Break out the balloons and the confetti—it’s National Cybersecurity Awareness Month. To celebrate, we’ve asked our experts to tackle one of the most difficult cybersecurity issues: storing healthcare information in the cloud.
The flexibility of cloud computing has opened up lots of possibilities for healthcare providers looking to reduce their administrative burden and save money. Cloud storage makes it easier for patients and providers to quickly and conveniently access records, saving precious time for healthcare staff.
However, that ease comes at a price. While the cloud makes life more convenient, it also puts providers at risk. Healthcare organizations that experience data breaches and other security events may face serious ramifications if records are exposed or stolen, which has many providers asking questions like: Is the cloud really worth the risk? Can patient data ever really be safely stored there?
The short answer is yes. In fact, the U.K.’s National Health Service (NHS) actually endorses the cloud as a primary storage option for healthcare organizations. The U.S. Health and Human Services Department, meanwhile, has created detailed guidelines around storing patient health information in the cloud, and was reportedly very impressed with Microsoft’s cloud solutions for government.
Still, storage services must be configured properly in order to reap the benefits—and that’s where this series comes in. Read on for answers to your burning questions about cloud storage for healthcare organizations.
Why would healthcare organizations want to use the cloud anyway?
Any time you move data to the cloud, you put that information at risk. However, many healthcare administrators forget that there are risks with on-premises systems too, and in some cases, a cloud storage option may be safer than the alternative. For instance, cloud providers typically have backups in multiple locations, which means less risk of data loss.
In addition, data in the cloud is usually encrypted, though you’ll need to confirm this before you commit to a provider. Cloud storage services also update operating systems and server software regularly, installing patches to fix vulnerabilities that threaten data. What’s more, data centers have strict physical access controls and regulations to prevent data theft. So, in some ways, cloud storage is safer than an on-premises solution.
What are the data requirements for storing healthcare information in the cloud?
Healthcare organizations must comply with the regulations set forth in the Health Insurance Portability and Accountability Act (HIPAA). These requirements impact how health data can be stored in the cloud and what you’ll need from your IT services provider to comply.
The full scope of the act is huge, so we recommend you read it yourself to get a full understanding. Here are a few of the most important tips to keep you compliant:
- Know the definition of patient health information (PHI) as it pertains to the cloud. If patient information has been de-identified, HIPAA does not consider it to be PHI. Otherwise, PHI must abide by HIPAA guidelines, regardless of whether it is encrypted or not.
- PHI must be available for patient and provider access at all times, so you’ll need to make sure your cloud provider’s SLA guarantees 100% uptime.
- Your IT services provider should have protections in place to guard against data theft and prevent data access in the event of a ransomware attack or other security event. These may include backups, encryption, anti-malware tools and more.
- There should be redundancy in your data center instances to guard against data loss in the event of a natural disaster or other emergency.
What is the biggest threat to healthcare data stored in the cloud?
One of the biggest cybersecurity issues threatening healthcare organizations is the rise of ransomware. In a ransomware attack, a hacker gains access to data and holds it hostage, threatening to delete records unless the target pays up.
The issue is so prevalent that in 2017, almost half of all ransomware attacks targeted healthcare providers—but luckily, you aren’t helpless in the face of ransomware attacks. Your IT services provider can help you encrypt data and set up threat detection services that will allow you to respond to ransomware attacks, as well as configure automated backups for cloud instances so you can stand up to attackers with confidence.
What else do providers need to know?
As if HIPAA weren’t labyrinthine enough as it is, many states have their own rules around healthcare data. For instance, states may maintain different retention requirements for how long data must be stored, and some even require you to store data throughout the entirety of a patient’s lifetime. That can affect the size of your data records and, in turn, the size of your cloud instances.
There may be other rules you need to follow as well, depending on your organization’s role, the types of services you provide and the data you store. Your best bet is to read the full HIPAA guidelines and then reach out to an IT services provider with healthcare experience to help you stay compliant.
To make National Cybersecurity Awareness Month count, download our free Ultimate Cybersecurity Bundle today. In it, you’ll get a full picture of the threats you’re up against—and what you can do to face them down with aplomb. Now there’s a reason to celebrate!