HIPAA compliance, patient data security top provider concerns
Chief information officers around the globe are adopting cloud data storage for their enterprises, using it primarily for off-site storage, archiving, information sharing and cost reduction. With that adoption comes concern about the security of the data placed there.
Healthcare cloud storage requires additional layers of data security and compliance, which makes some CIOs reluctant to hand patient data to a third party. HIPAA, the Payment Card Industry Data Security Standard (PCI DSS, an industry standard rather than a regulation, but contractually binding wherever card data is handled) and other rules govern security and privacy, and a healthcare provider that uses a cloud service remains responsible for meeting them.
Cloud storage continues to offer health organizations scalability, flexibility and data sharing capabilities, and demand for it keeps growing. More vendors are entering the market, and competition is driving down storage costs. It is critical, however, to obtain adequate information about how a vendor handles health information and what safeguards are in place to protect it.
In general, evaluate cloud storage vendors on the following criteria:
Encryption questions and concerns: When data sits on shared storage or with a public cloud provider, encryption adds a layer of protection and supports compliance. Not all providers offer end-to-end encryption, in which data is encrypted before it leaves the customer's environment and the provider never holds the key, so ask specifically what is encrypted (in transit, at rest, or both), which algorithms are used and who controls the keys. This is an important line item when evaluating cloud storage providers that serve healthcare customers.
Back up your cloud: It may seem redundant to ask a vendor to back up data that already sits in its cloud, but overlooking this is dangerous. Discuss retention policies and backup methods up front with prospective providers, and ask how restores are tested. There have been incidents in which data was lost by top vendors, including Amazon and T-Mobile. Where a provider cannot demonstrate adequate, secured backups, healthcare clients should consider a secondary cloud provider or keep a copy on their own on-premises storage for added protection.
Data access monitoring: Cloud providers protect client data with firewalls, intrusion detection systems and access logging that can help detect and block unauthorized access to sensitive data. Ask for documentation of the safeguards a provider has implemented, including whether access to your data is logged and whether those logs are available to you, and research any reported intrusions; together these help distinguish the more secure providers from the rest.
Contract evaluations: HIPAA business associate agreements (BAAs) and service-level agreements are a first step toward confirming that a healthcare cloud provider takes data security seriously, but read the fine print and look for nuances in the language. Close reading can surface concerns about how a vendor handles data. It can also reveal sticky matters around a vendor's policy or attitude toward data ownership and data access, which become crucial for protecting the organization if the provider goes out of business, or if the organization falls behind on fees and the provider locks it out of its own data, a HIPAA nightmare.
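As an added example that is not part of the original article, the following Go program shows what "end-to-end" encryption in the encryption item above means in practice, and why it also bears on the data ownership and access concerns in the contract item: each record is sealed with a key the customer holds before it is handed to the provider, so the provider stores only ciphertext and cannot read it, move it to another object name, or alter it without the customer noticing on download. The Provider type, the object name and the patient record are constructed stand-ins for this example, not any real vendor's API or real data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Provider is a hypothetical stand-in for a cloud object store (not a real
// vendor API). It only ever sees what Upload hands it.
type Provider struct {
	objects map[string][]byte
}

func NewProvider() *Provider { return &Provider{objects: map[string][]byte{}} }

func (p *Provider) Put(name string, blob []byte) { p.objects[name] = blob }

func (p *Provider) Get(name string) ([]byte, bool) {
	blob, ok := p.objects[name]
	return blob, ok
}

// newGCM wraps a customer-held AES key in GCM, which provides confidentiality
// and integrity in one primitive.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one record before it leaves the customer's environment.
// The object name is bound as associated data, so a blob copied to a
// different object name will not decrypt.
func Seal(key []byte, name string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Stored layout: nonce || ciphertext || GCM tag. Never reuse a nonce under the same key.
	return gcm.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// Open reverses Seal and fails if the blob was altered, truncated, stored
// under a different name, or encrypted with a different key.
func Open(key []byte, name string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to be a sealed object")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(name))
}

// Upload seals locally and stores only ciphertext with the provider.
func Upload(p *Provider, key []byte, name string, plaintext []byte) error {
	blob, err := Seal(key, name, plaintext)
	if err != nil {
		return err
	}
	p.Put(name, blob)
	return nil
}

// Download fetches the blob and opens it with the customer's key.
func Download(p *Provider, key []byte, name string) ([]byte, error) {
	blob, ok := p.Get(name)
	if !ok {
		return nil, fmt.Errorf("object %q not found", name)
	}
	return Open(key, name, blob)
}

// ProviderCanRead reports whether the stored bytes expose the plaintext,
// i.e. what the provider, or anyone who breaches it, could learn by looking.
func ProviderCanRead(p *Provider, name string, plaintext []byte) bool {
	blob, ok := p.Get(name)
	return ok && bytes.Contains(blob, plaintext)
}

func main() {
	key := make([]byte, 32) // in practice from a KMS/HSM the customer controls, never issued by the provider
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	p := NewProvider()
	name := "patients/00017.json"
	record := []byte(`{"mrn":"00017","dx":"I10"}`) // constructed sample record
	if err := Upload(p, key, name, record); err != nil {
		panic(err)
	}
	fmt.Println("provider can read plaintext:", ProviderCanRead(p, name, record))
	got, err := Download(p, key, name)
	fmt.Printf("round trip ok: %v (err=%v)\n", bytes.Equal(got, record), err)
	blob, _ := p.Get(name)
	blob[len(blob)-1] ^= 0x01 // simulate corruption or tampering at the provider
	_, err = Download(p, key, name)
	fmt.Println("tampered blob rejected:", err != nil)
}
```

The design choice that matters for the evaluation criteria is where the key lives: with client-side sealing the provider's encryption "at rest" is an extra layer rather than the only one, a lost or seized copy of the bucket is useless without the customer's key, and a provider that locks the customer out still cannot read what it holds. The trade-off is that the customer now owns key management and backup of the keys; losing the key loses the data, which is a point to raise alongside the backup discussion above.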
These tips are a starting point. Some healthcare cloud implementations will require tighter security, and clinical data stored in the public cloud needs additional steps to ensure protection and regulatory compliance. As a general practice, though, any cloud storage deployment for a healthcare entity should be gated by strict security checkpoints that begin with these principles.
Reda Chouffani is vice president of development at Biz Technology Solutions Inc., which provides software design, development and deployment services for the healthcare industry. Let us know what you think about the story; email firstname.lastname@example.org or contact @SearchHealthIT on Twitter.