HEALTHCARE & SECURITY OF DATA IN THE CLOUD

Transcription

1 HEALTHCARE & SECURITY OF DATA IN THE CLOUD August 2014 LYNLEE ESPESETH Marketing Strategy Associate Denver Fargo Minneapolis sundog FAX:

2 In this day and age, there s no denying the importance of cloud technology in the healthcare world. The era of cabinet drawers overflowing with patient files and flustered workers digging for what they need is coming to an end. Healthcare employees desire quick access to patient information from anywhere they may need it, and healthcare consumers want prompt, high-quality and unified care from all of their providers. A 2012 report states that cloud technology in healthcare will grow at an annual rate of 20.5% between 2012 and That same report states revenue in the cloud computing market will go from $1.8 billion in 2011 to $5.4 billion in 2017, with North America being the largest contributor to the market. 1 While the growing place of cloud technology in our modern world is certain, questions remain about the security of data in the cloud. This is particularly concerning for healthcare organizations, as they store incredible amounts of personal information ranging from social security numbers and payment methods to detailed health histories and home addresses. And any breach of this information can be expensive, timeconsuming and even legally damaging. 2 The good news is that cloud technology providers are well aware of the security challenges healthcare organizations face, and they are meeting these challenges head on. It is indeed possible to keep patient data safely stored in the cloud, while still offering the best and most efficient care possible. In this white paper, we will look at how laws both old and new have affected the way data in the cloud is protected. We will then examine best practices and steps to keep information in the cloud safe. Finally, we will explore the case studies of various healthcare organizations that have successfully implemented cloud systems and wrap up with a summary of key takeaways for healthcare organizations. Background of Security in the Healthcare Cloud Reputable healthcare organizations know that there is a great deal of responsibility involved in storing patient information. Data known as protected health information (PHI) or electronic protected health information (EPHI) stored in the cloud must be kept secure under current law. PHI and EPHI includes a patient s past, present or future physical or mental health conditions; the provision of healthcare to a patient; a patient s past, present or future payment for healthcare; and information that identifies an individual including names, addresses, birth dates, service dates, phone numbers, fax numbers, addresses, URLs, IP addresses, social security numbers, account numbers, license numbers, medical-records numbers, health-plan beneficiary numbers, vehicle identifiers, biometric identifiers and photos. 3 What are the most significant laws that dictate how all of this information should be protected? The Health Information Portability and Accountability Act (HIPAA) is a well-known law in regard to information security and is very important to cloud providers. In addition, the Health Information Technology for Economic and Clinical Health (HITECH) Act and the Omnibus Rules that modified HIPAA in 2013 are important, as they help older privacy laws work in the modern electronic world. Having a full understanding of these regulations is critical for successful cloud implementation. HIPAA: The Rules HIPAA was signed into law in 1996 and is generally recognized as the most important law regarding the protection of patient information. According to an article published by IBM on the security of patient data in the cloud, two rules put forth under HIPAA the Security Rule and the Privacy Rule are most relevant to the protection of patient data that is stored in the cloud. 4 Security Rule This rule addresses the administrative, physical and technical safeguards 3 4 2

3 organizations should use to keep patient information safe. In other words, it lays out what organizations need to do to ensure electronic information is protected. It applies only to information in electronic form. 5 Privacy Rule This rule applies to all information, be it in electronic or paper form. It lists the rights patients have regarding their private information, as well as who must adhere to HIPAA regulations, and groups known as covered entities. According to the United Stated Department of Health and Human Services, these covered entities include individual and group health plans, including health, dental, vision and prescription drug insurers; health maintenance organizations (HMOs); Medicare; Medicaid; Medicare+Choice and Medicare supplement insurers; long-term care insurers; health care providers; health care clearinghouses such as billing services, repricing companies, community health management information systems and valueadded networks and switches; and the business associates of these entities. HIPAA: THE RULES Security Rule This rule lays out what organizations need to do to ensure electronic information is protected. Privacy Rule This rule lists the rights patients have regarding their private information, as well as who must adhere to HIPAA regulations, groups known as covered entities. HITECH Act This act decided that a cloud provider is considered a business associate, and now must follow the same regulations that any hospital, clinic or insurer does to make sure patient data stays safe. Omnibus Rules These rules essentially state that any group who is involved in creating, receiving, maintaining, or transmitting protected or electronic protected health information must adhere to all HIPAA and HITECH rules and regulations. 5 HITECH Act More regulations continued to take shape, and in 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law. 6 HITECH moved regulations into the world of cloud services and strengthened the laws set forth in HIPAA, as it gave the Health and Human Services Office for Civil Rights (OCR) jurisdiction over not only those dealing directly with patients, but also their business associates defined as any group that works with patient information on behalf of an organization. Thus, a cloud provider is considered a business associate, and now must follow the same regulations that any hospital, clinic or insurer does to make sure patient data stays safe. Omnibus Rules To further solidify these rules, in January 2013 the OCR published further modifications to the HIPAA Privacy, Security, Enforcement and Breach Notification Rules under the Health Information Technology for Economics and Clinical Health Act. These modifications, also known as the Omnibus Rules, state that subcontractors who work on behalf of business associates are also under the jurisdiction of the OCR. Essentially, any group who is involved in creating, receiving, maintaining, or transmitting protected or electronic protected health information must adhere to all HIPAA and HITECH rules and regulations. These Omnibus Rules clarify the importance of security to any and all parties working on behalf of a cloud provider. How Is Patient Data Being Protected in the Cloud? Now that we have an understanding of how the laws governing patient data have come to affect the cloud, let s examine the specific steps that healthcare organizations and the cloud companies they work with are taking to keep patient data secure. Choose the Right Cloud Provider and Cloud Model for You It is imperative that healthcare organizations choose a trusted and reputable cloud provider. For most organizations, this is the first step toward successful cloud implementation. According to IBM, several items should appear on a Business Associate Agreement 6 hitechenforcementifr.html 3

4 (BAA) that a healthcare provider enters into with a cloud provider, including: Terms and conditions for access and use of services The period of service Conditions for termination Disposition of data upon termination Privacy policy that addresses information-handling practices and how information is collected, used and managed Who is responsible for the creation, implementation, management and modification of access privileges Who is responsible for incident response, encryptions, key management and data monitoring Cloud providers and healthcare organizations should be fully confident in what services are being provided, who is responsible for what tasks and what the risks will be. 7 Types of Cloud Models Once an acceptable cloud provider has been found, organizations should choose which cloud model works for them. There are four different types of cloud models: 1. Public 2. Private 3. Community 4. Hybrid In a public cloud model, the infrastructure is open to everyone, whereas a private model is only open to a single consumer. A community cloud is open to a specific community of people, and a hybrid uses both public and private models across different sets of data. Most healthcare organizations choose a private cloud model as it provides the most security. Some groups, like the Centers for Disease Control, have used public models for data related to disease surveillance, but most healthcare groups will find that anything other than a private model carries too much risk. Keep Data in the Right Hands When data is stored in the cloud, cloud providers and their customers must make sure that a system is in place to prevent anyone from accessing data who doesn t have the right to. HIPAA requires healthcare organizations to store patient data in such a way that anyone trying to gain access to that data must prove they are indeed who they say they are and have permission to access patient information. Generally this is done via a login system where a user must provide a unique username, password or other information that verifies their identity. 8 Beyond a basic login system, there are other technologies cloud providers can offer to keep data safe. Single sign-on (SSO) options like Lightweight Directory Access Protocol can be put in place so users are identified more easily each time they wish to access information, without having to enter a login and password each time. Security Assertion Markup Language (SAML) can also be used. According to the National Institute of Standards and Technology (NIST), SAML: Can convey assertions that a user has been authenticated by an identity provider and also includes information about the user s privileges. Upon receipt of the transaction, the service provider then uses the information to grant the user an appropriate level of access, once the identity and credentials supplied for the user are successfully verified

