It’s no longer possible for organizations to stick their heads in the sand when it comes to cloud services — and this includes healthcare organizations.
Like it or not — and planned or not — employees are transferring corporate information to external repositories which may or may not be safe, secure, approved, backed up, stable, available, or monitored.
Below are some starting points for what to keep in mind for your organization.
Article by Alison Diana in InformationWeek.
Emphasis in red added by me.
Brian Wood, VP Marketing
Healthcare IT Cloud Safety: 5 Basics
Healthcare is warming up to cloud services, and that means extra vigilance. Here’s what you should be doing at a minimum to keep data safe.
As more healthcare organizations become comfortable with using cloud services, there’s a risk this familiarity could lead to complacency — and that endangers patient data, networks, and the organization’s very reputation.
Cloud services continue to gain traction across verticals, including other highly regulated industries such as finance, and healthcare organizations can tap existing tools, governance policies, and procedures to preserve integrity and security. To do so, IT must be vigilant and proactive, experts say, and CIOs must work closely with their business counterparts to ensure the cloud is both the best technological and organizational solution to the problem.
The cloud increasingly is the answer to many healthcare organizations’ needs: Almost 83% of 150 industry respondents currently use at least some cloud services, according to the 2014 HIMSS Analytics Cloud Survey, published in June. Another 9% plan to use the cloud, and just 6% don’t plan to try cloud services, the report found.
By 2017, healthcare organizations will spend $5.4 billion worldwide on cloud services, according to MarketsandMarkets. Slow to adopt public cloud products formally, healthcare IT primarily invests in private or hybrid models for security reasons, experts noted.
However, employees do not always abide by IT’s carefully scripted guidelines. The plethora of software-as-a-service offerings — often free or so cheap they can be charged to an expense account — attracts employees unwilling to wait for an IT-approved approach. Healthcare enterprises used an average of 1,180 cloud services, according to Skyhigh Networks’ Cloud Adoption and Risk Report 2Q, which is based on anonymized data for more than 10.5 million users. Enterprises in general use 738 cloud services, the report found.
“There is a massive opportunity for IT to be more proactive and to understand the risk of cloud services,” says Kamal Shah, vice president of products at Skyhigh Networks, in an interview.
Shadow IT, which may or may not resolve an employee’s immediate business need, can have far-reaching implications, Shah says. During an audit of its cloud services, one Skyhigh client found employees used 19 different file sharing and collaboration applications, he says. In addition to increasing security risks, this situation was hurting productivity, because the lack of standardization meant employees had to download multiple collaboration and sharing programs in order to work together, he notes. “It’s hard to collaborate when different groups within an organization are using different applications,” he says.
Also, when a healthcare organization’s network is overwhelmed, cloud access can be limited, an issue for many hospitals at a time when a growing number of devices wirelessly connect for analysis, monitoring, and data collection. Performance is critical, uptime is a requirement, and poor connections are intolerable in healthcare.
When using cloud services, healthcare organizations must be certain that providers meet HIPAA regulations, said Jennifer Christianson, a partner in the law firm Carlton Fields Jorden Burt, in an interview. Healthcare organizations also must consider how local or state laws might affect them, she noted. Scrutinizing business associate agreements to make sure they meet all specifications is crucial, too, Christianson said.
Read on for the five steps all healthcare organizations should take to make sure their cloud security is up to snuff.
Take a Headcount
Before an internal audit, one small hospital believed it had about 20 cloud services in use. After the audit, it knew employees were using about 200 cloud services, says Kamal Shah, vice president of products at Skyhigh Networks, in an interview. “When IT looked at the list they found there were many [apps] they had never heard of before,” he says.
When employees download cloud-based apps for file sharing, storage, collaboration, and other functions, IT should review employees’ favorite apps and consider whether any meet the department’s security and other criteria, he says. If so, the organization can standardize on these apps, educate employees about their availability, and encourage their use, he says.
“By doing that you’re consolidating services, making available services that are in demand, and you’re putting the necessary controls in place to comply with your regulatory, security, and compliance needs,” says Shah.
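One way to take that headcount from a web proxy log, as an added example that is not part of the article (the log lines, user names, domain names and approved list are all constructed): tally every external cloud domain, which users reached it, and which services are absent from IT's approved list, so the "apps IT has never heard of" surface first.

```python
import re
from collections import defaultdict

# Constructed sample proxy log (not from the article): timestamp, user, destination host.
SAMPLE_LOG = """\
2014-07-01T08:02:11 jsmith files.example-drive.com
2014-07-01T08:03:40 jsmith docs.example-collab.com
2014-07-01T08:05:02 mlee files.example-drive.com
2014-07-01T09:10:55 mlee share.example-freeupload.net
2014-07-01T09:12:07 rchen www.example-intranet.local
2014-07-01T09:15:30 rchen share.example-freeupload.net
2014-07-01T10:01:13 jsmith api.example-notes.io
"""
# Hypothetical list of services IT already knows about and has vetted.
APPROVED = {"example-drive.com", "example-collab.com"}
# Internal hosts the audit should ignore.
INTERNAL_SUFFIXES = (".local",)
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

def registrable_domain(host):
    """Collapse a hostname to its last two labels, so files.x.com and docs.x.com
    count as one service (a real tool would use the public suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def cloud_service_inventory(log_text, approved):
    """Return {domain: {"users": set, "approved": bool}} for every external
    cloud domain seen in the proxy log."""
    inventory = defaultdict(lambda: {"users": set(), "approved": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the audit
        _ts, user, host = m.groups()
        if host.endswith(INTERNAL_SUFFIXES):
            continue
        domain = registrable_domain(host)
        inventory[domain]["users"].add(user)
        inventory[domain]["approved"] = domain in approved
    return dict(inventory)

def unapproved_services(inventory):
    """Services not on the approved list, most-used first, for IT to review."""
    return sorted((d for d, v in inventory.items() if not v["approved"]),
                  key=lambda d: (-len(inventory[d]["users"]), d))

if __name__ == "__main__":
    inv = cloud_service_inventory(SAMPLE_LOG, APPROVED)
    print(len(inv), "cloud services seen; unapproved:", unapproved_services(inv))
```

The unapproved list is the candidate set for the review Shah describes: services with many users are the ones worth vetting and standardizing on rather than simply blocking.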
Read the Contract
Ensure an attorney scrutinizes your cloud services contract and service level agreement (SLA) so it meets your organization’s requirements and includes penalties in the case of failure. Because many states now have their own data security, breach, and personal health information protection laws in place, determine where your data will be housed and how this location could affect your organization’s legal responsibilities.
Strengthen the Network
Without a strong, reliable network, a healthcare organization’s cloud initiative is on rocky ground, and employees will soon figure out workarounds such as unsecured public Wi-Fi.
As more healthcare providers add cloud services, telehealth, video, connected devices, and other network-hungry technologies to their networks, it’s crucial that infrastructures support these additions. Atlantic Health System, for example, upgraded its network when the organization added virtual desktop infrastructure, Imprivata secure text messaging, and Vocera roaming communication technology for nurses, says CIO Linda Reed in an interview.
Protected health information (PHI) has to be carefully safeguarded. Organizations must, therefore, consider who has access to this data, both internally and at cloud service providers; whether it’s centrally stored or scattered throughout the organization; and how the data is being protected.
A cloud company that specializes in technology, networks, servers, and security solutions could well provide a much more secure environment than a two-person practice. Healthcare organizations might need to ensure their cloud partners are HIPAA certified, depending on usage or data stored or accessed. A large payer or health system could, on the other hand, prefer to use its larger, more sophisticated internal IT resources to defend PHI and related equipment.
Develop a Plan
All organizations need an incident response plan. Those using cloud services must include contact information and guidelines for partners as well as employees. This plan should include a review of insurance coverage and insurance notification, Jennifer Christianson, a partner in the law firm Carlton Fields Jorden Burt, told InformationWeek. It’s up to organizations to stay current on local, state, and federal laws, she said.