Horror stories such as the 2015 breach of millions of member records associated with the healthcare company Anthem bring to the forefront how important security is when healthcare records are involved. Fortunately, no medical information was stolen, and thus the breach did not result in a Health Insurance Portability and Accountability Act (HIPAA) violation. However, the next successful cyberattack involving the healthcare industry might. For these reasons, it is important to understand what “secure cloud services” entails for the healthcare industry and how it affects personal health information (PHI).
A username and a static password alone are simply not strong enough to secure PHI and other sensitive healthcare data in today’s digital landscape. Multi-factor authentication is stronger, requiring at least two different means of authentication (also called two-factor authentication) before a user is granted access to the system. Two-factor authentication has been mandated by HIPAA for the protection of PHI, and must be implemented in any secure cloud service targeted to the healthcare industry. There are a variety of approaches to two-factor authentication, but they all boil down to combining something the user knows (login and password) with something they have (such as a passcode delivered to their device). Because healthcare workers may use a variety of devices to access PHI, one particularly useful approach authenticates the device being used as well as the user. That means that even if a hacker has the login and password, they will have a very difficult time accessing the system without the user’s personal device.
Endpoint Device Validation
When it comes to modern secure cloud services for healthcare, the security of endpoint devices is extremely important. The term “endpoint devices” refers to the devices being used to access the secure system. Such devices can include laptops, desktop computers, tablets (including iPads), smartphones, and even bar code readers. It is crucial that all endpoint devices comply with security policy before they can access the system. If a device fails to meet the established security requirements (which might involve the installation of antivirus software or the use of certain operating systems), its access could be severely limited or denied. An otherwise secure system can be compromised by an insecure device accessing it. No healthcare-related secure cloud service would be complete without some type of endpoint device validation in place.
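The combination described in the two sections above, a knowledge factor plus a possession factor plus validation of the device itself, as an added example (not code from the original post or from IT Services Group). It assumes a constructed endpoint policy (`ALLOWED_OS`, antivirus required), an RFC 4226/6238 one-time code as the “something you have”, and a plain SHA-256 stand-in for password hashing; every attempt is written to an in-memory audit list so the decision and its reasons are recorded.

```python
import hashlib, hmac, struct
from dataclasses import dataclass, field
ALLOWED_OS = {"Windows 11", "iOS 17"}   # constructed endpoint policy for the demo
AUDIT_LOG: list = []                    # in-memory stand-in for the PHI access audit trail

@dataclass
class Device:
    device_id: str
    os_name: str
    antivirus_installed: bool
@dataclass
class User:
    username: str
    password_hash: str        # "something you know"; see hash_password() below
    totp_secret: bytes        # "something you have": seed of the user's authenticator
    devices: dict = field(default_factory=dict)   # device_id -> registered Device

def hash_password(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()   # demo only; use a salted KDF in production

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: int, step: int = 30) -> str:
    return hotp(secret, now // step)    # RFC 6238: counter = number of 30-second steps

def device_compliant(dev: Device) -> bool:
    return dev.antivirus_installed and dev.os_name in ALLOWED_OS   # endpoint validation

def authorize(user: User, password: str, code: str, device_id: str, now: int) -> bool:
    """Grant access only when password, one-time code and device all pass; log every attempt."""
    reasons = []
    if not hmac.compare_digest(hash_password(password), user.password_hash):
        reasons.append("bad password")
    dev = user.devices.get(device_id)
    if dev is None:
        reasons.append("unregistered device")
    elif not device_compliant(dev):
        reasons.append("non-compliant device")
    # Accept the current and the previous time step to tolerate small clock skew.
    if not any(hmac.compare_digest(code, totp(user.totp_secret, now - d)) for d in (0, 30)):
        reasons.append("bad one-time code")
    granted = not reasons
    AUDIT_LOG.append({"ts": now, "user": user.username, "device": device_id, "granted": granted, "reasons": reasons})
    return granted
```

The secret `b"12345678901234567890"` is the RFC 4226 test vector, so the code at time 59 is `287082`; a correct password and code presented from an unregistered or non-compliant device are still refused, and the audit entry says why.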
When it comes to healthcare systems, another key characteristic of a secure cloud service is web filtering. Web filtering prevents access to blacklisted sites based on known malware, keywords, and categories. Sites known to harbor viruses and malware, as well as sites with security vulnerabilities that make such attacks possible, would be blocked. This is an extremely important measure for a secure system. Again, as with endpoint device validation, an otherwise secure system could be compromised by a user accidentally visiting an insecure site, putting private and sensitive PHI at risk. While web filtering might seem extreme, it is a necessary part of a truly secure system. Keyword blocking allows the company’s acceptable use policy to be enforced in a more customized and stricter way. Categorical blocking, on the other hand, can prevent access to social media, pornography, online shopping, and other sites that would adversely affect productivity or inadvertently expose patients to offensive online content.
One of the features that HIPAA regulations require is an audit trail of who is accessing data related to PHI and what they are doing with that data. To a certain degree, it is up to the organization itself to determine how detailed a log needs to be kept, and thus audit tracking can vary in granularity. Because patients can ask that their records be subject to additional protections, the audit tracking process needs to be somewhat flexible. In addition, because of the plethora of devices in use, a rigorously secure system will also keep track of the devices being used to access the information.
Facilitation of User Access
The inability to access a patient’s critical medical information could put that person’s life at risk. That’s why one important aspect of security involves not just keeping the wrong people out but making sure the right people have reasonable access to the information. Such access includes integration with commonly used applications and continued compatibility with user devices. Another recommended characteristic of user access is a single secure digital hub that provides the user with everything they need, including data, applications, and documents.
Backups and Disaster Recovery
The loss of PHI and similar medical information can be extremely dangerous (maybe even fatal) for the patients involved. Having data properly encrypted, backed up, and redundantly stored is an important first step. Seven-year file retention is another important aspect, especially from a compliance standpoint. However, having the data backed up does not address the critical needs of patients if healthcare professionals cannot access that data after a disaster. A strong, secure cloud service will include a disaster recovery system that puts the data back into the hands of those who need it as quickly and seamlessly as possible. “Hot disaster recovery” is the preferred option in such cases and involves minimal downtime when moving to the backup site and system. It typically includes a complete (and almost instantaneous) copy of the data as well as the operating system, network, and anything else key to system functionality. No secure cloud system involving information as important as one’s healthcare records can afford to have less than hot disaster recovery in place.
Contact IT Services Group
At IT Services Group, we understand the needs of the healthcare industry when it comes to a truly secure cloud system, including characteristics such as multi-factor authentication, endpoint device validation, web filtering, audit tracking, facilitation of user access, and backup and disaster recovery. Contact us today to find out about the options we offer that provide the rigorous, secure, compliant solutions that meet your needs, and those of the people whose healthcare you are responsible for.