5 SAML is often complemented with extensible Access Control Markup Language (XACML), which gives organizations the ability to more easily adapt and change who has access to patient information. 9 Encrypting data is also a very important step for organizations to take. When data is encrypted, it means that it is unusable, unreadable or indecipherable to unauthorized individuals. 10 Data is only made understandable by the use of a key that authorized individuals have access to. That key must be kept protected, away from encrypted data, so anyone attempting to illegally access data cannot get the key. The NIST has encryption standards to follow for data that is both at rest and in motion (or being transmitted), and by following these standards, organizations can be in compliance with HIPAA. Have a Plan It doesn t matter if data is being stored in a hightech or low-tech manner, there will always be risks involved. Disasters, theft, hacking, employee error and many other incidents can occur, but they can also be planned for and hopefully prevented. Both HIPAA and HITECH recognize that risks are involved and thus put a focus on the importance of incident response and mitigation of damages, limiting interruptions in critical business operations, and maintaining security and privacy of EPHI. 11 An important part of being prepared is monitoring data. Because of requirements under HIPAA and HITECH, organizations with information stored in the cloud are required to have hardware, software and/or procedural mechanisms in place to record the activity that occurs in the cloud. As far as what activities need to be recorded, there is an extensive list. One item that needs to be continuously monitored and kept up to date is the list of personnel with access rights. As employees come and go, the list of people with rights to view patient data needs to change as well. By conducting frequent audits of this information, organizations can ensure that no one still has access who shouldn t. It is also very important to keep thorough records of activity within the cloud. Reports detailing what information has been accessed and when, what information has been changed and when, and who has been accessing and editing data should all be taken. Cloud systems also need to be continuously tested for security vulnerabilities, and risk assessments need to be conducted regularly. If a vulnerability is discovered, it must be recorded, and organizations and cloud providers should decide if action needs to be taken or changes need to be made. Finally, all data in the cloud must be backed up. Cloud services can provide offsite data backup, but organizations need to determine where this information is stored, how long it should be retained, how it should be accessed and how often the back-ups should occur. Having a back-up allows organizations to keep functioning after any event, from a fire to a natural disaster to a computer failure. After all of this information has been gathered (and continues to be gathered on a regular basis), cloud providers and consumers need to agree on a process to report all of this information. According to HIPAA, it is required that organizations create these reports not only for their own use, but also to prove to regulators that their systems are safe. Audit logs, access reports and incident tracking reports all must be created and produced to the appropriate regulation organizations when needed. In the event that a security threat is discovered, cloud providers and their consumers should have a response plan in place. As stated by IBM: Consumers should outline what they expect from cloud providers in the event of an incident in particular, how the incident will be verified and how the information to analyze the incident will be gathered. Additionally, consumers and cloud providers should discuss recoverytime objectives and recovery-point objectives, as well as ensure that both can respond in a coordinated fashion. 12 Having this response plan in place, as well as all of the gathered data, allows cloud providers and health care organizations to carry out the goals of HIPAA #resources #resources 5

6 Who Is Doing It Right? To further examine the ways cloud implementation in healthcare organizations can be done, let s look at a general report and case studies of various groups who have had success in the cloud. General Findings In a 2013 report titled Targeted Attacks and Opportunistic Hacks: State of Cloud Security Report, Alert Logic looked at the security of cloud operations versus enterprise data centers (where data is stored on physical hard drives). The study found that across various industries, including healthcare, storing data in the cloud was no less secure than using a different system, and security fears should not keep any business from moving information into the cloud. In fact, the study found that cloud providers can often offer much more efficient solutions, along with sophisticated levels of protection, so moving data to the cloud usually impacts businesses in a positive way. 13 Specific Healthcare Case Studies Moving from that general report to more specific cases, it s easy to see how cloud services can have a positive impact on healthcare organizations. According to a case study by Microsoft, CareGroup Healthcare System the corporate parent of Beth Israel Deaconess Medical Center and other hospitals needed a solution to store the electronic medical records of more than 3.5 million patients. As necessitated by HIPAA and HITECH, CareGroup needed to not only protect patient information, but run frequent audits to see who was accessing information, what information employees were looking at, what information was being modified, who was modifying information, and how many (if any) unauthorized attempts to access information were happening. After moving to a cloud provider, CareGroup was able to run these audits quickly, within 5-15 minutes, when they were requested. In addition to providing CareGroup with easy and fast access to all the data needed, CareGroup s cloud provider was able to offer data encryption with intensive levels of security that was still workable for 13 Logic_Cloud_Security_Report_Spring2013.pdf?mkt_tok=3RkMMJWWf F9wsRonuaXMZKXonjHpfsX56%2BsrWKawlMI%2F0ER3fOvrPUfGjI4AT sjgi%2bsldweygjlv6sgft7fmmbrw1lgpwbg%3d the organization. CareGroup can encrypt data without having to occupy extensive amounts of their own IT department s time and without having to get help from an outside source, freeing up time to focus on other areas of business. 14 Two other examples from Microsoft include Tampa General Hospital in Tampa, Florida and Excel Anesthesia, a network of anesthesiologists who work across various locations. In both cases, a system was needed that would allow employees to access data in a secure environment, regardless of where they were. Tampa General Hospital chose to use a cloud system that offered a single sign-on system to employees, who could then access information with ease (and without compromising security) without having to use the IT department s resources for retrieving passwords or usernames. The system was able to give appropriate employees ease of access, while still keeping information secure and meeting or surpassing all HIPAA requirements. 15 Excel Anesthesia also needed to follow HIPAA regulations and was in the unique position of having employees who required access to data from several different hospitals that they were continuously traveling between. By utilizing a cloud provider, the company way able to count on a partner to keep data secure according to HIPAA regulations, making the flexible nature of their business easier to handle. Employees of Excel Anesthesia were still able to access the data they needed, but many stresses were taken off the company, as they could trust that their data was secure and no on-premise servers could now fail or be stolen or lost at any point. 16 Salesforce, a CRM and cloud computing company, also offers various case studies in the healthcare field. Two case studies that deal specifically with HIPAA compliance in the cloud include The Schumacher Group, a healthcare staffing and outsourcing firm, and Visiting Nurse Service of New York. Both organizations were able to increase the productivity and communication 14 Server-2008-Enterprise/CareGroup-Healthcare-System/ Healthcare-Group-Improves-Availability-and-Security-of-Mission-Critical-Databases/ Productivity-Online-Standard-Suite/Tampa-General-Hospital/ Hospital-Moves-Communication-to-the-Cloud-Frees-IT-to-Focus-on- Healthcare/ Excel-Anesthesia/Healthcare-Provider-Gains-Robust-Compliant- - Avoids-83-Percent-of-On-Premises-Cost/

