The Problem with Health IT Storage Today – Patient Data May Be at Risk


By Yvonne Li, Co-founder of SurMD
Twitter: @mySurMD

As in almost every other industry, cloud computing is changing the way healthcare data is stored, managed and transferred. While healthcare was initially slower than some industries to widely adopt cloud solutions, implementations have risen quickly over the last several years. A June 2014 HIMSS Analytics survey found that 83 percent of surveyed medical practices, hospitals and health care systems are using cloud services, citing lower maintenance costs, speed of deployment and a lack of internal staffing resources.¹

But as cloud implementations have soared, so have reported security breaches across the country. A staggering total of 804 large breaches of protected health information (PHI) affecting over 29.2 million patient records have been reported to the Secretary of Health and Human Services (HHS) since the 2009 HITECH Act (Health Information Technology for Economic and Clinical Health) went into effect.²

It’s no secret that data breaches cause damaging financial and reputational harm to an organization, while also undermining consumer confidence. This is especially true in healthcare, where health organizations are entrusted with large amounts of confidential patient information. With the volume of electronic patient data exploding, this challenge is only going to intensify for physician practices and hospitals in the coming years.

Looking at these trends, one might draw the conclusion that cloud computing is responsible for, or at least related to, the uptick in health-related data breaches. But in fact, that’s not the case at all. More than 83% of patient records breached in 2013 resulted from old-fashioned theft, typically from criminals stealing unencrypted laptops from health providers and their business associates.

For HIPAA covered entities and business associates, theft of an unencrypted device is a reportable event under the law’s Breach Notification Rule, putting them at risk for costly remediation, penalties, or even legal judgments. Note the qualifier: PHI encrypted in a manner consistent with HHS guidance is treated as “secured,” and the loss of a device that holds only secured PHI is not a reportable breach. That safe harbor is the strongest practical argument for point 2 below.

In addition to theft, another major challenge is unauthorized access to PHI; more than 22% of 2013 breach incidents resulted from unauthorized access. This can be the work of outside attackers, or, equally likely if not more so, insiders: provider employees and business associates (the third-party vendors that handle PHI on a provider’s behalf) using access they should never have had, or exceeding the access they were given.

So what is the solution to mitigating health IT security breaches?

Here are five keys for reversing the trend …

  1. Look to the cloud for cost-savings, scalability and security.
    Cloud-based storage and retrieval solutions make data management and recovery far easier for IT departments, while also enabling health practices and institutions to quickly scale as data volumes grow. With the sheer amount of patient data expected to grow exponentially over the next several years, the ability to store more data without purchasing, or managing, costly hardware infrastructure is key for providers.
    Additionally, health providers can reach a level of security beyond what they could build alone by working with a third-party cloud-storage partner experienced in secure storage and retrieval. The average-sized hospital or practice typically doesn’t have data security experts on staff, so why leave it to chance? Work with a partner that is able to meet, or exceed, your security and auditing practices, and ask them to share the security layers they use to protect client data. Keep in mind that outsourcing storage does not outsource accountability: the covered entity remains responsible for the PHI it entrusts to a vendor.
  2. All patient data should be encrypted – “at rest” and when it is transferred.
    Despite its obvious importance, encryption remains a sore spot for health providers. According to a recent survey from Forrester Research, less than 60% of healthcare IT professionals said they encrypt devices such as laptops, smartphones or tablets, opening up a gaping hole for thieves and hackers.³ Data should be encrypted both at rest (full-disk encryption on every laptop, phone and tablet that touches PHI, and encryption of every object placed in cloud storage) and in transit (TLS on every provider-to-patient and provider-to-provider transfer, with certificate validation left on rather than switched off to make an integration work).
  3. Pay attention to how patient data is being encrypted.
    While encryption is important, the way it is usually deployed is far from a cure-all. The question to ask is not only “is the data encrypted?” but “who holds the key, and where?” Many cloud storage services encrypt everything under a key that the service itself stores and uses on the server, right next to the data. That protects against a stolen disk, but an administrator, or an attacker who compromises the server, then has both the ciphertext and the key, and the encryption buys nothing.
    The stronger design is to encrypt each file under its own randomly generated key (rather than one fixed key shared across every customer’s data), and to wrap each of those per-file keys under a key that the storage provider never holds. The server then stores only ciphertext and wrapped keys. A server-side breach yields no readable patient data, and compromise of a single file key exposes one file rather than the whole archive. No scheme is fail-proof: the provider now has to protect its own key material and plan for its loss, because the storage vendor cannot recover the data without it.
  4. Insist on a HIPAA-compliant solution, and verify the claim rather than take it on faith.
    Any vendor can claim their solution is HIPAA-compliant. Be aware that no government agency certifies HIPAA compliance; HHS does not endorse or recognize any private certification, so “HIPAA certified” on a vendor’s website means only that a third party of the vendor’s choosing reviewed it. Ask which framework was assessed (independent audits such as SOC 2 or HITRUST are the common ones), ask for the report rather than the badge, and check that its scope covers the service you will actually use. Above all, the vendor must sign a Business Associate Agreement (BAA) before it touches PHI; HIPAA requires one, and it spells out the vendor’s security obligations and its duties to you in the event of a breach. A vendor that will not sign a BAA is not an option, whatever its marketing says.
  5. Don’t be fooled by costly, exorbitant pricing models.
    Secure storage and retrieval of health data, leveraging a cloud model, need not be exorbitant in cost. In fact, one of the primary benefits should be cost savings and scalability. Your cloud-based repository should be scalable as you grow; with pay-as-you-use pricing plans that offer flexibility and eliminate upfront fees and capital equipment expenses.
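Point 3 above in working code, as an added example that is not SurMD’s or any vendor’s implementation: envelope encryption, where every file gets its own random data-encryption key (DEK) and each DEK is wrapped under a key-encryption key (KEK) that the storage side never receives. Everything here is constructed for the demonstration: the `StoredObject` layout, the `Encrypt`, `UnwrapDEK` and `Decrypt` functions, the object names, the sample record and the KEK. Both layers use AES-256-GCM from the Go standard library, with the object name bound in as associated data so a wrapped key cannot be moved from one object to another.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredObject is all the storage side keeps for one file; the KEK is never part of it.
type StoredObject struct {
	FileID     string // object name, bound into both AEAD tags as associated data
	Nonce      []byte // nonce for the file ciphertext
	Ciphertext []byte // file bytes sealed under the per-file DEK
	WrapNonce  []byte // nonce for the wrapped DEK
	WrappedDEK []byte // per-file DEK sealed under the KEK
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts pt under key with a fresh random nonce, binding aad into the tag.
func seal(key, aad, pt []byte) (nonce, ct []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, pt, aad), nil
}

// unseal authenticates and decrypts; a wrong key, nonce, aad or ciphertext is an error.
func unseal(key, aad, nonce, ct []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

// Encrypt seals the plaintext under a fresh random 256-bit DEK, then seals that DEK under kek, which the caller keeps.
func Encrypt(kek []byte, fileID string, plaintext []byte) (*StoredObject, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	aad := []byte(fileID)
	nonce, ct, err := seal(dek, aad, plaintext)
	if err != nil {
		return nil, err
	}
	wrapNonce, wrapped, err := seal(kek, aad, dek)
	if err != nil {
		return nil, err
	}
	return &StoredObject{fileID, nonce, ct, wrapNonce, wrapped}, nil
}

// UnwrapDEK recovers the per-file key; it fails for a wrong KEK or a key moved under another object name.
func UnwrapDEK(kek []byte, obj *StoredObject) ([]byte, error) {
	dek, err := unseal(kek, []byte(obj.FileID), obj.WrapNonce, obj.WrappedDEK)
	if err != nil {
		return nil, errors.New("cannot unwrap DEK: wrong KEK or tampered object")
	}
	return dek, nil
}

// Decrypt unwraps the DEK and then authenticates and decrypts the file bytes.
func Decrypt(kek []byte, obj *StoredObject) ([]byte, error) {
	dek, err := UnwrapDEK(kek, obj)
	if err != nil {
		return nil, err
	}
	return unseal(dek, []byte(obj.FileID), obj.Nonce, obj.Ciphertext)
}

func main() {
	kek := make([]byte, 32) // constructed demo KEK; in production it lives in a KMS or HSM
	rand.Read(kek)
	record := []byte("MRN 000123; dx: hypertension; rx: lisinopril 10 mg") // constructed sample PHI
	a, _ := Encrypt(kek, "chart-000123.pdf", record)
	b, _ := Encrypt(kek, "chart-000123-copy.pdf", record)
	da, _ := UnwrapDEK(kek, a)
	db, _ := UnwrapDEK(kek, b)
	fmt.Println("same record, distinct per-file keys:", !bytes.Equal(da, db))
	pt, err := Decrypt(kek, a)
	fmt.Println("holder of the KEK recovers the record:", err == nil && bytes.Equal(pt, record))
	_, err = Decrypt(make([]byte, 32), a) // storage-side insider: every object in hand, KEK unknown
	fmt.Println("storage side without the KEK:", err)
}
```

Run as-is, the last line reports a failure, which is the point: whoever holds the stored objects but not the KEK gets nothing. Keeping the wrapped DEK beside each object also makes KEK rotation cheap, since rotating means re-wrapping the small per-file keys rather than re-encrypting every file, and the associated-data binding means an object that was renamed or swapped on the server fails authentication instead of quietly decrypting to the wrong record.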

Remember, cloud storage of healthcare data need not be costly, complex to manage, or insecure. Follow these five keys to enhance security of patient information, reduce risk for your organization and staff, and improve patient care. In doing so, you’ll be ensuring your facility does its part in reversing the trend of healthcare security breaches.


¹Greg Slabodkin, “Where Healthcare is Going in the Cloud,” Health Data Management (Aug. 1, 2014)
²“Breach Report 2013: Protected Health Information,” Redspin, Inc. (February 2014).
³Patrick Ouellette, “Report: Healthcare industry must focus on endpoint security,” (Sept. 15, 2014).

About the Author: Yvonne Li is a technologist and business development executive. She is an expert in cloud storage, healthcare data exchange, Internet business models, SaaS and content engagement platform design. She is the co-founder of SurMD, a cloud storage technology company, and has launched a line of HIPAA-compliant cloud services. Li currently serves as VP of Business Development at SurMD, and can be followed on Twitter at @mySurMD.