Is protected health information safe in the cloud?

More healthcare providers are storing PHI in the cloud, and certain actions must be taken to secure it


Many healthcare providers must decide whether to store protected health information (PHI) in the cloud. There are benefits and concerns to storing PHI in the cloud, and the decision to do so should be analyzed.

PHI is any health-related or insurance payment information that is stored or managed by a healthcare provider and that can identify a specific individual. Examples of PHI are patient names, addresses, Social Security numbers, X-ray images, lab results, insurance payment information and medical records. Even information about a patient’s planned future procedures is PHI. Government regulation of PHI is covered in the HIPAA Privacy Rule, and all healthcare providers in the United States must adhere to it or face fines.


PHI data is some of the most valuable data on the black market. Many hackers prefer PHI data over standard credit card data due to the amount that they can earn through health insurance fraud. With many banks having limits on account transfers or alerts for frequent transactions, bank account and credit data has become even less attractive.

Health insurance fraud is more difficult for law enforcement to trace than unauthorized credit card usage. This fraud can enable criminals to obtain access to prescription medications, get medical services or even purchase expensive medical equipment that can be resold at a much higher price on the black market. Healthcare data is also frequently used to file false tax returns. Most times, the cost on the black market for healthcare information is multiple times higher than that of credit card records.

Benefits of storing PHI in the cloud

Storing healthcare data in the cloud gives users the ability to access it across a variety of electronic devices while eliminating the costs and technical challenges associated with maintaining an infrastructure system on site.

Many health providers would prefer to move their infrastructure to the cloud so they can focus on what they do best, which is providing healthcare services. Also, the capital cost of managing a data center can vary each year due to hardware refreshes. But hosting data in the cloud can provide a more static cost each year, which makes the budget for managing it simpler and more predictable.

Cloud services allow data to be stored in multiple locations. This can be beneficial if there is a fire, natural disaster or power outage and can provide reassurance that critical business functions or operations will not be interrupted.

Having the option to store data in multiple locations can also increase the speed at which users can access it. For example, if a health provider has a data center in New York but most of its customers are in California, then this would degrade application performance due to increased latency because of the long distance. If a cloud provider has a data center in California, then the organization can work toward hosting its critical applications within that data center without having to pay the up-front capital costs of building a new data center. Having most of its users closer to the data center can contribute to reduced latency and better application performance for its users.

Another possible benefit of storing data in the cloud is that a healthcare provider would have a business associate agreement (BAA) with the cloud provider, which can include a shared responsibility in cases of a PHI breach. The level of responsibility shared would be written out in the BAA and could reduce the impact of a PHI breach on the cloud customer. Fines and other costs associated with the breach can be shared between the customer and the cloud provider.

Risks of storing PHI in the cloud

The cloud is an off-premises system in which data needs are outsourced to a third-party provider. These providers are trusted to perform updates and maintenance and to manage security. The downside is you are placing responsibility for your data with someone else. The key point to remember is that no business is ever going to be as passionate about looking after your data as you are.

Another risk of storing data in the cloud is insider threats. Security breaches from the inside are on the rise. Once an employee or an attacker posing as an employee gives others access to your cloud environment, everything from customer data to intellectual property is up for grabs. The cloud makes this problem a lot worse, since administrative access can be shared across multiple platforms.

In a cloud environment, you must be concerned with government intrusions or surveillance. If you store data on a shared drive or the same devices as another organization and that organization is under surveillance or requires the drive to be confiscated, it can affect your data that is stored on the same drive or server.

There is also a lack of standardization within the cloud. There is no clear guideline that unifies the various cloud providers, and this becomes more challenging given the various sectors for which these providers offer services. Remember, one cloud provider’s definition of “safe” may not be the same as another provider’s.

Customer service is another risk of moving your data to the cloud. If there is ever a data breach or security update you need immediately applied, you will need to speak to the provider as soon as possible. If the provider’s customer service or technical representatives are unavailable at the time or do not respond in a timely manner, it can affect the availability or security of your data.  

If your systems are not considered mission-critical, you need not worry so much about security and availability. But if you have PHI or other mission-critical systems, be prepared to invest in a cloud provider that can provide a level of service that meets your needs.

The biggest risk for cloud computing is you never know how the provider will perform. Hackers aren’t going away and will keep trying to access your data. As technology advances, so do the risks that come with adopting it.

Securing PHI in the cloud

It is important to verify your cloud provider’s security standards are appropriate. Make sure they have up-to-date procedures on patching and actively upgrade their equipment. Also, review their security policies as they pertain to the cloud environment. Your provider should have an actively managed compliance program that verifies their adherence to the various regulatory requirements and security standards.

Data protected by law, such as PHI or personal identifiers, should never be stored in the cloud unless it is encrypted while in storage. Only certain members of your organization who require access should be able to decrypt the data. Your organization should create policies that detail the circumstances under which this information can be decrypted. All of this should be reviewed and agreed upon in the terms of service within your agreement with the cloud service provider.

Encrypting data in transit

Your data should also be encrypted when being uploaded to or downloaded from the cloud. It is your responsibility to make sure this is always done. Your applications should require an encrypted connection before anything is transferred to them.
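One way an application can enforce that rule on its own side is to refuse any transfer target that is not HTTPS and to pin a minimum TLS version. The following is an added example, not code from the original article; the endpoint `storage.example.org` and the function names are hypothetical.

```python
import http.client
import ssl
from urllib.parse import urlsplit


class InsecureTransportError(ValueError):
    """The target URL cannot guarantee an encrypted, authenticated channel."""


def strict_tls_context():
    # The default context already verifies the server certificate and hostname.
    ctx = ssl.create_default_context()
    # Refuse legacy protocol versions (SSLv3, TLS 1.0, TLS 1.1).
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def require_encrypted_endpoint(url):
    """Return (host, port, path) for an https:// URL, or raise before any I/O."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise InsecureTransportError("refusing non-HTTPS target: %r" % url)
    if not parts.hostname:
        raise InsecureTransportError("no hostname in target: %r" % url)
    return parts.hostname, parts.port or 443, parts.path or "/"


def upload_record(url, body):
    """PUT already-encrypted bytes to the storage endpoint over verified TLS."""
    # The scheme check runs first, so nothing is sent to a plaintext endpoint.
    host, port, path = require_encrypted_endpoint(url)
    conn = http.client.HTTPSConnection(
        host, port, context=strict_tls_context(), timeout=30)
    try:
        conn.request("PUT", path, body=body,
                     headers={"Content-Type": "application/octet-stream"})
        return conn.getresponse().status
    finally:
        conn.close()
```

Calling `upload_record("http://storage.example.org/phi/1001.enc", data)` raises `InsecureTransportError` before any socket is opened.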

Many cloud providers allow you to share access to your online folders. Be familiar with the details on how the sharing works. You need to be aware of who can view these folders and how this is monitored. You will need to know who is the last person to modify a file and at what time. Monitoring this activity is critical when storing PHI in the cloud.
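The monitoring questions above (who last modified a file and when, and who is touching the folder at all) can be answered from the provider's audit events. This is an added example, not part of the original article; the event fields, user names and paths are constructed sample data, not any real provider's log format.

```python
from datetime import datetime

# Constructed sample audit events for a shared PHI folder.
EVENTS = [
    {"time": "2017-03-01T09:15:00+00:00", "user": "dr.lee",
     "action": "modify", "path": "/phi/labs/1001.pdf"},
    {"time": "2017-03-01T11:40:00+00:00", "user": "nurse.kim",
     "action": "view", "path": "/phi/labs/1001.pdf"},
    {"time": "2017-03-02T08:05:00+00:00", "user": "nurse.kim",
     "action": "modify", "path": "/phi/labs/1001.pdf"},
    {"time": "2017-03-02T22:30:00+00:00", "user": "contractor7",
     "action": "view", "path": "/phi/xray/2002.dcm"},
    {"time": "2017-03-02T07:00:00+00:00", "user": "dr.lee",
     "action": "modify", "path": "/phi/xray/2002.dcm"},
]

# Assumed allow-list of staff who are permitted to access the folder.
AUTHORIZED = {"dr.lee", "nurse.kim"}


def last_modifier(events):
    """Map each path to (user, time) of its most recent 'modify' event."""
    latest = {}
    for ev in events:
        if ev["action"] != "modify":
            continue
        when = datetime.fromisoformat(ev["time"])
        # Events may arrive out of order, so compare timestamps explicitly.
        if ev["path"] not in latest or when > latest[ev["path"]][1]:
            latest[ev["path"]] = (ev["user"], when)
    return latest


def unauthorized_access(events, authorized):
    """Return every event performed by a user outside the allow-list."""
    return [ev for ev in events if ev["user"] not in authorized]


if __name__ == "__main__":
    for path, (user, when) in sorted(last_modifier(EVENTS).items()):
        print("%s last modified by %s at %s" % (path, user, when.isoformat()))
    for ev in unauthorized_access(EVENTS, AUTHORIZED):
        print("ALERT: %(user)s %(action)s %(path)s at %(time)s" % ev)
```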

You must know where all PHI data is stored. Your provider should be able to give you the exact locations of your data. Also, you should consider not having your data stored on shared storage resources with another cloud customer. If it is shared, there is a possibility of confiscation by law enforcement. Verify that your cloud provider supports an appropriate data loss prevention solution that will allow uniform application of information policies across its environment.

An important point to remember about information security is that it has always been about finding a balance between ease of access and the sharing of data versus locking down a system. The more you have of one, the less you have of the other. The key to securing PHI is to always find the right balance that is the most beneficial to your organization and customers’ needs.

The decision to use the cloud to store PHI should not be made until substantial due diligence has been performed on the cloud service provider. It is best to migrate non-mission-critical applications into the cloud first so you can analyze the provider's performance on availability, security and customer service before deciding to migrate applications that contain PHI. You must make sure that the provider's performance regarding security and compliance is up to the standards required of your organization and customers. You want complete confidence in the provider’s ability to keep this most critical data safe and secure.

Copyright © 2017 IDG Communications, Inc.
