As health care providers look to move their data storage to the Cloud, the importance of maintaining protection over that data grows. Electronic protected health information (ePHI) is one of the most tightly regulated forms of data in the world, with two major U.S. laws - HIPAA and the HITECH Act - both providing substantial protections, as well as defining substantial penalties for data breaches.
Even a single ePHI breach could be disastrous to a health care provider, so it's vital for businesses to ensure they choose Cloud Service Providers that can cater to their needs. Most of the time "Off-the-shelf" Cloud services don't cut it here. Health care organizations need a higher standard of protection.
Keeping ePHI Safe in the Cloud
It is important to know that there has been no substantial evidence to suggest Cloud storage is unsafe or even less safe than on-site data storage. In fact, the opposite has proven to be true in studies.
According to public breach information provided by the U.S. Department of Health & Human Services, most major ePHI incidents have been caused by things like theft or employee mishandling of data, such as putting private records on personal mobile devices. Verifiable instances of Cloud-based data intrusions are far less common.
The Cloud is safe, as long as certain protections are in place. Ask your Cloud Service Provider:
1. Are They HITECH- and HIPAA-Compliant?
If a health care provider asks this question and the answer is anything but an enthusiastic "Yes!" it's time to look for a different provider. A provider should be happy to show proof of compliance upon request.
2. Strong Walls Between Clients
Most Cloud Service Providers handle data for multiple clients, who will all require strong levels of security. The Cloud provider should have detailed descriptions and documentation of the firewalls, auditing systems, and authentication layers that ensure these data sets remain entirely separate.
There haven’t been any incidents on record of a major health-focused data center granting access to the wrong data set, but inter-client isolation still a vital security measure.
3. End-to-End Encryption
Responsibility in the case of a data breach can be difficult to determine, but it is possible for a health care provider to achieve "Safe Harbor" status while using a Cloud system. That is to say, in the event of a breach, they would be able to reasonably argue they'd done everything possible on their end to stop it.
The biggest key factor here is true end-to-end encryption. ePHI should never, ever be transmitted, or stored in any "plaintext" or otherwise unencrypted form. It’s important to use a Cloud provider that can guarantee end-to-end high-bitrate encryption. Data encryption based on the AES standard, such as AES-256, is considered the minimum for adequate security.
And speaking of guarantees...
4. A Business Associate Agreement
Finally, a health care provider should never enter into a partnership with a Cloud-based data company without a BAA in place. As mandated by the HIPAA laws, a Business Associate Agreement is the formal guarantee of services and protections between a health care provider and a subsidiary working with their protected data.
In many ways, this is the first line of defense should a hospital ever face a data breach problem. The BAA will outline what areas are which company's responsibility and their legal requirements for security and protection.
Cloud Systems Handle Health Care Data Securely
The key takeaway here is simply that health care data storage in the Cloud can be safer and more secure than on-site, but only when proper protections are in place. Be cautious, select providers carefully, document separation of responsibilities, and review agreements thoroughly before signing contracts to ensure data is properly and legally secured.