It is widely agreed upon that cloud-based electronic health record (EHR) technology brings many benefits to healthcare firms, such as improved mobility, immediate access to information and streamlined record keeping. However, these technological benefits can also create significant risks, including exposing some of the most sensitive patient health information if not properly managed.
As the healthcare industry continues to fall victim to cyberattacks, affecting everyone from physicians to insurers, both the U.S. government and the private sector are beginning to increase pressure on healthcare organizations to strengthen their information security programs. For example, recently, the Department of Health and Human Services updated its HITECH rules,1 which require healthcare organizations seeking federal subsidies for implementing EHR systems to prove that they are addressing the risks inherent to those systems with stronger data protection measures.
Transitioning to a cloud-based EHR system or other technology is a difficult task, particularly for healthcare organizations that manage sensitive data for millions of patients. Therefore, it’s imperative that these companies maintain security while adopting cloud technologies, an act that requires meticulous planning and security efforts from the C-suite down.
The following seven steps can help healthcare organizations to reap the benefits of new technology while protecting their most sensitive data and complying with regulatory requirements:
1. Assess Current Information Policies
Confirm that any current information governance rules can be applied to cloud data. In some situations, applying stricter controls on data in or intended for cloud storage may be preferable.
2. Evaluate Current Usage of Cloud Storage
Examine the protection requirements and status of any data currently stored in the cloud. Look into personal cloud use by medical professionals or other employees. Some patient data may already be creating data loss risks through inappropriate storage in the cloud. An appropriately managed cloud capability will rid individuals of the perceived need for any such practices.
3. Establish Credible Expectations
Without an explicit and thorough policy in place, medical professionals are likely to use vulnerable cloud services to store patient data to make it more easily accessible via mobile devices or when working remotely. A Data Loss Prevention (DLP) solution has the ability to facilitate the application of uniform policy across the enterprise, including the cloud, and focuses on protecting the data, rather than the network. DLP solutions provide a means for educating end users and can prevent unauthorized actions when dictated by policy.
4. Set Objectives Suitable for the Organization
Once existing policies and procedures around the protocol for sensitive information have been evaluated, establish an agreement on what information should be placed in the cloud. Additionally, take note of the purpose of that placement as well as any information that may require specific protections and control. An example first step would be to identify and encrypt all records identifying patient names with their Social Security or hospital ID numbers.
5. Involve the Stakeholders
Affirm the participation of those responsible for entering or accessing patient information, and ensure they are adhering to HIPAA compliance requirements. All parties should have a firm understanding of the reasons for seeking cloud storage and the requirements for protecting sensitive data that will be placed there. It is critical that managers comprehend both the benefits and issues of cloud storage, as well as the policy enforcement capabilities that DLP provides. Cloud data protection stakeholders to engage may include compliance and privacy personnel, professional medical staff, Human Resources, IT security, executive management and third-party consultants.
6. Assess the Costs Involved
If this is the first time a DLP or other data security solution is being acquired, delay purchasing features you don’t really need. Conducting a five-year total cost of ownership analysis may aid in comparing alternative possibilities, including the costs for: hardware, software, maintenance, training and any necessary professional services. Another key step is to ensure understanding of any software licensing payment terms.
7. Test Any Proposed Solution On-Site
Request a quick demonstration or Proof of Concept to evaluate ease of installation and usage. This would ideally take place in your environment with the organization’s own data both inside and outside of cloud storage. A system that requires separate services only for cloud storage will be simultaneously inefficient and confusing in operation. Opt instead to pursue a DLP solution capable of comprehensive and consistent compliance management across the enterprise, including the cloud.
In today’s technological environment, where almost all information is stored in the cloud, an EHR approach is a logical choice for many healthcare organizations. For this reason, a secure transition to the cloud is essential to meet compliance regulations, maintain a positive reputation and ensure patient confidence and business success, particularly as healthcare becomes more digital than ever.
Salo Fajer is the chief technology officer at Digital Guardian. He is responsible for driving the company’s strategic vision and core innovation efforts while also overseeing product management, product marketing, and product content development.
References:
- Roberts, Paul. “Health and Human Services Raises Bar for Risk Analysis with latest HITECH Rules,” Digital Guardian. Oct. 8, 2015. https://digitalguardian.com/blog/health-and-human-services-raises-bar-risk-analysis-latest-hitech-rules
- Lord, Nate. “What is HIPAA Compliance?,” Digital Guardian. Sept. 28, 2015. https://digitalguardian.com/blog/what-hipaa-compliance
