It's no secret that cloud-based electronic health record (EHR) technology brings many benefits to healthcare firms, including improved mobility, immediate access to information and streamlined record keeping.
However, such technological benefits also create significant risks, such as EHR systems that can put sensitive health information in jeopardy if not properly managed.
As the healthcare industry is increasingly being targeted in cyberattacks, both the U.S. government and the private sector are putting pressure on healthcare organizations to further bolster their information security programs. Most recently, the Department of Health and Human Services has updated its HITECH rules, which require healthcare organizations seeking federal subsidies for implementing EHR systems to prove that they are addressing the risks inherent to those systems with better data protection measures.
Understandably, the transition to a cloud-based EHR system or other technology is no small undertaking, particularly for healthcare organizations that manage sensitive data for millions of patients. For this reason, it's critical that these companies remain secure while adopting cloud technologies, which requires careful planning and ongoing security efforts from the C-suite down.
By following the seven steps below, healthcare organizations can reap the benefits of new technology while keeping their most valuable data safe and complying with regulatory requirements:
1. Assess Current Information Policies
Ensure that any existing information governance rules may be extended to cloud data. In some cases, it may be desired to apply more stringent controls on data in or intended for cloud storage.
2. Assess Current Usage of Cloud Storage
Determine the protection requirements and status of any data already stored in the cloud. Investigate current personal cloud use by medical professionals or other employees. It may be found that some patient data is already being inappropriately stored in the cloud and creating data loss risks previously not known. An appropriately managed cloud capability will remove the perceived need for any such practices by individuals.
3. Establish Credible Expectations
In the absence of a well-communicated policy, medical professionals may use unsecure cloud services to store patient data to make it more easily accessible via mobile devices or when working remotely. A Data Loss Prevention (DLP) solution will facilitate the application of uniform policy across the enterprise, including the cloud, and will protect the data, as opposed to focusing on the network. In particular, a DLP solution will provide means for educating end users and will prevent unauthorized actions when required by policy.
4. Set Objectives Appropriate for the Organization
After gathering and reviewing existing policies and procedures concerning the handling of sensitive information, develop an agreement on what information is to be placed in the cloud, what that placement should accomplish, and note any information requiring special protection and control. For example, a first step may be to identify and encrypt all records identifying patient names with their Social Security or hospital ID numbers.
5. Involve the Stakeholders
Ensure the participation of those responsible for entering or accessing patient information, and for adhering to HIPAA compliance requirements. All parties should understand the benefits being sought from cloud storage and the requirements for protecting sensitive data expected to be placed there. Managers should understand the benefits and issues of cloud storage, as well as the policy enforcement capabilities provided by DLP. Cloud data protection stakeholders could include compliance and privacy personnel, professional medical staff, Human Resources, IT security, executive management, and third-party consultants.
6. Assess the Costs Involved
If a DLP or other data security solution is being acquired for the first time, resist buying features you will never use. For best practices, conduct a five-year total cost of ownership analysis to compare alternative possibilities, including the costs for: hardware, software, maintenance, training and any professional services that will be required. Additionally, be sure to understand any software licensing payment terms.
7. Test Any Proposed Solution On-Site
Insist on a short demonstration or Proof of Concept to evaluate ease of installation and usage. This should be done in your environment with the organization's own data both inside and outside of cloud storage. A system that requires separate services only for cloud storage will be both inefficient and confusing in operation. Seek a DLP solution capable of comprehensive and consistent compliance management across the enterprise, including the cloud.
In an era where nearly all information is stored in the cloud, an EHR approach makes sense within many healthcare organizations. For this reason, a secure transition to the cloud is critical to meet compliance regulations, maintain a positive reputation and ensure patient confidence and business success, especially as healthcare becomes more digital than ever.
About the Author
Salo Fajer is the chief technology officer at Digital Guardian. He is responsible for driving the company's strategic vision and core innovation efforts while also overseeing product management, product marketing, and product content development.
The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.