BreachExchange mailing list archives

7 critical steps to securely move patient data to the cloud


From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Wed, 18 Nov 2015 18:12:47 -0600

http://www.beckershospitalreview.com/healthcare-information-technology/7-critical-steps-to-securely-move-patient-data-to-the-cloud.html

It's no secret that cloud-based electronic health record (EHR) technology
brings many benefits to healthcare firms, including improved mobility,
immediate access to information and streamlined record keeping.

However, such technological benefits also create significant risks, such as
EHR systems that can put sensitive health information in jeopardy if not
properly managed.

As the healthcare industry is increasingly being targeted in cyberattacks,
both the U.S. government and the private sector are putting pressure on
healthcare organizations to further bolster their information security
programs. Most recently, the Department of Health and Human Services has
updated its HITECH rules
<https://digitalguardian.com/blog/health-and-human-services-raises-bar-risk-analysis-latest-hitech-rules>,
which require healthcare organizations seeking federal subsidies for
implementing EHR systems to prove that they are addressing the risks
inherent to those systems with better data protection measures.

Understandably, the transition to a cloud-based EHR system or other
technology is no small undertaking, particularly for healthcare
organizations that manage sensitive data for millions of patients. For this
reason, it's critical that these companies remain secure while adopting
cloud technologies, which requires careful planning and ongoing security
efforts from the C-suite down.

By following the seven steps below, healthcare organizations can reap the
benefits of new technology while keeping their most valuable data safe and
complying with regulatory requirements:

*1. Assess Current Information Policies*

Ensure that any existing information governance rules may be extended to
cloud data. In some cases, it may be desired to apply more stringent
controls on data in or intended for cloud storage.

*2. Assess Current Usage of Cloud Storage*

Determine the protection requirements and status of any data already stored
in the cloud. Investigate current personal cloud use by medical
professionals or other employees. It may be found that some patient data is
already being inappropriately stored in the cloud and creating data loss
risks previously not known. An appropriately managed cloud capability will
remove the perceived need for any such practices by individuals.

*3. Establish Credible Expectations*

In the absence of a well-communicated policy, medical professionals may use
insecure cloud services to store patient data to make it more easily
accessible via mobile devices or when working remotely. A Data Loss
Prevention (DLP) solution will facilitate the application of uniform policy
across the enterprise, including the cloud, and will protect the data, as
opposed to focusing on the network. In particular, a DLP solution will
provide means for educating end users and will prevent unauthorized actions
when required by policy.

*4. Set Objectives Appropriate for the Organization*

After gathering and reviewing existing policies and procedures concerning
the handling of sensitive information, develop an agreement on what
information is to be placed in the cloud, what that placement should
accomplish, and note any information requiring special protection and
control. For example, a first step may be to identify and encrypt all
records identifying patient names with their Social Security or hospital ID
numbers.

*5. Involve the Stakeholders*

Ensure the participation of those responsible for entering or accessing
patient information, and for adhering to HIPAA compliance requirements
<https://digitalguardian.com/blog/what-hipaa-compliance>. All parties
should understand the benefits being sought from cloud storage and the
requirements for protecting sensitive data expected to be placed there.
Managers should understand the benefits and issues of cloud storage, as
well as the policy enforcement capabilities provided by DLP. Cloud data
protection stakeholders could include compliance and privacy personnel,
professional medical staff, Human Resources, IT security, executive
management, and third-party consultants.

*6. Assess the Costs Involved*

If a DLP or other data security solution is being acquired for the first
time, resist buying features you will never use. For best practices,
conduct a five-year total cost of ownership analysis to compare alternative
possibilities, including the costs for: hardware, software, maintenance,
training and any professional services that will be required. Additionally,
be sure to understand any software licensing payment terms.

*7. Test Any Proposed Solution On-Site*

Insist on a short demonstration or Proof of Concept to evaluate ease of
installation and usage. This should be done in your environment with the
organization's own data both inside and outside of cloud storage. A system
that requires separate services only for cloud storage will be both
inefficient and confusing in operation. Seek a DLP solution capable of
comprehensive and consistent compliance management across the enterprise,
including the cloud.

In an era where nearly all information is stored in the cloud, an EHR
approach makes sense within many healthcare organizations. For this reason,
a secure transition to the cloud is critical to meet compliance
regulations, maintain a positive reputation and ensure patient confidence
and business success, especially as healthcare becomes more digital than
ever.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!
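The first step named under point 4 of the article, identifying records that pair a patient name with a Social Security or hospital ID number so they can be encrypted before anything is placed in cloud storage, is exactly the kind of rule a DLP classifier enforces. Below is an added Python example of such a classifier; it is not code from the article, from Becker's, or from any DLP vendor. The record layout, the "MRN-" hospital ID format, the field names and all sample records are constructed assumptions for the demonstration. It goes slightly beyond the article by also reporting identifiers found without an accompanying name, since those still need protection, and by applying the SSA structural rules so placeholder values do not flood the encryption queue.

```python
"""Added example, not from the article or any DLP product: flag patient records
carrying an SSN or hospital ID so they can be queued for encryption before any
cloud upload. Record layout, the "MRN-" format and the sample data are assumed."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Candidate SSN: area-group-serial (3-2-4 digits), dashes or spaces optional,
# not embedded in a longer digit run (avoids matching inside phone/account numbers).
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")
# Assumed hospital ID format for this example: "MRN-" followed by 6 to 8 digits.
MRN_RE = re.compile(r"\bMRN-(\d{6,8})\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: area 000, 666 and 900-999 are never issued, and
    group 00 / serial 0000 are invalid. Filtering these removes the most common
    test and placeholder values that would otherwise trigger encryption jobs."""
    a = int(area)
    if a in (0, 666) or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_identifiers(text: str) -> list[str]:
    """Return normalised identifiers found in free text, e.g. 'SSN:123-45-6789'."""
    found = [f"SSN:{a}-{g}-{s}" for a, g, s in SSN_RE.findall(text)
             if is_plausible_ssn(a, g, s)]
    found += [f"MRN:{m}" for m in MRN_RE.findall(text)]
    return found


def mask(identifier: str) -> str:
    """Redact an identifier for logs and tickets: keep the type and last four digits."""
    kind, _, value = identifier.partition(":")
    digits = re.sub(r"\D", "", value)
    return f"{kind}:***{digits[-4:]}"


@dataclass
class Finding:
    record_id: str
    identifiers: list[str]
    linked_to_name: bool  # True when the record also carries a patient name

    def masked(self) -> list[str]:
        return [mask(i) for i in self.identifiers]


def classify(record: dict) -> Finding | None:
    """Scan every field except the record id. The article's rule is 'names with
    SSN or hospital ID'; identifiers found without a name are still reported so
    nothing unencrypted slips through, with linked_to_name marking the priority."""
    text = " ".join(str(v) for k, v in record.items() if k != "id")
    ids = find_identifiers(text)
    if not ids:
        return None
    return Finding(record["id"], ids, bool(record.get("patient_name", "").strip()))


def encryption_queue(records: list[dict]) -> list[Finding]:
    """Records that must be encrypted (or kept on-premises) before upload."""
    return [f for r in records if (f := classify(r)) is not None]


# Constructed sample records for the demonstration, not real patient data.
SAMPLE_RECORDS = [
    {"id": "r1", "patient_name": "Jane Doe", "notes": "Ins. verified, SSN 123-45-6789 on file"},
    {"id": "r2", "patient_name": "", "notes": "Walk-in, gave SSN 219 09 9999 verbally"},
    {"id": "r3", "patient_name": "John Roe", "notes": "Placeholder 000-00-0000; call 555 123 4567"},
    {"id": "r4", "patient_name": "Ann Poe", "notes": "Transferred under MRN-00123456"},
    {"id": "r5", "patient_name": "Bob Loe", "notes": "BP 120/80, temp 98.6 F, invoice 987654321"},
]

if __name__ == "__main__":
    for f in encryption_queue(SAMPLE_RECORDS):
        print(f.record_id, f.masked(), "name-linked" if f.linked_to_name else "no name")
```

Run as a script it lists r1, r2 and r4: r3 carries only a placeholder SSN and a phone number, and the nine-digit invoice number in r5 is rejected because its area part (987) falls in the never-issued range. The masked output is what should go into any ticket or log; the raw identifiers never leave the classifier.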
