Potential file sharing and healthcare cloud security risks must be addressed in covered entities’ and business associates’ risk analyses, according to the latest OCR cybersecurity newsletter.
These collaboration tools can greatly benefit organizations, but the possible privacy and security risks cannot be ignored. Risk management policies and business associate agreements (BAAs) should also review any file sharing or cloud computing options to ensure PHI security, OCR maintained.
“Misconfigurations of file sharing and collaboration tools, as well as cloud computing services, are common issues that can result in the disclosure of sensitive data, including ePHI,” the newsletter stated. “Too often, access, authentication, encryption and other security controls are either disabled or left with default settings, which can lead to unauthorized access to or disclosure of that data.”
Any errors or misconfigurations should be included in the risk analysis or risk management approach, and should also be part of the entity’s “evaluation process in response to environmental or operational changes within the organization.”
A vulnerability scan can also help pinpoint technical issues, such as missing patches or obsolete software, that belong in the same risk analysis.
These considerations should be made before a covered entity or business associate implements file sharing software or cloud computing technology that creates, receives, maintains, or transmits ePHI, OCR stressed.
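The newsletter's list of "disabled or left with default settings" controls can be turned into a repeatable check that runs before a file sharing or cloud storage service goes live and feeds its results into the risk analysis. The following is an added example written for this page, not code from OCR or from any vendor; the configuration fields and the three sample records are constructed for illustration and would need to be mapped onto a real product's settings export.

```python
"""Audit file sharing / cloud storage configurations for the misconfiguration
classes named in the OCR newsletter: access, authentication and encryption
controls that are disabled or left at defaults.

The configuration schema below (field names such as "public_access",
"mfa_required", "tls_only") is an assumption made for this example, as are the
sample records in SAMPLE_CONFIGS. Map them onto your vendor's real settings.
"""

from dataclasses import dataclass
from typing import Any, Callable, Dict, List


@dataclass(frozen=True)
class Finding:
    resource: str   # name of the share, bucket or site
    control: str    # control family: access | authentication | encryption | defaults
    issue: str      # human-readable description for the risk register


# Each rule: (control family, description, predicate over one config record).
# Predicates return True when the control is disabled or at an unsafe default.
# Missing keys are treated as "not configured" (fail closed), so an incomplete
# settings export produces findings rather than silent passes.
RULES: List[tuple] = [
    ("access", "anonymous or public read access is enabled",
     lambda c: c.get("public_access", False)),
    ("access", "sharing links never expire",
     lambda c: c.get("link_sharing", False) and c.get("link_expiry_days") in (None, 0)),
    ("authentication", "multi-factor authentication is not enforced",
     lambda c: not c.get("mfa_required", False)),
    ("encryption", "encryption at rest is disabled",
     lambda c: not c.get("encryption_at_rest", False)),
    ("encryption", "plaintext (non-TLS) transport is allowed",
     lambda c: not c.get("tls_only", False)),
    ("defaults", "default administrator credential has not been changed",
     lambda c: not c.get("default_admin_password_changed", False)),
    ("defaults", "audit logging is disabled",
     lambda c: not c.get("audit_logging", False)),
]


def audit(configs: List[Dict[str, Any]]) -> List[Finding]:
    """Return one Finding per failed rule for every resource that holds ePHI.

    Resources without ePHI are skipped: they are out of scope for the HIPAA
    risk analysis even if they are misconfigured.
    """
    findings: List[Finding] = []
    for cfg in configs:
        if not cfg.get("contains_ephi", False):
            continue
        for control, issue, predicate in RULES:
            if predicate(cfg):
                findings.append(Finding(cfg["name"], control, issue))
    return findings


def risk_register(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group findings by resource into the control families that failed,
    which is the shape a risk analysis entry needs (resource -> weak controls)."""
    register: Dict[str, set] = {}
    for f in findings:
        register.setdefault(f.resource, set()).add(f.control)
    return {name: sorted(controls) for name, controls in register.items()}


# Constructed sample records (not real systems): one exposed ePHI share, one
# correctly configured one, and one public share that holds no ePHI.
SAMPLE_CONFIGS: List[Dict[str, Any]] = [
    {"name": "radiology-image-share", "contains_ephi": True,
     "public_access": True, "link_sharing": True, "link_expiry_days": None,
     "mfa_required": False, "encryption_at_rest": True, "tls_only": True,
     "default_admin_password_changed": False, "audit_logging": False},
    {"name": "patient-portal-docs", "contains_ephi": True,
     "public_access": False, "link_sharing": True, "link_expiry_days": 7,
     "mfa_required": True, "encryption_at_rest": True, "tls_only": True,
     "default_admin_password_changed": True, "audit_logging": True},
    {"name": "marketing-assets", "contains_ephi": False,
     "public_access": True, "link_sharing": True, "link_expiry_days": None,
     "mfa_required": False, "encryption_at_rest": False, "tls_only": False,
     "default_admin_password_changed": False, "audit_logging": False},
]


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIGS):
        print(f"{f.resource}: [{f.control}] {f.issue}")
    print(risk_register(audit(SAMPLE_CONFIGS)))
```

The fail-closed handling of missing keys is deliberate: a settings export that omits, say, the MFA field should surface as a finding to investigate, not pass quietly. Running the audit again after the vendor or an administrator changes settings is the "evaluation process in response to environmental or operational changes" that the newsletter asks for.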
For healthcare cloud computing, the agency reminded organizations that it released updated guidance in 2016 on how to properly implement the technology.
Cloud service providers (CSPs) were a main focus of the guidance, which states that a CSP that creates, receives, maintains, or transmits ePHI on behalf of a covered entity (or another business associate) is itself a business associate under the HIPAA Rules.
Under a business associate agreement, each party is “contractually liable for meeting the terms of the BAA and directly liable for compliance with the applicable requirements of the HIPAA Rules.”
“Among other things, the BAA establishes the permitted and required uses and disclosures of ePHI by the business associate performing activities or services for the covered entity or business associate, based on the relationship between the parties and the activities or services being performed by the business associate,” OCR wrote in its guidance. “The BAA also contractually requires the business associate to appropriately safeguard the ePHI, including implementing the requirements of the Security Rule.”
Along with a BAA, OCR noted that a Service Level Agreement (SLA) can be used to address business expectations between a CSP and its customer. SLAs can address the following areas:
- System availability and reliability
- Back-up and data recovery
- Manner in which data will be returned to the customer after service termination
- Security responsibility
- Use, retention and disclosure limitations
A CSP that stores only encrypted ePHI and does not hold the decryption key is still a business associate, the OCR guidance states; whether the CSP can actually view the ePHI it maintains does not change its status under HIPAA.
In its newsletter, OCR also noted that it does not “endorse, certify, or recommend specific technology or products.” Covered entities and business associates should ensure that they are HIPAA compliant when implementing new products or technologies.
A recent survey indicated that file sharing is an increasingly common issue within healthcare organizations.
Forty-nine percent of 1,400 respondents stated that they had at least one confirmed file sharing data breach in the last two years, according to Ponemon Institute and Metalogix.
Fifty-eight percent also said that their entity does not adequately ensure that SharePoint users appropriately interact with confidential or sensitive data. Seventy-nine percent of those surveyed added that they did not think existing tools are "very effective" at protecting sensitive content from accidental exposure or a targeted breach.
"SharePoint houses a vast amount of sensitive data, but organizations are not taking sufficient steps to keep it safe," Ponemon Institute Chairman and Founder Dr. Larry Ponemon said in a statement. "The pressure to be productive is causing employees to put sensitive data at risk. Security and SharePoint professionals must understand where this content resides and how it is accessed and shared."
The survey also revealed that data loss prevention (DLP) and automation are top priorities for organizations to properly address security challenges with file sharing options.