The vision is chilling. It’s another busy day. An employee arrives and logs on to the network only to be confronted by a locked screen displaying a simple message: “Your files have been captured and encrypted. To release them, you must pay...”

How To Reduce Risks In Cloud Computing

How To Reduce Risks In Cloud Computing

Healthcare IT News survey results released recently show that 48% of respondents plan to include cloud computing in their IT projects, while 33% have already done so. However, the survey also found that 19% of respondents had no plans at all regarding cloud computing. The co-founder and president of ID Experts, Rick Kam, has a reason for this: security. The 19% of total respondents fear that cloud computing is not secure enough for their data.

For health care institutions, entities, and providers in particular, it is data security that is of utmost importance, because these organizations must protect health information. Under the Health Insurance Portability and Accountability Act as well as Federal HITECH, health care organizations are responsible for the protection of health information in the cloud.

However, all is not lost for these health care organizations, because it is possible to reduce the risks associated with cloud computing as follows:

  • When tapping the services of a cloud computing provider, a health care entity must fully review the terms and conditions of the Service Level Agreement so that the entity’s risks and liabilities are fully understood. As such, the health care entity must accept that such risks must be fully absorbed by the organization.
  • Once operational, the health care organization must limit access to the cloud computing system. However, small health care entities may have to make do with whatever cloud computing service they can afford. These entities may not be able to limit access; their data and applications may be hosted in the public cloud because it is a lot cheaper than a private cloud.
  • Before signing on the dotted line, the cloud computing applications must be researched fully, because there are federal laws which limit access to protect health information to the very minimum. Only authenticated and authorized users must be able to access the cloud computing applications and there must be a log so that IT can audit each individual instance of access. However, not all applications have this feature; so, it is the primary responsibility of the health care institution to do its homework before acquiring cloud computing applications. Also, the cloud computing application must be designed for interoperability and data must be securely and smoothly moved between software applications which somehow expose health care information to certain risks. Therefore, protocols and standards for interoperability must be developed. When a health care institution procures a cloud computing service, it must ensure that the interoperability feature is present in the application.
  • A small health care organization must ask for third-party validation when taking advantage of a cloud computing application. It can ask its cloud computing provider to present a certification from a medical organization or association confirming that its cloud computing application meets the HIPAA and HITECH security requirements.
  • The health care entity must keep an inventory of the organization’s protected health information and personally identifiable information. This way, it can regulate the way it disposes, stores, uses, and collects the entity’s protected health information, because the said inventory can make known any data breach risks. A health care organization will then be able to plan its security measures so as to reduce the risk of a data breach.
  • The health care organization must create a cost-efficient and effective incident response plan which will help the entity meet the HITECH and HIPAA requirements alongside creating guidelines in case a data breach occurs. The plan assigns roles and offers guidelines, as well as the response team’s actions and responsibilities when a security breach occurs, and offers instructions on how to determine notification requirements, especially to the regulatory authorities.

By Florence de Borja