loss prevention (DLP) and automation are the top priorities for organizations to properly address security challenges with file sharing options. Sixty-three percent of respondents said having appropriate DLP technologies in place would be the most effective solution for breach prevention.
Nearly three-quarters of those surveyed said the automated discovery of sensitive information would assist them in securing data, while 70 percent stated the classification of sensitive data would help in securing it.
Healthcare organizations need to take extreme care in maintaining PHI security. With 26 percent of consumers having had their PHI stolen in a healthcare data breach, entities must understand how all tools – file sharing or otherwise – interact with sensitive information.
This is especially true as cloud-based health IT infrastructure is increasing in popularity, with more entities utilizing it for email, patient care, and file sharing, according to a 2016 survey from SADA Systems.
Forty-five percent of healthcare organizations reported they use between six and 10 cloud-based apps.
“Cloud apps and tools that connect administrators to suppliers, doctors to patients and hospitals to staff are increasingly important – not only because they improve productivity and enhance patient care and satisfaction, but because they distinguish modern organizations from legacy providers, which is attractive to the younger generation of healthcare users,” SADA Systems President and CEO Tony Safoian said in a statement.
Toward the end of 2016, HHS updated its HIPAA cloud computing guidance to assist covered entities and business associates in maintaining HIPAA compliance while utilizing new technologies.
“When a covered entity engages the services of a CSP to create, receive, maintain, or transmit ePHI (such as to process and/or store ePHI), on its behalf, the CSP is a business associate under HIPAA,” HHS explained. “Further, when a business associate subcontracts with a CSP to create, receive, maintain, or transmit ePHI on its behalf, the CSP subcontractor itself is a business associate.”
HHS added that covered entities and business associates can store or process ePHI in a cloud service.
A Service Level Agreement (SLA) can also be used to ensure that a CSP and its customer specifically address business expectations, such as how sensitive data is handled, stored, or transferred.
For example, HHS outlined the following areas that could be covered in an SLA:
- System availability and reliability;
- Back-up and data recovery (e.g., as necessary to be able to respond to a ransomware attack or other emergency situation);
- Manner in which data will be returned to the customer after service use termination;
- Security responsibility;
- Use, retention and disclosure limitations.
Overall, healthcare organizations must ensure they remain HIPAA compliant as they implement new technologies, whether it is cloud storage or a file sharing option.