Four years ago, ransomware was just a blip on the healthcare industry's radar. Today, it's one of the biggest threats to the market – with 88 percent of all ransomware attacks targeting hospitals.
What's clear is that the types of threats are changing, leaving the healthcare industry even more vulnerable to data breaches than before. Even a minor mishap, such as a lost or stolen employee device, can compromise privacy and security for hundreds to thousands of patients. And with the ability and expectation to get to data and applications from many different locations, the potential risks are only growing.
In today's threat landscape, it's critical that healthcare providers comply with the 2013 HIPAA Omnibus Final Rule to protect patient information. According to the Rule, any entity that "creates, receives, maintains, or transmits protected health information (PHI) on behalf of a covered entity" is a business associate. This means that cloud providers are now subject to privacy and security requirements under HIPAA.
Let’s say a data breach occurs. Under the HIPAA Breach Notification Rules, you are required to immediately notify the U.S. Department of Health & Human Services Office for Civil Rights (OCR), and in many cases, triggers an investigation. The OCR comes in and requests a list of your third-party providers and executed Business Associate Agreements (BAAs) with them. Would you be comfortable with your responses to this line of questioning?
Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) recently went through this process when an employee's iPhone was stolen, compromising the PHI of more than 400 patients. Fined $650,000 and committed to a corrective action plan, CHCS's predicament makes one point perfectly clear: The federal government is extremely serious when it comes to safeguarding consumers' health information.
To protect your organization and ensure you can support HIPAA compliance, there are four main questions you should ask your third-party cloud providers.
1. Will the cloud provider sign a Business Associate Agreement?
Under the HIPAA Rules, a BAA is required when using any third-party provider that could have access to your patients' PHI, whether or not they actually access it. HIPAA regulates all information that can be used to identify a person – from their name and address to their social security number and healthcare history, such as procedures and process codes. For example, if you're using a cloud provider for email, file-sharing or voice services and plan to send and store PHI on your patients through these services, then you need a BAA with the cloud provider. Surprisingly, many organizations don't have BAAs in place with their third-party providers. This has led the OCR to announce that it is increasing the number of audits of healthcare providers, focusing specifically on BAAs and risk assessment. For organizations that fail to implement BAAs, they will potentially be subject to actions and large fines that can reach the millions.
2. Has the cloud provider had an independent audit?
A thorough, independent HIPAA risk assessment means that a third party with expertise in HIPAA compliance has evaluated your cloud provider's operations against the physical, technical and administrative safeguards specified under HIPAA. Therefore, if your cloud provider has completed an independent audit, they have done their due diligence to support signing a BAA with you. An independent audit should look at all the privacy and security controls that your cloud provider has in place, including business processes that control who has access to your patients' PHI, who is monitoring the flow of this information, and the environment where this data resides. There are a lot of different guidelines to check. An independent auditor can make sure your cloud provider has the right processes in place to manage your patients' sensitive information while supporting privacy and security requirements under HIPAA. If the cloud provider has never had an independent audit, you should consider looking elsewhere.
3. How can the cloud provider help with risk assessment?
Cloud providers should help you mitigate risk. You should identify the range of solutions they offer to address the different elements of HIPAA. Do they support disaster recovery and business continuity? Can they help you retain documents? Can they encrypt emails if they contain PHI? How do they handle voicemail that might include patient information? The more services your cloud provider offers that comply with HIPAA, the easier it will be for you to have a more complete risk assessment solution. If a cloud provider only helps you comply with one service, say email, then you will have to figure out the rest internally or through various other third-party providers, complicating how you manage these services and make sure they are compliant.
4. How easy will the cloud provider make HIPAA compliance?
When partnering with a cloud provider, it's important to select a solution that makes it as easy as possible for an administrator or compliance officer to support HIPAA compliance. For example, if a cloud provider includes a HIPAA email encryption template with its email solution, then all you have to do is turn it on and it works. To retain important emails, make sure there isn't a huge time or resource drain, such as needing to move emails into different folders so they're protected. This is especially important in meeting disaster recovery requirements. Under HIPAA, you're required to provide patients with their health data upon request; there's no excuse. Imagine telling patients you can't give them updates around their critical procedures because of system failures. Backup is one way to ensure this information is readily available, but you have to ensure information is backed up completely and in real-time.
Failure to comply with HIPAA regulations is a serious offense, for both healthcare providers and third-party vendors. As we recently saw with CHCS, healthcare providers can get hit with hefty fines. Not to mention the negative press that follows, impacting reputation. To make matters worse, if healthcare providers don't address disaster recovery scenarios, as we saw with Hollywood Presbyterian Medical Center in February, it can also result in financial losses and frustrated patients, as they needed to turn away patients to other hospitals to receive care when systems went down.
Traditionally, we think of patient information being shared in emails and file attachments. However, with remote patient treatment on the rise and the introduction of telehealth, healthcare providers now need to account for stored voice and video files as well. HIPAA requires ongoing risk assessment for a changing environment of staff, systems, services and threats. As technology continues to evolve and threats keep transforming, you'll still be responsible for thinking ahead and making sure that you are HIPAA compliant, both today and in the future.
By Craig Woods, Director of Industry Solutions, Intermedia
The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.