Despite being guarded by a security team and under video surveillance, thieves managed to steal two password-protected laptops from the administrative offices of AHMC Healthcare Inc. in October 2013. As a result, the data of approximately 729,000 patients at six California hospitals owned by AHMC was compromised.
Isolated incident? A month later, the same thing happened at Blue Cross Blue Shield of New Jersey. Two laptops, both secured by cable locks, were stolen, and with them the data of 840,000 members.
The Enemy Within
These are just two of the many incidents that have made media headlines in recent months. It seems ironic, then, that many healthcare organizations have been hesitant to move their data and applications to the cloud because of security concerns. In actuality, the bigger threats often reside in their own offices.
That is supported by a report posted on the U.S. Department of Health and Human Services (HHS) website. Under the privacy and security provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, the HHS Secretary must post a list of breaches of unsecured protected health information that affect 500 or more individuals.
It’s a long list, and theft and unauthorized access or disclosure top it.
That’s not to say the cloud is the perfect solution. But if a laptop or mobile device is stolen, the thieves can’t read patient data that lives in the cloud rather than on the device, provided the device holds no local copies or cached credentials. Full-disk encryption on the device itself achieves much the same end: HHS treats properly encrypted PHI as secured, which is why the breaches on its list are breaches of unsecured PHI.
Securing the Cloud
There are legitimate concerns about cloud security, however. Data stored in the cloud typically resides in a multi-tenant environment and shares virtualized server space with data from other customers. An inherent risk of multi-tenancy is the potential failure of isolation mechanisms that separate memory, storage, and routing between tenants.
Fortunately, reliable healthcare cloud service providers (CSPs) invest in best-of-breed security systems and highly trained security professionals, spreading the cost across multiple tenants. They want your business, and they want you happy, and will do what it takes to succeed at both.
Savvy CSPs catering to the healthcare sector are also very much aware of their prospects’ security concerns and are more likely to put the required planning and technology in place to head off security issues.
While the majority of breaches listed on the HHS website were committed by unscrupulous or untrained insiders rather than anonymous hackers, that doesn’t mean healthcare organizations are immune to hacking. It happens less often, but it happens. Attackers are always on the lookout for coding errors and security oversights, ready to exploit them with malware and rootkits and to compromise cloud components such as hypervisors and operating systems.
One of the more notorious cases took place in Utah in 2012. Hackers broke into a Department of Technology Services server that was protected only by a weak password. As many as 780,000 people, many of them children, were affected.
Again, the more reputable CSPs have processes and procedures in place to thwart attacks, using transparent data encryption, sound key management, process-based access controls and other strategies. These same CSPs are also more likely to engage in vulnerability testing, going beyond paper security audits to hands-on testing of their defences (penetration testing) to verify the integrity and security of their cloud services.
Safe and Compliant
What may be most surprising for many in the healthcare sector is how recent HIPAA changes have helped make the cloud a more secure option. Under what is known as “the final rule” (the 2013 HIPAA Omnibus Rule), CSPs that handle electronic protected health information (ePHI) are business associates with direct responsibility for meeting HIPAA requirements. They are also directly liable for penalties when a breach results from their failures, which gives them a strong incentive to employ all necessary controls to protect sensitive patient data.
For healthcare organizations considering moving any part of their IT operations to the cloud, working with a CSP that is HIPAA compliant and will sign a business associate agreement (BAA) can provide peace of mind, easing some of the burden of meeting stringent HIPAA requirements and helping to ensure that appropriate mechanisms are in place for keeping data safe. Note that there is no official HIPAA certification, so ask for evidence (independent audit reports, the terms of the BAA) rather than a label.
Healthcare organizations should also insist that their service level agreements (SLAs) with CSPs specify agreed-upon security objectives and outline processes for verifying compliance. It’s not a cure-all, but it can help facilitate more effective data loss prevention.