At a time of highly publicized security breaches, it’s fair to ask how well prepared the healthcare provider organizations that store vast amounts of personal health information really are. If the answer is that there is room for improvement, how can cloud service providers improve the picture?
According to “Security Trends in Healthcare,” a survey released by Microsoft on May 1, 50 percent of hospitals and 40 percent of ambulatory practices reportedly are implementing self-service portals, and the survey reports a 75-percent increase in cybercrime over a two-year period. The spread of “self-service” portals may offer criminals an opportunity to steal sensitive private medical information, it suggests.
Among the findings:
- 23 percent of surveyed healthcare organizations have immature security policies;
- 26 percent of organizations have ineffective controls for removing or changing access when employees leave or are reassigned;
- 39 percent of organizations do not use standardized data classification;
- 52 percent conduct system-wide data back-ups that are tested regularly;
- 28 percent do not have asset management policies and conduct asset discovery manually;
- 31 percent have a disaster recovery program; and
- 23 percent cannot prevent a power outage from affecting their organization.
The findings were based on data collected from 12,000 respondents to a survey conducted between November 2012 and February 2014. One of the conclusions of the report is that healthcare organizations can improve their security profiles by shifting to cloud service providers the responsibility for assuring safe, secure computing practices.
More healthcare organizations are migrating to the cloud. According to a story by Healthcare Informatics Associate Editor Rajiv Leventhal, healthcare organizations globally are projected to spend $5.4 billion on cloud computing by 2017. Security and privacy concerns are responsible for the relatively slow uptake of the cloud in healthcare so far, but a large number of organizations are planning to allocate funds for migrating to cloud computing in the next five years.
Yet provider organizations need to be careful when choosing a cloud vendor. During a presentation at the HIMSS conference in Orlando in February, Steven J. Fox, an attorney with Post & Schell, P.C., advised provider organizations to take a hard-nosed approach when choosing a cloud vendor to work with, and to make sure that the contract is ironclad. “Vendors are not your friends, they are your business partners,” he told the well-attended session.
Fox offered specific advice to healthcare organizations considering a move to the cloud:
- Outsourcing data does not mean hands off for the organization that owns the data.
- Understand what the deal is about, and make sure it is reflected in the contract. Beware of generic contracts.
- Do a background check of the vendor.
- Know where your data will be stored, and if it will remain within U.S. borders.
- Know how easily your data can be accessed or moved if the vendor goes bankrupt or you want to move the data to a different vendor.
- Check if the vendor has third-party certification.
As reported by Editor-in-Chief Mark Hagland at the HCI Executive Summit in San Francisco on May 2, Mac McMillan, national chair of the HIMSS Privacy and Security Task Force and CEO of Cynergis Tek, cited a growing wave of medical identity theft, noting that more than 70 percent of identity theft and fraud in healthcare comes from insiders. He said the industry needs sophisticated responses—behavior modeling, pattern analysis, anomaly detection—to the surge of medical fraud. “Traditional audit methods and manual auditing are totally inadequate,” he said.
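To make McMillan’s point concrete, here is an added example (not code from the article, from HIMSS or from Cynergis Tek) of the kind of behavior modeling that replaces manual chart-access auditing: it profiles each user’s access to patient records and flags users whose volume of distinct patients is far outside the population norm, or who mostly touch charts outside their own department. The log format, field names, department codes and all sample lines are constructed for illustration; a real EHR audit trail will look different.

```python
"""Added example: simple anomaly detection over constructed EHR access-audit
log lines. Two signals are modeled per user: the number of distinct patient
records touched (robust z-score against all users) and the share of accesses
to patients outside the user's own department."""
from collections import defaultdict
from statistics import median


def build_sample_log():
    """Constructed audit log for the demo (not real data). One line per event:
    <timestamp> <user> <user_dept> <patient_mrn> <patient_dept> <action>"""
    lines = []

    def add(user, udept, mrns, pdept, hour):
        for i, mrn in enumerate(mrns):
            lines.append(f"2014-05-01T{hour:02d}:{i:02d}:00 {user} {udept} {mrn} {pdept} view")

    # Four clinicians with ordinary, in-department workloads
    add("jdoe", "CARDIO", ["MRN1001", "MRN1002", "MRN1003"], "CARDIO", 8)
    add("asmith", "ONCOL", ["MRN2001", "MRN2002", "MRN2003", "MRN2004"], "ONCOL", 9)
    add("bkhan", "ORTHO", ["MRN3001", "MRN3002", "MRN3003"], "ORTHO", 9)
    add("cwong", "CARDIO", ["MRN1004", "MRN1005", "MRN1001", "MRN1006"], "CARDIO", 10)
    # One cardiology user sweeping through oncology and orthopedic charts:
    # the insider pattern (many distinct patients, almost all outside own unit)
    add("rlee", "CARDIO", [f"MRN2{n:03d}" for n in range(10, 40)], "ONCOL", 11)
    add("rlee", "CARDIO", [f"MRN3{n:03d}" for n in range(10, 20)], "ORTHO", 12)
    return lines


def parse(lines):
    """Split whitespace-delimited audit lines into event dicts."""
    events = []
    for line in lines:
        ts, user, udept, mrn, pdept, action = line.split()
        events.append({"ts": ts, "user": user, "udept": udept,
                       "mrn": mrn, "pdept": pdept, "action": action})
    return events


def profile_users(events):
    """Per-user behavior profile: department, distinct patients, totals."""
    prof = defaultdict(lambda: {"dept": None, "patients": set(), "total": 0, "outside": 0})
    for e in events:
        p = prof[e["user"]]
        p["dept"] = e["udept"]
        p["patients"].add(e["mrn"])
        p["total"] += 1
        if e["pdept"] != e["udept"]:
            p["outside"] += 1
    return prof


def detect_anomalies(events, z_threshold=3.5, outside_ratio=0.5, min_events=5):
    """Return {user: [reasons]} for users whose behavior stands out.

    Volume uses the modified z-score (median / MAD based), which is not
    dragged around by the outlier itself the way mean/stdev would be.
    """
    prof = profile_users(events)
    counts = [len(p["patients"]) for p in prof.values()]
    med = median(counts)
    mad = median([abs(c - med) for c in counts]) or 1.0  # guard against zero spread
    findings = {}
    for user, p in prof.items():
        reasons = []
        n = len(p["patients"])
        score = 0.6745 * (n - med) / mad  # modified z-score
        if score > z_threshold:
            reasons.append(f"volume: {n} distinct patients (population median {med:g})")
        if p["total"] >= min_events and p["outside"] / p["total"] > outside_ratio:
            reasons.append(f"scope: {p['outside']}/{p['total']} accesses outside {p['dept']}")
        if reasons:
            findings[user] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in detect_anomalies(parse(build_sample_log())).items():
        print(user)
        for r in reasons:
            print("  -", r)
```

Run stand-alone, the script flags only `rlee`, on both signals. The thresholds and the one-day window are assumptions chosen for the constructed data; in production the baseline would be built per role over weeks of history, and accesses to a user’s own or a VIP’s record would be separate rules.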
Can cloud service providers be a partner in helping protect data? I would say yes, but it really all depends on choosing the right cloud vendor and maintaining complete access to data no longer under direct control of the healthcare provider organization.
I think healthcare providers have a lot at stake when it comes to protecting data at a time of rising incidents. One can take a page from the retail industry: on May 5, Greg Steinhafel stepped down as CEO of Target, the nation’s third largest retailer, five months after a breach involving stolen credit card and debit information from millions of customers was announced. Stocks plunged and its reputation suffered. If it happened in retail, it can certainly happen in healthcare as well.