Healthcare organizations are often ill-prepared to protect sensitive data from data breaches, since most IT investment goes towards patient care and not data security.
Research from the Ponemon Institute shows that healthcare organizations were breached at least once a month over the past year, on average, with almost half of the reporting incidents involving loss or exposure of patient data.
This leaves healthcare IT organizations facing unique challenges: they are expected to reduce the impact from the high incidence of breaches, while matching other industries' benchmarks for speed, quality and innovation. In addition, overburdened healthcare IT teams must maintain strict privacy and security standards, so as to comply with industry mandates, like the Health Insurance Portability and Accountability Act (HIPAA). To better meet these needs, many IT teams responsible for managing protected health information have turned to cloud and SaaS technology to increase agility, collaboration, and continuity of care.
SaaS applications like Google Apps, Office 365 and Salesforce can help support those goals, but proper data protection, especially of electronic PHI (e-PHI), remains a top concern. Healthcare organizations know that data breaches often lead to disruptions in patient service, along with potential exposure of e-PHI. It would stand to reason that most would have an incident response plan and data backup and recovery plan in place in case of a data loss emergency or attack.
Unfortunately, that's not the case. According to HIMSS Analytics, data backup and recovery systems are currently in use at only 35 percent of surveyed healthcare organizations. Just 31 percent are currently planning to adopt such systems, and more than 33 percent are not planning to use backup and recovery systems at all.
Earlier this year, operations were severely disrupted at Hollywood Presbyterian Hospital in southern California because of a ransomware attack that locked up its electronic health records. It was forced to use paper files and move more than 900 patients to other facilities before paying hackers ransom to recover its systems. This case, and others like it, underscores the need for healthcare providers to ensure continuity of care via robust data backup and restore systems that enable rapid recovery from data loss.
Determining the Technology Approach
If your organization manages e-PHI in SaaS applications, there are three areas to assess when determining the best approach to keeping your organization compliant and productive.
1. Understand the relationship between your selected SaaS providers and HIPAA compliance
Anyone with access to sensitive patient data should not only be familiar with HIPAA requirements regarding data protection, but also be formally trained and have that training documented, to properly satisfy compliance requirements.
In a healthcare organization, this includes covered entities such as health care providers as well as those who manage health plans or healthcare clearing houses. It also includes business associates who manage data transmission services and routinely access protected health information, including subcontractors who create, receive, maintain or transmit e-PHI on behalf of a business associate and vendors that offer personal health records on behalf of a covered entity.
Each covered entity and business associate responsible for ensuring the security of protected health information must institute safeguards against unauthorized use and disclosure of e-PHI. One of these measures also requires that business associates and covered entities have contracts, known as a Business Associate Agreements (BAA), in place with their partners and affiliates to ensure that these associates will appropriately safeguard e-PHI.
Before adopting a SaaS solution, it's important for teams to understand how your IT systems and those of your organization's cloud and SaaS providers support:
• Encryption of data in transit and at rest
• Ownership of data
• Data portability, with no vendor lock-in
• Enterprise integration, via open interfaces and APIs
• Complete compliance by protecting unstructured data, as well as structured data (EHR)
Any third-party integrations or custom applications for a SaaS environment will also require a BAA, as e-PHI will likely be part of any workloads served.
2. Understand the critical gaps in the native data protection capabilities provided by SaaS application providers
Chosen SaaS application providers may offer some inherent data protection but, in reality, there are several important gaps in the native data protection offered by SaaS platform providers.
Google, Microsoft, and Salesforce are responsible for protecting data lost in accidents or any issue under their control, such as a server failure (with the exception of natural disasters). But when it comes to data loss from customer or user errors, third-party application sync errors, or malicious acts, SaaS providers will often be unable to recover that data, due to limitations or established policies. Instances where SaaS providers will not recover lost data include:
• Human Error – For instance, once an administrator or end user deletes and purges data from Google Apps, it is gone for good, as per Google's customer agreement and privacy policy.
• Sync Errors – Once a SaaS application is integrated with other applications, there is always a chance data will be lost due to a failed sync. This is common and this kind of data loss is not always recoverable by SaaS providers.
• Malicious Insiders – Should an employee maliciously destroy data, the SaaS application provider may be unable to recover the lost data. Once a request to delete data has been received and acted upon, the data is gone per the customer's directive – malicious or not.
• Hacking – Similar to insider threats, data removed or held for ransom by hackers can be unrecoverable if there is no restorable backup in place.
3. Address the gaps in native data protection to ensure compliance with HIPAA and other standards surrounding data protection, retention, and accessibility.
The permanent, unplanned loss of data can put any organization at risk of shutting operations, but it is especially harmful to healthcare organizations. Not only does data loss interfere with patient care, employee collaboration and record accessibility, it can also have serious implications for an institution's ability to maintain compliance standards surrounding HIPAA and data protection and recoverability.
In order to protect against data loss, healthcare providers should have, in addition to a strong cloud security strategy, a HIPAA-compliant backup solution. When determining which SaaS data protection solution to employ for backup and recovery, healthcare organizations should look for the following:
• Cloud-to-cloud SaaS model - By choosing to backup data from the cloud into the cloud, healthcare organizations reduce the cost and IT maintenance requirements of traditional backup, allowing their IT staff to do more with less, while ensuring a secure copy of their SaaS data is easy to retrieve for recovery.
• Automated and on-demand backups – A "set it and forget it" automated solution gives the additional confidence that critical patient data is being backed up, in addition to manual on-demand backups whenever required.
• Fast and accurate recovery and restoration – SaaS data protection solutions must be tested for restore capabilities. Recent research shows that the cost per year to organizations where loss of access to data is within a typical CSP Service Level Agreement (SLA) of 96 percent uptime, can exceed more than $2 million dollars. Combined with compliance risk and related fines, quick and accurate data recovery will not only ensure significant cost savings, but also continuity of service to patients and for the organization.
• Solution provider stability – The protections afforded by a robust, HIPAA-compliant SaaS data protection solution are only as good as the provider's business and operational stability. Trusted names and established companies are more likely to be there for the IT healthcare team tomorrow, as well as today.
Understanding the risks and responsibilities associated with managing e-PHI in SaaS applications is the first step to implementing the best solutions to safeguard against data loss, whether from accidental deletion of files or malicious threats, like ransomware attacks. With proactive approaches, the healthcare industry will see a marked drop in operations interruption and data loss, improving business and patient outcomes, overall.
About Jeff Erramouspe
Jeff Erramouspe is VP and General Manager of Spanning, an EMC company and leader in SaaS data protection for Google Apps, Salesforce and Office 365. Jeff is a graduate of the University of California at San Diego and serves as an adjunct professor of entrepreneurship in the Graduate School of Business at the University of Texas.
The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.