Lessons learned from EHRs … Secure your cloud apps now

The cloud and big data hold tremendous promise for healthcare providers, life sciences companies and patients.

From precision medicine to patient-centered care – there is the potential for better care, delivered faster, easier patient access, increased collaboration and ultimately improved outcomes. With so much potential, there is an emotional and financial fervor to rush into the cloud. But, there are dangers to moving PHI to the cloud or big data too quickly. Some of the greatest threats to this data include business associate breaches, unintentional disclosures, and insider threats.

If history is the best predictor of the future, there are a lot of lessons we can learn from Electronic Health Records (EHRs). Over the past decade, EHR deployments grew very fast, in large part due to ARRA and HITECH. Fortunately, EHRs, like Epic and Cerner, centralize patient data – and the industry got relatively lucky with their confined architecture. But, as we've witnessed, the security controls were not built in early – and now threats to medical identities are at an all-time high. Now, imagine this data spreading out in the cloud – propagating outside the walls of the healthcare facility, dispersed across data farms. The odds are, once that data is breached you will never get it back.

According to a recent HIMSS report, "The Cloud Evolution in Healthcare," 59 percent of health IT professionals either currently use or plan to use cloud, and there's been an uptick in back-office cloud applications from 22 percent in 2014 to nearly 47 percent in 2016.

Today, as healthcare providers adopt cloud applications, they have the opportunity to take patient privacy and data protection seriously – from the beginning. They need to look beyond simply complying with minimum necessary HIPAA regulations and realize that patient privacy and data security must be a part of total holistic patient care.

How do they achieve this?

1. Create an inventory of Big Data and Cloud projects underway and pending

2. Find out the security controls of the cloud vendors involved

3. Conduct HIPAA assessments and understand any gaps

4. Monitor employee access to cloud-based applications: Care providers also need to have specifically named, trained and competent personnel who take direct responsibility for actively monitoring who is accessing electronic patient records – whether it is an EHR or a cloud-based application.

5. Enable audit logs: Organizations need to make sure that their IT comes with enabled and effective audit logs – and that these are switched on. Many healthcare providers are severely undermining their ability to safeguard patient confidentiality by leaving audit logs switched off and by not having complete visibility of PHI access across all applications.

6. Increase visibility: There are tools available for providers to have total visibility across their applications to ensure that PHI is secure. You will be able to detect anomalous activity across all applications, from your EHR to cloud applications, and see who has accessed what, when and from where – giving you the actionable intelligence to determine if your PHI is at risk from an insider threat or compromised credentials.
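One way to put steps 4 through 6 into practice, as an added example that is not from the original post or from any FairWarning product: a small Python detector run over constructed audit-log lines merged from an EHR and a cloud application, flagging the who/what/when/from-where signals the list describes. The log format, user names, addresses and thresholds are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit records (not real PHI), one per line:
# timestamp,user,patient_id,source_ip,application
SAMPLE_LOG = """\
2016-03-01T09:05:00,nurse01,P1001,10.1.1.5,ehr
2016-03-01T09:20:00,nurse01,P1002,10.1.1.5,ehr
2016-03-01T10:00:00,nurse01,P1003,10.1.1.5,cloud-crm
2016-03-01T11:00:00,billing02,P1001,10.1.2.9,cloud-crm
2016-03-01T11:05:00,billing02,P1004,10.1.2.9,cloud-crm
2016-03-01T23:30:00,billing02,P1005,203.0.113.7,cloud-crm
2016-03-01T23:31:00,billing02,P1006,203.0.113.7,cloud-crm
2016-03-01T23:32:00,billing02,P1007,203.0.113.7,cloud-crm
2016-03-01T23:33:00,billing02,P1008,203.0.113.7,cloud-crm
2016-03-01T23:34:00,billing02,P1009,203.0.113.7,cloud-crm
"""


def parse_log(text):
    """Parse the CSV-style audit lines into dicts; logs from every app are merged here."""
    events = []
    for line in text.strip().splitlines():
        ts, user, patient, ip, app = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "patient": patient, "ip": ip, "app": app})
    return events


def detect_anomalies(events, max_patients=4, business_hours=(7, 19)):
    """Return {user: [reasons]} for access patterns that deserve a privacy review."""
    findings = defaultdict(list)
    patients_seen = defaultdict(set)
    ips_seen = defaultdict(set)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        user = e["user"]
        patients_seen[user].add(e["patient"])
        # "when": PHI access outside the expected working hours (assumed 07:00-19:00)
        if not business_hours[0] <= e["ts"].hour < business_hours[1]:
            findings[user].append(f"after-hours access to {e['patient']} via {e['app']}")
        # "from where": a source address this user has never used earlier in the log
        if ips_seen[user] and e["ip"] not in ips_seen[user]:
            findings[user].append(f"new source address {e['ip']}")
        ips_seen[user].add(e["ip"])
    # "what": many distinct records, a classic sign of snooping or stolen credentials
    for user, patients in patients_seen.items():
        if len(patients) > max_patients:
            findings[user].append(f"{len(patients)} distinct patient records accessed")
    return dict(findings)
```

Run `detect_anomalies(parse_log(SAMPLE_LOG))` to see that only the billing user is flagged, for after-hours access, a new source address and bulk record access, while the nurse's daytime activity from a known address produces nothing.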

Salesforce is a great example of a cloud vendor that is getting cloud security right. They've grown rapidly in healthcare because of their unique value proposition. A few years ago, they rolled out Event Monitoring and Salesforce Shield to tackle their customers' security and compliance gaps and have empowered their ISVs and partners to create third-party solutions to solve really complex industry and governance challenges.

The healthcare industry is built on trust between patients and care providers, trust that patients can share their most sensitive information about themselves in order to receive the best care possible. Patients' personal, family, financial and historical medical information is shared with care providers, and now patients are being asked to share genome-level information about themselves. Care providers and those who handle patient information hold the very essence of our identities, and increasingly there is great risk in how the industry handles "us." The time is now, while we're still at the beginning of this cloud revolution, to ensure that your patients' data is protected. Build security and privacy into applications at the ground-level. Because unlike EHRs, once your cloud data is breached you may never get it back.

Kurt Long is the Founder and CEO of FairWarning, a global leader in application security intelligence solutions. FairWarning protects patient information in Electronic Health Records for over 8,500 hospitals and clinics around the world, as well as confidential information in financial services companies with over $200 billion assets. Kurt holds multiple patents around the world related to information security. He has also been involved in the founding of several information security companies that have become public or acquired. Mr. Long is a recognized thought leader in information security, privacy and compliance, and has been featured in dozens of articles, published multiple papers, and has been called on to provide expert testimony before governments in the U.S. and Europe.

The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.
