Healthcare Security In the Cloud
As more people transition from in-office care with their physicians to telehealth appointments, something else is moving from physical to digital with them: their personal data. The healthcare field has steadily shifted from jotting down patient information on clipboards to digital data collection. Whether it’s forms online or the clinic’s own iPad devices, the pandemic has vastly accelerated healthcare’s dependency on the cloud, as it has in a myriad of other fields. Which is a good thing, right?
The shift to online started long before the most recent pandemic. In 2009 the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) passed, pushing medical providers to adopt electronic health record (“EHR”) software systems in return for federal incentives. This in turn led to the birth of “patient portals”, which allowed patients, albeit in a limited way, to access their own medical data in these EHR systems. That said, it is a fact that no other sector has been directly impacted as harshly or has had to adapt as quickly as the healthcare sector. There is no option to shut down or slow down; the only way is to move forward with speed and security. So how does such a fragmented healthcare delivery system go about securing patient data in this situation? Let’s step through this in 3 parts:
Legislation: There are specific laws in the US pertaining to data privacy at both the state and federal level. So what security and protection legislation applies to these entities and the patients they serve? We are first directed, at the federal level, to the HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, which essentially states that patients are to be dutifully notified within 60 days of any breach of unsecured protected health information (PHI). Civil penalties can be levied against any entities found in violation, in the form of fines ranging from $100 to $50k per violation. In conjunction, HIPAA also passed the Security Rule, which among other things primarily made business associates of covered entities (health care providers who participate in health care transactions electronically, health plans and health care clearinghouses) directly liable for compliance, and which also prohibits the sale of protected health information without authorization. Let us also be cognizant of the fact that HIPAA did not start out as a federal cybersecurity law (it was signed in 1996; in contrast, CERN placed world wide web technology into the public domain in 1993). Remember, the “P” in HIPAA stands for “portability”, not privacy.
Security of the cloud: Within the past 5 years we have seen a majority of healthcare providers gravitate towards a private cloud environment, with hybrid cloud environments making gains as well because some entities are hesitant to move fully into the cloud. Although a hybrid environment could potentially fetch lower operating costs, healthcare providers are opting for the tighter security that a private cloud environment offers. For example, a healthcare provider utilizing a private cloud deployed in its own data center has much more control over HIPAA compliance and doesn’t have to rely on an outside vendor to ensure compliance. Some other key benefits of private cloud utilization for healthcare providers are:
Applications are deployed in existing security protocols.
Ideal to adhere to regulations due to isolated cloud environment.
Increased level of control with dedicated hardware either on site or at a data center provider.
Extreme privacy due to exclusive access to company resources.
Security in the cloud: A common misconception amongst non-technical people is that they can just migrate over, throw all their data into the cloud, and their cloud provider will handle the rest. In reality, whoever your provider is (AWS, Azure, GCP, etc.), they are responsible for security OF the cloud while you’re responsible for security IN the cloud. With new patient portals being utilized more and more, PHI needs to be secured, so what are some protocols healthcare providers need to implement to ensure best practice is being met? Firstly, encryption. Encryption is one of the most useful security tools, if not the most useful, when it comes to dealing with data in transit and at rest. Encryption of patient data is a recommendation by HIPAA but NOT mandatory in the Security Rule. The reason is that when the law was enacted it was acknowledged that “technology advances”. It does specify that this safeguard or any alternatives should be implemented if available. Another best practice is to correctly configure and implement a HIPAA-compliant firewall. Let’s look at a couple of different firewalls and their use cases in regard to protecting PHI.
Hardware Firewalls are utilized in the cloud environment to implement isolated network segments that dictate who does and doesn’t have access to PHI. These are located outside of an entity’s network.
Software Firewalls are primarily for mobile devices accessing PHI remotely. These reside between where the PHI data is located and all other systems.
Web Application Firewalls (WAFs) specialize in monitoring and blocking web-based traffic such as DDoS attacks. These sit in front of the patient portal to monitor, detect and prevent web-based attacks.
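As an added illustration (not part of the original article), the customer-side checks discussed above, namely encryption at rest and in transit, network segmentation around PHI, and a WAF in front of the patient portal, can be run over a resource inventory. The inventory, its field names, the 10.20.0.0/16 PHI segment and the TLS 1.2 floor are all constructed assumptions, not any cloud provider's schema or a HIPAA requirement.

```python
import ipaddress

# Constructed inventory for illustration; field names are hypothetical,
# not any cloud provider's API schema.
INVENTORY = [
    {"name": "ehr-db", "phi": True, "encrypted_at_rest": True,
     "min_tls": "1.2", "public": False, "waf": False,
     "ingress": ["10.20.0.0/24"]},
    {"name": "portal-web", "phi": True, "encrypted_at_rest": True,
     "min_tls": "1.2", "public": True, "waf": False,
     "ingress": ["0.0.0.0/0"]},
    {"name": "scan-archive", "phi": True, "encrypted_at_rest": False,
     "min_tls": "1.0", "public": False, "waf": False,
     "ingress": ["10.20.0.0/24", "10.99.0.0/16"]},
    {"name": "marketing-site", "phi": False, "encrypted_at_rest": False,
     "min_tls": "1.2", "public": True, "waf": False,
     "ingress": ["0.0.0.0/0"]},
]

# Assumptions: the segments allowed to reach PHI, and the lowest TLS accepted.
PHI_SEGMENTS = [ipaddress.ip_network("10.20.0.0/16")]
MIN_TLS = (1, 2)


def audit(resource, phi_segments=PHI_SEGMENTS):
    """Return the customer-side ("security IN the cloud") findings for one resource."""
    if not resource["phi"]:
        return []  # out of scope: stores and serves no PHI
    findings = []
    if not resource["encrypted_at_rest"]:
        findings.append("no encryption at rest")
    if tuple(map(int, resource["min_tls"].split("."))) < MIN_TLS:
        findings.append("weak encryption in transit (TLS < 1.2)")
    if resource["public"]:
        # Internet-facing PHI system such as the patient portal: needs a WAF.
        if not resource["waf"]:
            findings.append("public endpoint without WAF")
    else:
        # Internal PHI system: every ingress source must sit inside a PHI segment.
        for cidr in resource["ingress"]:
            net = ipaddress.ip_network(cidr)
            if not any(net.subnet_of(seg) for seg in phi_segments):
                findings.append(f"ingress from {cidr} is outside the PHI segments")
    return findings


def audit_all(inventory=INVENTORY):
    """Map resource name to its findings, omitting resources that pass."""
    return {r["name"]: f for r in inventory if (f := audit(r))}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, "->", "; ".join(findings))
```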
These are some of the topics healthcare providers, new and old, must constantly consider regarding patient data. In this rapidly changing setting, new best practices must be adhered to for the sake of patients’ protection. It is no secret that healthcare patient portals and PHI are constantly a prime target for attacks by hackers looking to flip patient information on the black market for a profit. As we move into an increasingly digitized society, patient privacy and security must be at the forefront of every healthcare entity’s priority list, or else they risk losing confidence and, more importantly, capital.