The standard “we encrypt all of our data” line simply won’t cut it anymore in a healthcare industry that’s riddled with data breaches and massive fines, as evidenced by today’s Office for Civil Rights (OCR) announcement that it had agreed with Prime Healthcare on a $275,000 data breach resolution. Now that healthcare organizations are becoming more aware of security consequences, they need specific answers to questions in areas such as how a vendor encrypts their cloud data for them and how those solutions can scale later on.
Many healthcare vendors are starting to see the business potential in hosting cloud data for customers and not having to deal with on-site deployments. Tonic Health’s tablet-based intake application is meant to expedite data collection for patients and providers and funnel that data through the cloud and into an organization’s EHR system. For Tonic to have a competitive cloud offering, it understood early on that it had to encrypt patient data to remain HIPAA compliant and give customers peace of mind.
“Every time we get a new customer, such as New York Presbyterian or Kaiser Permanente, they do an extensive security review and ask for encryption before even thinking about storing data [with us] temporarily before synchronizing with their EMR and it needs to be encrypted at rest,” Boris Glants, Tonic Health Chief Technology Officer, said.
In seeking a HIPAA-compliant product that could encrypt data at rest in the cloud while managing and storing the encryption keys separately from sensitive data, Tonic chose Gazzang zNcrypt about a year ago. As stated above, healthcare customers doing security reviews are savvier than they used to be and now ask how the algorithm works and how the keys are managed. “We needed real answers for those, not just ‘we encrypt data’, because it needs to be encrypted the right way,” Glants said. “Gazzang [was a good fit] because it had the best architecture and provided key management with low impact on our MySQL database.”
Tonic uses Gazzang zNcrypt to secure thousands of its sensitive medical records stored in MySQL, integrated with its LAMP stack architecture, and it manages the encryption keys. It also encrypts data in motion with SSL and places firewalls around all external communication.
Impact on big data security in the cloud
Beyond its usefulness at the moment to healthcare vendors that need to encrypt patient data in the cloud, what makes Gazzang interesting is that it’s an Amazon technology partner and has the potential to be a resource for big data security in the future. Considering its access to Amazon Web Services (AWS) and experience with Amazon, Gazzang will be worth watching.
Many EHR systems are locked down with encryption and some type of key management solution these days, so that’s not what Gazzang focuses on. It wants to look at organizations that are taking big data sets from their EHR data and trying to get answers and analytics out of them. Many big data solutions don’t have built-in compliance support, according to Sam Heywood of Gazzang, and that’s where it can come in, encrypting those large data sets at rest and handling the key management for them. For example, right now, health insurers are sitting on huge quantities of data and looking for trends and analysis, and Gazzang encrypts data for many of those payers.
For example, a healthcare payer that provides an employee portal into its healthcare services will hold sensitive data related to the employees’ use of those services (such as claims data) that has to be protected. “They need to take a large data set, run the analysis, and study it for a few months instead of continually getting petabytes of data each week,” Heywood said. “It makes the most sense to put that data in the classic big data solutions and that’s where Gazzang can come and plug in with the CloudEncrypt offering. The data is encrypted at every step along the way and we’re managing all the keys for them.”
Once healthcare organizations start to concentrate more on big data, products such as Gazzang’s will be worth looking at because the “how” when it comes to data encryption will continue to be a top priority.