Cloud Security Alliance Releases Telehealth Risk Management Paper

June 17, 2021 - A recent paper from the Cloud Security Alliance (CSA) provides guidance on HIPAA compliance, cybersecurity, and telehealth risk management. The paper offers best practices for data use, storage, and sharing in order to help healthcare delivery organizations (HDOs) maintain secure telehealth practices.

CSA recommends that HDOs establish a governance program for telehealth management in order to manage stakeholder expectations, ensure compliance, and improve quality of care. The paper points out that the pandemic changed the nature of telehealth governance, requiring organizations to evolve governance practices.

“During the COVID-19 pandemic, the rules governing telehealth changed dramatically, prompting health delivery organizations to quickly update and revise their governance and risk programs,” Jim Angle, the paper’s lead author and co-chair of the Health Information Management Working Group, said in a press release.

“Now, with the rapidly changing demands and regulatory requirements for telehealth, it’s essential that HDOs have effective governance and risk programs to ensure a smooth and seamless transition while improving their current risk postures.”

CSA’s Information Governance Framework consists of strategies, policies, procedures, standards, and guidelines that are meant to give HDOs a template for creating their own framework. The framework covers everything from encryption and data retention to establishing clear desk guidelines and enforcing rules surrounding the use of personal devices to ensure security.

Data lifecycle management is critical, the paper says, due to the fact that the value of data can decline over time while costs and security risks remain. CSA explains the lifecycle of data with simple cloud computing terminology: create, store, use, share, archive, and destroy.

For each term, the paper outlines questions and organization should ask itself to ensure proper governance. From creation to disposal, it is crucial that data is handled in a safe way so that it doesn’t end up in the wrong hands, putting patients and healthcare organizations at risk.

Next, the paper establishes the nuanced differences between cloud security and cloud privacy. While they are interconnected, an awareness of the differences between security and privacy enables HDOs to develop stronger risk management programs.

“Privacy is about selecting how various rights should be implemented; security is about implementing those choices. Separating privacy from security has significant practical consequences,” the paper stated.

“Privacy establishes a framework for deciding who should legitimately have the capability to access and alter information. In healthcare, the invasion of patient privacy is a growing concern due to the emergence of advanced persistent threats and targeted attacks against information systems.”

In accordance with HIPAA regulations, the paper recommends enforcing strict privacy guidelines. HIPAA privacy matters should include three critical roles, the paper states: the recipient, the controller, and the processor.

The recipient receives personal data, the controller determines the means of processing and purpose of sharing personal data, and the processor works with the controller to complete the action of processing the data.

“Maintaining the sanctity and integrity of healthcare data is of paramount importance not just from a regulatory perspective but also from the viewpoint of patient safety,” John Yeoh, global vice president of research at the Cloud Security Alliance, said publicly.

“As data collection continues to increase in speed and scale, the analytic techniques used to process these data sets become more sophisticated, and the use of data becomes more varied. Big data analytics will continue to expand the use of health data used in telehealth, and while this presents a huge opportunity for health research, proper care must be taken to prevent its loss or misuse.”

With COVID-19 increasing the popularity of telehealth, organizations have an increasing responsibility to ensure that personal data stays personal. The Healthcare and Public Health Sector Coordinating Council (HSCC) released guidance in April to support telehealth vendors and providers in mitigating cybersecurity risks. In addition, industry leaders have been speaking out about the importance of data management and the potential cybersecurity concerns of telehealth in light of COVID-19.