Secure Business Agility

Why Information Security Need to be Empowered to Manage Data Breaches

Manage Data Breaches 2017 saw over 2 dozen major security breaches in 2017.  While the public may have grown numb to the number and constant stream of data breaches reported, outrage has been building around the delays in accompanying disclosures of those breaches and questionable actions
Trying to Embrace the Digital? Remember You Can’t Drive the Train from the Tender

Trying to Embrace the Digital? Remember You Can’t Drive the Train from the Tender

Embracing new digital technologies, or just moving to the cloud in your work is almost mandatory. Just remember, if you don’t have real buy-in from the top, your odds of success are low. Here are some steps to consider. Digital transformation is hard. Just trying

CONTRIBUTORS

Technology Cloud Contributor

The Competitive Cloud Data Center

The Competitive Cloud The corporate data center was long the defacto vehicle for all application deployment across an enterprise. Whether ...
egnyte

Cost of the Cloud: Is It Really Worth It?

Cost of the Cloud Cloud computing is more than just another storage tier. Imagine if you’re able to scale up ...
The Cancer Moonshot: Collaboration Is Key

The Cancer Moonshot: Collaboration Is Key

Cancer Moonshot In his final State of the Union address in January 2016, President Obama announced a new American “moonshot” ...
Maintaining Network Performance And Security In Hybrid Cloud Environments

Maintaining Network Performance And Security In Hybrid Cloud Environments

Hybrid Cloud Environments After several years of steady cloud adoption in the enterprise, an interesting trend has emerged: More companies ...
Are Cloud Solutions Secure Enough Out-of-the-box?

Are Cloud Solutions Secure Enough Out-of-the-box?

Are Cloud Solutions Secure? Although people may argue that data is not safe in the Cloud because using cloud infrastructure ...
GDPR Compliance

A Quick and Dirty Guide to GDPR Compliance

GDPR Compliance Set a reminder: On May 25, 2018, the new General Data Protection Regulation directive from the European Union ...
Why Your Cloud Project Needs A Strong PMO

Why Your Cloud Project Needs A Strong PMO

Cloud Project Needs A Strong PMO Cloud projects are highly complex. Without a strong project management office, they have a ...
The Lighter Side Of The Cloud - The Crystal Ball
Leo

Medical Professionals Face Unique Challenges Using The Cloud

Medical Professionals Using The Cloud

The presence and value of Cloud tools have seeped into virtually every industry, and the medical profession is certainly no exception. However, because of the special rules regarding patient privacy, specifically those found in HIPAA, people handling patient information must follow specific guidelines that in many cases, are violated by standard cloud services. Of course many services claim HIPAA compliance in order to attract healthcare clients, however, an approved “HIPAA certification” doesn’t exist for cloud services. Therefore, it is important for people working in the medical industry to be aware of the rules and options when utilizing the Cloud for their business.

All medical professionals (and most people who’ve been to the doctor) are familiar with HIPAA, but to lay a foundation for this article, here is a little background. Congress passed the Health Insurance Portability and Accountability Act back in 1996. You have HIPAA to thank for the enforcement of privacy standards (Infographic below by Cardigm)   that protect your personal health records (as well as health insurance portability, though the focus of this article will be the former). HIPAA makes provisions against industry fraud, imposes nationwide standards for the electronic management of records, and consequently ensures that confidential information will be handled in the appropriate manner.

Medical Professionals Using The Cloud

However, technology has come a long way since the act’s initial passage 20 years ago. As a result, it’s now far easier to commit a HIPAA violation than you might think. Businesses working in or with the medical industry must take particular care when it comes to the cloud to avoid the hefty fines that come with such violations. When planning processes and acquiring tools to adhere to HIPAA rules, additional steps often need to be taken to ensure that security is not sacrificed for the sake of the cloud’s convenience.

The Third-Party Service Problem

The primary difficulty of integrating private information with the cloud is that most major cloud services (e.g. Dropbox) are not managed by medical professionals and they reserve the right to access files on hosted on their servers. Therefore, any instance in which these third parties have access to confidential client information would constitute a violation of HIPAA.

There are a few potential solutions to this issue, the first being a Business Associate Agreement (BAA). In this case, the third-party service enters an agreement allowing them to act as the business associate of a medical professional, thus protecting client info and meeting HIPAA standards. Unfortunately, this can potentially increase the provider’s liability and mean penalties for them should a breach occur, which means they’re less likely to submit to such an agreement. (Apple, for example, refuses to sign the BAA that would make iCloud HIPAA-compliant.)

Here are some cloud services that will sign Business Associate Agreements:

  • Document Sharing Services:
    • Dropbox for Business
    • Box Enterprise & Elite
  • Cloud Based Business VoIP
    • RingCentral Office
    • Jive
  • Online Fax Services
    • SRFax
    • SFax
    • FaxAge
  • Online Backup Services
    • Carbonite
    • iDrive Business and Enterprise

If a BAA isn’t available, another option is utilization of a third-party encryption app. These services encrypt files before they are uploaded to the cloud, rendering them unreadable by the cloud service provider. A little research can quickly turn up alternative encryption solutions to products you may already be using, such as CloudLock for Google Apps for Work. Another option is to invest in an entirely separate service, such as Tresorit, which provides encryption as well as additional features, such as the option to “unsend” or revoke access to mistakenly sent data. Encryption also protects against instances of hacking and lost devices (i.e. laptop, phone), which can be potential threats to client security.

Another option is to use a service that offers a HIPAA setting, which essentially encrypts the files in the way a third party application might and will typically remove other features that violate HIPAA like sending files through email. However, without a signed BAA from the vendor, any mishandling of the information would still be a HIPAA violation.

A Note on Email and Fax

Transmitting consumer information via email is a violation of HIPPA, which is why faxing is still very common in the medical industry. While online fax services (e.g. eFax) utilize cloud portals where faxes can be retrieved, they typically also email a copy to the recipient. This constitutes a violation of HIPAA. However, medical professionals can use online fax services that offer special features (often referred to as a HIPAA conduit) like file encryption and fax notification via email only. As mentioned above, a HIPAA conduit setting alone is not as strong of a liability protection as a signed BAA.

In Conclusion

In the conversation surrounding HIPAA compliance, it’s crucial to retain as much information as you can about the status and location of confidential information. As putting any data into the cloud means losing a degree of control, those interested in avoiding violations should know the identity of every person that has access to the information, where the service provider is located, and the exact nature and content of the data itself. The responsibility to ensure patient privacy is ultimately borne by the medical professional. If this includes using the cloud—and in this day and age, it probably does—be sure to plan accordingly.

By Leo Welder

Leo Welder

Leo Welder is the founder of ChooseWhat.com, which guides entrepreneurs through the startup process. Using How-To's, Comparisons, "STARTicles" and a community forum, the site helps people choose cost-effective, often cloud-based, tools to build an easily scalable infrastructure.

View Website

Cloud Community Supporters

(ISC)²
Cisco
SAP
CA Technologies
Dropbox

Cloud community support comes from (paid) sponsorship or (no cost) collaborative network partnership initiatives.