Realizing the promise of the cloud without compromising IT security

It's the news no healthcare leader ever wants to hear. A major security breach has exposed protected health information (PHI), and their organization must react swiftly to the bad publicity, their damaged reputation and liability issues.

Unfortunately, this scenario is occurring with greater frequency. A recent study conducted by the Ponemon Institute reveals that criminal attacks in healthcare are up 125 percent since 2010 and are now the leading cause of data breach. Yet the same study found that half of all healthcare organizations have little or no confidence in their ability to detect all patient data loss or theft, and more than half do not believe their incident response process has adequate funding and resources. For many IT leaders, adding ever more cloud services appears to pose a serious security risk, and they are wary of increasing their use of these resources. In spite of this, a 2014 HIMSS survey shows 80 percent of healthcare organizations are either using cloud-based IT services or planning to move data and applications to the cloud in the near future.

So how can provider organizations mitigate the risks of cloud IT services and achieve the business benefits? With the right strategies and programs in place, hospitals can realize both goals. Success requires robust risk management and a mature process for selecting trustworthy providers.

Select strong partners

According to the FBI, criminals are targeting the healthcare sector because PHI is more valuable on the black market than stolen credit cards. As healthcare systems become a more lucrative target, they need to work proactively with reliable partners who can supply the sophisticated IT infrastructures that will enhance their overall security posture. Cloud vendors with proven technical track records and capabilities can be the ideal strategic partners to enhance IT security, meet HIPAA compliance as well as provide the low cost, high productivity benefits of cloud computing.

Selecting the right partner means finding a company that will stand shoulder to shoulder with the organization in meeting its compliance, security and business objectives. IT leaders must conduct in-depth due diligence on any provider. This includes:

  • Analyze independent audit reports (for example, SOC 2 Type II or HITRUST assessment reports) that provide an overview of the company's policies, procedures and capabilities, and confirm that the report covers the specific services and data centers the organization will actually use
  • Obtain a 360-degree view of their technical, service delivery and business capabilities
  • Contact their customer references
  • Review all contracts and Service Level Agreements (SLAs) to ensure they will meet the specific technical needs and requirements of the organization

In addition, any reputable and experienced healthcare cloud provider must be willing to sign a Business Associate Agreement (BAA) and accept its compliance and liability provisions. Vendor due diligence, however, is only half the equation. Hospitals must also develop stronger policies and procedures to protect their own IT infrastructure.

Develop robust risk management and security programs

The HIPAA Security Rule requires healthcare organizations to conduct a formal risk analysis. Hospitals should perform risk assessments at least annually. Best practice is to assess on an ongoing basis and to update policies continuously as relevant changes occur. From an IT perspective, this includes vulnerability scans of all systems that show their current patch and configuration states, as well as penetration testing of internal systems. Assessments must also address people and process, with interviews of key department heads, system owners and users to confirm they are familiar with the organization's policies and procedures. Hospitals can enhance the effectiveness of assessments by forming a system-wide security governance committee comprised of compliance, legal, executive, IT and HR personnel that meets quarterly to review the results of all risk analyses.

Be ready to respond

Hospitals need to formulate and put in place an incident response plan and a team that conducts drills at least quarterly. This planning is critical because it allows an organization to react quickly and appropriately while under pressure. The response team will be most effective when it represents a cross-section of the organization, including IT, marketing communications and business units. When an incident occurs, it is important that a cross-functional team, not just IT, communicates clearly with all stakeholders. A response plan is a continuous effort: the team should review it quarterly and update policies and procedures based on prior incidents and planned organizational changes.

The cloud is here to stay

Healthcare IT and business leaders can achieve both a strong security posture and the cost and productivity benefits of cloud-based IT services by combining strong policies and procedures with thorough vetting of service partners. Many cloud vendors are investing in hardening their infrastructures, maintaining ongoing risk mitigation policies and procedures, and dedicating resources to regulatory compliance. By aligning with strong partners and keeping an active role in risk management, hospitals can take advantage of the lower cost, greater data capacity and reduced internal IT staffing that this growing technology paradigm offers.

Jim Hunter is Director of Monitoring and Security at CareTech Solutions, an information technology and Web products and services provider for U.S. hospitals and health systems.

Copyright © 2024 Becker's Healthcare. All Rights Reserved. Privacy Policy. Cookie Policy. Linking and Reprinting Policy.