7 between employees, offer better and more efficient care, give employees smoother access to necessary information while minimizing paperwork, and increase satisfaction among customers and employees while still keeping information secure. This was a direct result of the efficiency, safety and reliability that the cloud service was able to offer them. A case study provided by OffsiteDataSync profiles Rochester Gynecologic & Obstetric Associate, P.C. The clinic needed a cloud solution to manage the data of 40,000 patients visiting multiple offices across the Rochester area. The clinic was concerned about having access to data even in emergencies or outages of any kind, and having a back-up of all data should any of it be lost. Utilizing a cloud provider gave them not only peace of mind that information would always be available, but also provided the clinic with a way to control who accessed patient data and the ability to encrypt data so it stayed secure, even when it was being wirelessly transmitted between locations. 19 A final case study by Becker s Hospital Review discusses Yuma District Hospital, a critical access hospital in Yuma, Colorado. Before moving to a cloud-based system, the hospital was using paper records that were stored everywhere, took up a great deal of space, and didn t allow for efficient patient care. Security was a concern when switching to a cloud-based service, but the hospital was able to implement several of the measures discussed in this white paper to ensure HIPAA compliance and keep records secure. These measures included specialized controls over who can access, print and edit files. All information was also made password protected, and encryption was used to keep data secure while being transmitted. These efforts have resulted in better service and happier patients, all while keeping data safe. 20 Successful cloud implementation secures patient data making it easy to access by those who need it and protecting it from those who d abuse it. 1. Organizations should first understand HIPAA and HITECH regulations, and use those regulations to guide the security measures they put in place. Each step in the cloud process must be made with safety and security in mind. 2. The right cloud provider should first be selected, and from there a secure cloud model can be chosen. 3. As data is put into the cloud, it should be protected behind secure login systems and encrypted, so it is made unusable to anyone attempting to illegally access it. 4. Organizations must constantly monitor information in the cloud, creating reports detailing who has access to information, how information in the cloud is being used, and what security threats occur along the way. 5. Finally, data must be backed up, so healthcare organizations can rest assured that their operations can continue as quickly as possible, no matter the disaster they may face. As evidenced by the regulations in place, the number of businesses using cloud services, and the security and efficiency cloud providers can provide, this technology is no longer the future of healthcare data storage. It is the now. Conclusion & Key Takeaways Moving patient information to the cloud is an intimidating process for many healthcare organizations, but one that can be very beneficial to both patients and employees case_study.pdf