By W. Hord Tipton, CISSP-ISSEP, CAP, CISA, Executive Director, (ISC)²
A few weeks ago, I was at my doctor’s office, and the topic of the cloud came up. You may think this is a strange topic of conversation between a man and his doctor, but given my background in security and recent pressures from the Federal Government for doctors to switch from paper to electronic records (a requirement he and his colleagues are less than thrilled about), it turned out to be a very timely and interesting discussion.
The reason I found it timely is that last month, I had several in-depth conversations with people about information security trends for 2011, and I kept finding myself coming back to the topic of cloud computing. Almost every industry is upgrading to the cloud for its data management needs, with one exception: healthcare, which is deliberately lagging behind because of its many uncertainties about the security and privacy of the cloud. Healthcare providers have control over massive amounts of data in patient records, which some may say is the most sensitive data of any industry. Hospitals and medical offices need to feel assured that there is adequate security coverage for their records. Currently, they are skeptical, hence both their reluctance and their displeasure in complying with digital-records regulations. Fortunately, cyber security education can help.
To begin, I’ll elaborate on the main concern healthcare providers have about upgrading to the cloud. Not surprisingly, their main hesitation stems from the age-old debate between electronic and paper records. Most think that with all the recent security breaches, paper records are the safer alternative to electronic records. This is not the case. In fact, patient records are far safer in a secure cloud than lying around in paper format. But again, understanding this relies on having adequate cyber security education.
Let’s look at this controversy from a patient’s point of view. Patients see news stories about massive security breaches in Fortune 500 networks every day. But how often do we hear that a patient’s records were left out on a table, printer or fax machine in a doctor’s office and stolen or copied? The fact is that we don’t hear those stories nearly as often. This phenomenon demonstrates how public opinion is formed. Numerous patients are against the transformation to electronic records because the risks of paper records are not as apparent. The risk is equally high, but patients just don’t hear about it. However, we must acknowledge that it is much easier to steal 100,000 digital records on a flash drive than to steal the same 100,000 paper records from 1,000 different locations and haul them off in a semi-tractor trailer.
There are some valid concerns surrounding medical devices, however, and healthcare providers should be educated about them. Small devices, such as insulin pumps, are miniaturized and do not have room for robust security measures like encryption. The security risk, however, is far outweighed by the benefits, and as an industry, we’re already getting better at developing technologies that can better handle these limitations.
Over the next few years, between incentives for Electronic Health Record (EHR) implementations, HIPAA security and privacy guidelines and the computerization of most medical devices, healthcare providers will have to find a way to digitize their information and ensure the security of their patients’ records, many of them through the cloud. Making the transition as smooth as possible by pushing cyber education is the job of security professionals around the country, and it is the responsibility of healthcare providers, be they doctors or staff, to understand it.
Here are a few tips on what every healthcare provider should know and do before moving to the cloud:
- Educate yourself on your cloud provider and its security measures.
- Ensure that all members of the healthcare team, from doctors to nurses to office managers and receptionists, are educated on security measures surrounding patient data in the cloud.
- When engaging a cloud provider, involve the appropriate legal, procurement, and contracts teams within your organization. The standard terms of service may not address compliance needs, and would need to be negotiated. [1]
- Obtain professional assistance to help select the appropriate provider. It is too much to expect doctors and healthcare workers to understand the complexity and danger of cyberspace.
- Make sure you have adequate and complete provisions in the contract(s). This will be a very comprehensive document.
- Be careful in your hiring practices. In the rush to fill positions in your office, still perform adequate background checks and check references to try to prevent hiring a malicious insider.
- New security controls are needed in your new “digitized” office as well as at your cloud provider. Do you have an IT security plan and policies to govern and monitor your digital environment?
- When using electronic devices, ensure they are running the most up-to-date software and have the latest security updates applied.
The fact of the matter is that some healthcare providers are simply not looking forward to scanning their paper documents into the cloud, and that is understandable. But with an initial time investment, healthcare providers can soon learn that secure electronic records via the cloud can in fact improve their businesses and allow them to help more patients in a single day. Believe it or not, healthcare and the cloud are beginning to form a great partnership. But you have to “get it right”.
[1] ©2011 Cloud Security Alliance. Security Guidance for Critical Areas of Focus in Cloud Computing V3.0. https://cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf