As information becomes digital organizations are implementing new ways of accessing it. A 2014 industry survey by HIMMS found that over 80% of healthcare organizations use some form of cloud services today. Being able to quickly share and access data on a patient can mean life or death; at the same time that sensitive data is also of great value to those looking to use it for lucrative or ill-intentioned reasons.
With high profile breaches such as Anthem and Premera, healthcare CIOs are nervous about cloud hosting and their ecosystem’s data security at large. Not to mention the concern with cloud hosting providers when it comes to meeting HIPAA compliance requirements. Some practical information security steps can help overcome the obstacles to implementing cloud within the organization and allow facilities to take advantage of the benefits this type of hosting service provides for overall enterprise operations.
- HIPAA compliant cloud host providers
Make sure your cloud host provider is implementing the required physical, administrative, and infrastructure controls needed to meet HIPAA compliance. You want to do this before you decide who your cloud provider will be. To ensure compliance you need to conduct an independent assessment. Asking your provider can work, but the only way you’re going to know for sure and avoid any surprises is to assess the situation.
- Assessments of your cloud provider’s security posture
In addition to assessments for compliance purposes, you should also have this planned on a regular basis to ensure your cloud provider is always overseeing their security posture to eliminate vulnerabilities that arise in time due to changes in the network, technology tools used, and hacker penetration techniques.
- HIPAA training and orientation for cloud providers and within your organization
Associates of healthcare facilities are also required to undergo HIPAA training and orientation before being able to work on PHI data. Set up such programs to take place on a regular basis. Ensure associates and your entire organization goes through training. Complying is not the only reason that should push a CIO to do this; the reality is if your organization doesn’t receive training you are leaving a lot of room for internal mistakes and insider threats.
- Continuous monitoring
Organization CIOs are finding that the number of unauthorized cloud apps being used in the enterprise is 15 to 20 times higher than predicted. The implications of this reality are that unidentified vulnerabilities could be lurking in your organization’s network that you don’t even know about and that won’t be uncovered until a breach occurs. Continuous monitoring is a must to diminish these types of risks, as is working with an external security consultant that can bring in their unbiased perspective and risk management expertise.
In addition to the above measures, encrypting data and using data security technology; healthcare CIOs need to consider allocating a part of their IT budget to perform independent risk management assessments of their overall facility’s information security posture, at least from time to time. The same way your cloud provider could miss something when it comes to the status of their system and security vulnerabilities, so could you. Don’t wait for breach to find out.
With a holistic security posture healthcare CIOs and organizations can move forward with cloud adoption, absent of the concerns that are keeping them from adoption at the moment. Being proactive about your risks and investing in security is the only way you are going to maximize the use of the tools available to you in this digital era.
What are some of the challenges you face with cloud information security?
Photo courtesy of Maksim Kabakou