Editor’s Note: Salo Fajer is the Chief Technology Officer at Digital Guardian. He is responsible for driving the company’s strategic vision and core innovation efforts while also overseeing product management, product marketing, and product content development.
It is well known that cloud-based electronic health record (EHR) technology brings many benefits to healthcare firms, including improved mobility, immediate access to information and streamlined record keeping. Unfortunately, these technological benefits can also create significant risks, such as putting some of the most sensitive patient health information in jeopardy if not properly managed.
As cyberattacks continue to target the healthcare industry, touching everyone from physicians’ offices to insurers, both the U.S. government and the private sector are starting to increase pressure on healthcare organizations to bolster their information security programs. For example, the Department of Health and Human Services has recently updated its HITECH rules, which require healthcare organizations seeking federal subsidies for implementing EHR systems to prove that they are addressing the risks inherent to those systems with stronger data protection measures.
The transition to a cloud-based EHR system or other technology can be challenging, particularly for healthcare organizations that manage sensitive data for millions of patients. As a result, it’s critical that these companies work to remain secure while adopting cloud technologies, a feat that requires careful planning and ongoing security efforts from the C-suite down.
The seven steps below can help healthcare organizations to receive the benefits of new technology while keeping their most sensitive patient data safe and complying with regulatory requirements:
1. Assess Current Information Policies
Confirm that any existing information governance rules can be applied to cloud data. In some situations, it may be preferable to apply stricter controls on data in or intended for cloud storage.
2. Evaluate Current Usage of Cloud Storage
Determine the protection requirements and status of any data already stored in the cloud. Look into current personal cloud use by medical professionals or other employees. It’s possible that some patient data is already creating data loss risks through inappropriate storage in the cloud. An appropriately managed cloud capability will remove the perceived need for any such practices by individuals.
3. Establish Credible Expectations
Without a well-communicated policy in place, medical professionals may use vulnerable cloud services to store patient data to make it more easily accessible via mobile devices or when working remotely. A Data Loss Prevention (DLP) solution has the ability to facilitate the application of uniform policy across the enterprise, including the cloud, and protects the data, rather than focusing on the network. DLP solutions provide a means for educating end users and can prevent unauthorized actions when dictated by policy.
4. Set Objectives Appropriate for the Organization
After existing policies and procedures regarding the protocol around sensitive information have been gathered and reviewed, develop an agreement on what information is to be placed in the cloud. Also note the purpose of that placement, along with any information requiring special protection and control. For example, a first step may be to identify and encrypt all records identifying patient names with their Social Security or hospital ID numbers.
5. Involve the Stakeholders
Affirm the participation of those responsible for entering or accessing patient information, and ensure they are adhering to HIPAA compliance requirements. All involved should have a solid understanding of the benefits being sought from cloud storage and the requirements for protecting sensitive data that will be placed there. Managers must comprehend both the benefits and issues of cloud storage, as well as the policy enforcement capabilities that DLP provides. Cloud data protection stakeholders might include compliance and privacy personnel, professional medical staff, Human Resources, IT security, executive management, and third-party consultants.
6. Assess the Costs Involved
If a DLP or other data security solution is being acquired for the first time, hold off on buying features you don’t truly need. It may be helpful to conduct a five-year total cost of ownership analysis to compare alternative possibilities, including the costs for: hardware, software, maintenance, training and any professional services that will be required. Another key step is to ensure understanding of any software licensing payment terms.
7. Test Any Proposed Solution On-Site
Request a brief demonstration or Proof of Concept to evaluate ease of installation and usage. This is best done in your environment with the organization’s own data both inside and outside of cloud storage. A system that requires separate services only for cloud storage will be both inefficient and confusing in operation; instead, pursue a DLP solution capable of comprehensive and consistent compliance management across the enterprise, including the cloud.
In an age where almost all information is stored in the cloud, an EHR approach is sensible for many healthcare organizations. For this reason, a secure transition to the cloud is essential to meet compliance regulations, maintain a positive reputation and ensure patient confidence and business success, especially as healthcare becomes more digital than ever.