Cloud computing - Should radiology trust the public cloud?
November 16, 2016
By Chris Bowen
While state-sponsored cyberattacks have grabbed headlines, a majority of health data breaches actually result from something closer to home: human error. No more than half of all data breaches in 2016 (so far) have been attributed to hacking, while the vast majority are the result of unauthorized access, theft of devices used to store electronic protected health information (e-PHI) or improper disposal of physical records.
The radiology ecosystem is hardly immune to these human-inflicted breaches. Consider just some of the most recent examples, such as the radiologist who hacked into his ex-employer’s patient database to steal patient files. Or the radiology practice that sent stacks of unshredded patient files to a recycling company. Then there was the widely reported instance of the vehicle that was transporting patient radiology files for incineration, with the driver completely unaware that the files were blowing out of the vehicle and onto the road. You just can’t make this stuff up.
Of course, as the rise of ransomware ominously portends, external cyberattacks remain a very real threat. Many radiology providers are discovering that the effort and expense required to maintain an impenetrable IT environment come at the cost of caring for patients. Yet applying only minimum protections to patient data is ultimately harmful to patients, too. In a move to head off both internal and external cyber risk, many radiology providers and their business associates are deciding to offload hosting and security of valuable patient data to the cloud. But is the cloud environment really secure enough to keep patient records safe and private?
Securing PHI in the cloud
Under the Health Insurance Portability and Accountability Act (HIPAA), health care organizations are tasked with utilizing a broad set of administrative, technical and physical controls to keep patient data private and secure. Contrary to some persistent misconceptions, this can be achieved in a cloud environment. To satisfy HIPAA’s administrative controls, for example, a virtual private cloud configured on a public cloud can be architected so that all activity in the environment is monitored and logged, and any unusual activity is flagged and reported. Data can be encrypted and additionally secured at the application, virtual machine and network levels, addressing some of HIPAA’s mandatory technical safeguards. Finally, a public cloud partner can provide assurances regarding physical access to the data centers that host their clouds.
There are other safeguards that must be architected in a public cloud solution. The good news is that the major public cloud providers have myriad tools that can be brought to bear in an environment to allow customers to comply with each requirement. These tools are necessary to protect health data that, if breached, can be devastating to patients and the providers they entrusted with their private medical information.
Not all clouds are equal
Working with PHI in a public cloud requires a very specific, ever-evolving knowledge set. It’s not something you can pick up from a webinar during the lunch hour. AWS, for example, offers DIY tools like CloudTrail for log monitoring — just one of the security tasks mandated by HIPAA. Obviously, these tools take time to learn, use and automate, and then HIPAA compliance itself is a constant endeavor. Only a health care-exclusive cloud partner possesses deep experience in complying with HIPAA’s privacy and security standards. And given the high stakes if patient data is breached, ensure your partners focus on exceeding, not just meeting, HIPAA Security Rule standards.
To that end, look for a cloud partner who is also HITRUST-certified on the Common Security Framework by the Health Information Trust Alliance, the gold standard for PHI security. As for specific security methodologies, seek a partner that practices “defense in depth” security, which safeguards data at multiple levels. Ask about their cloud and general security expertise in such areas as identity and access management; configuration management for operating systems, networks and firewalls; client-side and server-side data encryption; network traffic protection; log management; and monitoring and alerting.
A good starting point for moving to a public cloud is in the area of backup, disaster recovery and long-term archiving. HIPAA requires providers to retain patient records (LIS, PACS, EHR, etc.) for years to meet regulatory requirements. This can result in petabytes of data. The public cloud can reliably archive patient record data securely at a very low cost. Radiology providers and their business associates can securely store large or small amounts of data, and pay, based on usage, as little as $0.007 per gigabyte per month, a significant savings compared to on-premises solutions.
Public clouds are ideal for infrequently accessed data where a retrieval time of several hours is suitable. And because the cost is low and usage-based, providers need not worry about expiration dates, and can keep images stored indefinitely. The public cloud, used in tandem with information security and health care managed services, is the ideal combination to ensure privacy, security and HIPAA compliance.
By now it is clear that threats to patient data will never fully go away. Radiology providers need to be proactive in protecting this data from breaches that are tremendously stressful to patients, many in the midst of a serious illness. A health care-fortified public cloud could be the remedy.
About the author: Chris Bowen is chief privacy and security officer and founder of ClearDATA. He is a Certified Information Privacy Professional (CIPP/US) and Certified Information Privacy Technologist (CIPT) from the International Association of Privacy Professionals, and Certified Information Systems Security Professional (CISSP) and Certified Cloud Security Professional (CCSP) from (ISC)².