Achieve HIPAA compliance while keeping data secure



How to meet HIPAA compliance requirements with personal cloud storage

Cloud storage options are popular among end users, but data protection concerns may hinder their acceptance in healthcare. Follow these best practices to secure data in the cloud.

The adoption of cloud storage among end users has surged in recent years. With the many options available in the marketplace, the task of managing and ensuring compliance with HIPAA has forced many IT departments to take a strong stand against -- and in some cases, completely block -- personal cloud storage options. So what can IT do to take advantage of personal cloud storage while still meeting true HIPAA compliance requirements?

The constant threat of data leaving the safety of the hospital network has made it very difficult for cloud storage providers to gain wider acceptance in healthcare. Health IT is concerned not only about the compliance of where the data resides, but also that end users' access to the data through cloud providers outside the hospital may accidentally cause a breach.

Despite the uncertainties around cloud storage options, the online service holds some advantages that can prove useful to end users and deliver cost savings to hospitals and large healthcare organizations. Users constantly store much of their data on local machines, and given the risks associated with data loss, most IT departments recommend that users keep general work-related digital content on network storage. This practice typically drives up the demand for storage within the organization. With benefits such as versioning, remote access and cost savings, a cloud-based storage option compares favorably with hosted storage.

When users decide on their own that cloud storage is beneficial and adopt third-party personal cloud providers such as OneDrive, Dropbox, Box and Google Drive, there is an inherent increase in data breach risk. Without appropriate data governance and safeguards, scenarios where users select a technology service independently can have serious ramifications. If IT does not ensure that the appropriate best practices are applied, data stored in the cloud may find its way into the wrong hands and cause serious violations of HIPAA compliance requirements and rules.

Hospital IT departments have a number of common best practices and features they look for when it comes to personal cloud storage.

Implementation of a storage authentication model

If external access is needed, it is important to ensure that the users who will have access to potentially sensitive data are who they say they are. Physicians and nurses may use their home PCs for access, and their passwords may be compromised or known to others. With multifactor authentication (MFA) in place, hospital IT can be confident that only authorized users have access to the files stored in the cloud.

Data leak prevention


Giving staff members access to folders to store their data is one thing, but being able to control what they store is a whole new ballgame. Historically, IT had to settle for training end users on what not to store on their cloud drive and hoping for the best, with no real mechanism to monitor and enforce compliance. With some of today's cloud capabilities, IT can roll out specific storage policies to end users' storage in order to monitor and prevent accidental uploads of sensitive data. IT can also be notified when users upload data that may contain medical records, patients' personally identifiable information or any other data that may be considered highly sensitive.

Cloud storage management tools

While end users are usually able to manage their own folder structure and what goes into their personal drives, IT can still manage the storage and backup of these files centrally. Since different cloud storage vendors have different retention policies, IT rolling out its preferred cloud storage option means it can better manage that storage and ensure all the appropriate backup and compliance options are rolled out properly. Choosing a cloud provider that offers enterprise management features therefore becomes key.

Controls of folders available online and offline

Personal cloud storage provides the convenience of access to files anywhere and at any time. For that very reason, many professionals have adopted these tools to gain flexibility when working from different locations. But with that comes the challenge of ensuring that files are not synchronized to places where they should not be. As a result, IT generally recommends and adopts only the platforms that allow control over what can and cannot be made available offline.

Enterprise compliance features

One of the last and most critical components that IT looks for when selecting enterprise-grade online storage is monitoring and auditing capability. Components such as e-discovery, in-place hold, data access reports and activity logs all help ensure that the platform meets the compliance requirements that hospitals must follow. Consider the case where attackers abroad attempt to download sensitive information: if IT is alerted that a local physician's account is attempting to download large amounts of data to a computer in a foreign country, IT can verify the activity, challenge the access via MFA or simply block it until it is confirmed that the user needs access from that country.
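The two monitoring controls described above (the upload policy that flags medical record and PII content under "Data leak prevention", and the alert on bulk downloads from a foreign country here) can be sketched as detection logic run over cloud activity logs. The following is an added illustration, not code from any cloud provider or from this article; the log format, the PHI patterns, the home country and the 500 MiB threshold are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample activity-log lines (not real product output):
# user|action|country|bytes|filename[|uploaded text]
SAMPLE_LOG = [
    "alice|download|US|1048576|labs.pdf",
    "alice|download|BR|314572800|chart-export.zip",   # 300 MiB from abroad
    "alice|download|BR|419430400|imaging.zip",        # cumulative 700 MiB
    "bob|upload|US|2048|note.txt|Patient MRN 12345678 seen today",
    "bob|upload|US|1024|todo.txt|buy coffee",
]

HOME_COUNTRY = "US"                         # assumed home location of the hospital
BULK_DOWNLOAD_BYTES = 500 * 1024 * 1024     # assumed policy threshold per user and country

# Hypothetical PHI indicators a DLP policy might look for in uploaded content
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN\s*\d{6,10}\b", re.IGNORECASE),
}


def scan_upload(text):
    """Return the names of PHI patterns found in uploaded content (sorted)."""
    return sorted(name for name, rx in PHI_PATTERNS.items() if rx.search(text))


def evaluate(log_lines):
    """Apply both policies; return (user, finding, action) tuples in log order."""
    findings = []
    downloaded = defaultdict(int)   # (user, country) -> cumulative bytes
    alerted = set()                 # avoid re-alerting on the same (user, country)
    for line in log_lines:
        fields = line.split("|")
        user, action, country, size = fields[0], fields[1], fields[2], int(fields[3])
        if action == "upload":
            hits = scan_upload(fields[5] if len(fields) > 5 else "")
            if hits:
                findings.append((user, "upload contains " + ",".join(hits), "block-and-notify"))
        elif action == "download":
            key = (user, country)
            downloaded[key] += size
            if country != HOME_COUNTRY and downloaded[key] > BULK_DOWNLOAD_BYTES and key not in alerted:
                alerted.add(key)
                findings.append((user, "bulk download from " + country, "challenge-mfa"))
    return findings


if __name__ == "__main__":
    for user, finding, action in evaluate(SAMPLE_LOG):
        print(user, finding, action)
```

The download rule aggregates bytes per user and country, so the alert fires on the second Brazilian download even though neither transfer alone exceeds the threshold.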

Security and privacy for personal cloud storage in healthcare are important topics. While the capabilities of the many products on the market may seem equal, only a few options can truly live up to the standards that will meet HIPAA compliance requirements. End users must work with IT, and IT must recognize and understand the convenience of these options in order to help meet the business requirements. Having the proper cloud option to store end-user data and make it accessible from anywhere, at any time and safely is essential.
