Busting HIPAA Compliance Cloud Storage MythsMay 12th, 2017 | By
Cloud storage is the wave of the future – being able to store all of your files off-site without having to purchase expensive servers and keep up with a staff of IT professionals, it all makes for a dream scenario.
Of course, the dream could quickly turn into a nightmare if you’re a health care organization that needs to store sensitive information. Is it HIPAA compliant? Will we get fined if something happens? There are so many cloud service providers, how do we know which one to choose?
Deciding on which way to go could be a challenge, considering the already confusing requirements for HIPAA compliance, and the prospect of making your office more virtual.
That’s not to say you can’t find HIPAA compliant cloud storage. Quite the opposite. Choosing to rely on increasingly outdated legacy systems risks leaving you behind in this current healthcare environment. Just consider the pressure you stare down daily. Health care is increasingly fast-paced, and demands on individual providers are growing rapidly. The natural solution — the only solution, really — is to find ways to be more efficient. The key is doing so in a way that improves, rather than detracts from, patient care.
The cloud offers the ability to access data anywhere, anytime, from any device. What’s more, the cloud comes at a competitive cost, making it a viable option for staying organized and collaborating toward shared goals of improving quality of care in an efficient manner. Here are a few myths about HIPAA compliant could storage that we need to bust.
Myth #1: All encryption is created equally
When thinking about how best to protect sensitive information in accordance with HIPAA compliance, your mind might first go to encryption. That impulse is appropriate for people searching for HIPAA compliant cloud storage options: After all, encryption is an obvious way to protect your most sensitive data by scrambling the contents for unauthorized users.
But it turns out that there’s a fair amount of variety in encryption itself, and when it comes to HIPAA compliant cloud storage, each approach isn’t equally appropriate. The best, by far, is finding end-to-end encryption for your chosen cloud-based file sharing service. File-level encryption protects discrete files and folders with a unique key. That means the file is protected regardless of where it’s stored, because you’re encrypting more than just the place where it resides or travels. Files remain encrypted and are tracked by the cloud service provider — even if they are synchronized by the cloud application to a device. So even if they’re sent via email or downloaded to a device, they remain protected and auditable.
Myth #2: Encryption is enough
Security isn’t so robust if there’s no way to control access to data in real-time or examine what’s happened to information historically. For example, providers should make it possible — and easy — for administrators to track operations made to every encrypted file. Preserving a complete version history of your company’s files can help track and recover any changes made to a file.
Device loss / theft protection
When a device is lost or stolen, you might feel like there’s little to be done to stem a threat in progress. But certain HIPAA compliant cloud storage solutions provide a device block feature, with which users or their administrators can remotely wipe the keys associated with certain devices and users so that it will no longer be able to decrypt sensitive information. Automatic logoff also helps with that, as terminating a session after a period of inactivity can help prevent unauthorized access.
No one wants to think about what threats current or former employees pose, but you need only scan the Department of Health and Human Services site to know that it can happen to anyone. Consider the case of a Colorado-based spine clinic that had to notify patients of a HIPAA breach after a former employee emailed herself a document containing the protected health information—including names, insurance information, and surgical procedure data — of more than 500 patients. The ability to leverage technology to stop such a thing from happening can help legitimize policies you may already have in place about who should and shouldn’t have access to sensitive data. And in situations in which permission needs to be quickly revoked, technology can play a key role.
Myth #3: Any cloud storage provider will do
Even so-called HIPAA compliant cloud storage companies that tout their HIPAA compliance aren’t risk-proof. So, what are the two biggest risks you face with any of the biggest cloud storage services? Two words: Device. Sync.
Here’s the rub: The biggest advantages to the cloud — the very thing leading you to consider it — are actually the biggest threats to your security.
There are a couple of ways to mitigate these threats: First, educate your staff (which you’re doubtless already doing) so they understand the risks and possibly avoid risky behavior. Alternatively, seek out solutions that provide security in these areas. That way, you won’t even have to think about it.
User mistakes remain the No. 1 cause of breaches of protected health information. Indeed, inadvertent HIPAA violations run rampant in health care, which is why it’s helpful to find a solution that’s practically fool-proof.
With Swift Systems, your data is secured thanks to our Compliance as a Service (CaaS) plan. Caas is a packaged service that sets you on the path towards full HIPAA compliance, especially in regards to cloud storage.
Contact us today to find out how we can help you move your practice’s information to our cloud storage.