Cloud computing manages data, secures it and makes it available when and wherever needed. No wonder the cloud is attractive to organizations burdened with time and budget constraints.
But the cloud is not without its risks. The Cloud Security Alliance (CSA) recently released its “Notorious nine,” a list of the top threats associated with cloud computing. At the top of the charts for 2013: data breaches. With this threat at the forefront, healthcare organizations should determine when, if ever, is an optimal time for placing protected health information (PHI) and personally identifiable information (PII) in the cloud.
Caught in the crosshairs
The cloud offers a “target-rich environment” for those looking to mount cyber attacks, with the intent of either disrupting commerce or more typically monetizing the data through criminal means. It’s logical to assume that cloud providers are better qualified to secure data, given that their job is to provide computing services in a safe and secure manner.
Unfortunately, the more data that cloud providers are entrusted with, the bigger the target they are for cyber criminals. A recent report from ENISA, The European Network and Information Security Agency, titled “Critical cloud computing,” discusses the importance of preventing large cyber-attacks and cyber disruptions.
It notes that while offering significant benefits, the concentration of IT resources in cloud services represents a “double-edged sword…If an outage or a security breach occurs, then the consequences could be big, affecting many citizens, many organizations, at once.”
Such is the risk inherent to cloud computing. Cloud providers who are hosting applications or data with mandated privacy protections, such as PII and PHI, are more likely targets for cyber criminals. Consequently, they are more likely to have the “mother of all data breaches,” if they are penetrated and criminals are able to acquire data without detection, at least for a while.
The other problem is cyber disruption, or cloud outages. The loss of service also puts data at risk. According to Gartner, 47 percent of all documented large outages were caused by cloud services going down. In fact, Jay Heiser at Gartner notes that while data breaches are a concern, cloud outages that lead to data loss are even more likely a risk, a perspective that appears in contrast to that of the CSA.
The cloud in healthcare
The cloud has become — and will continue to be — a favored computing model for healthcare organizations. The Third Annual Benchmark Study on Patient Privacy & Data Security by Ponemon Institute found that 91 percent of hospitals surveyed are using cloud-based services; many use cloud services to store patient records, patient billing information and financial information. However, 47 percent of organizations lack confidence in the data security of the cloud.
A recent article in Government Health IT highlighted an appeal by Deborah Peel, MD, founder and chair of Patient Privacy Rights, to the Department of Health and Human Services Office for Civil Rights “to create cloud-computing guidelines around the issues of secure infrastructure, security standards and business associate agreements.” Peel explained, “Issuing guidance to strengthen and clarify cloud-based protections for data security and privacy will help assure patients [that] sensitive health data they share with their physicians and other health care professionals will be protected.”
5 steps to take before going to the cloud
So what should an organization do before implementing systems that migrate PHI/PII into the cloud?
- Do a risk assessment. Determine your privacy and security vulnerabilities in relation to state and federal regulations, and determine how to best meet those statutory obligations.
- Classify your data. Understand which data are protected by HIPAA Privacy and Security Rules. “If [a] buyer doesn’t know what the security requirements are for a specific piece of data compared to other data, it’s difficult to assess whether the provider can provide adequate security,” Heiser said in a recent article.
- Choose carefully. Healthcare organizations should be "surgical" in making choices for what applications and data they host in the cloud. Given the evolving landscape of cloud risks, a prudent choice would be to not host applications with PHI storage in the cloud at all. Or, if you decide to do so, at least use a private vs. public cloud solution to reduce your risk profile.
- Review the jurisdictional issues. Cloud providers are subject to multiple legal jurisdictions, based on their location and where the data reside. As one expert put it: “Regulations such as HIPAA, national and regional data privacy laws, and the jurisdiction of law enforcement further complicates the use of commercial public and hybrid cloud solutions.”
- Have a plan for breach notification. This should be part of an organization’s incident response planning, and covers notification to affected individuals, appropriate regulatory authorities and the media. The HIPAA Final Omnibus Rule redefined the definition of a notifiable breach, and the plan should be adapted to fit the new meaning.
Should you even go to the cloud? Bryan Ford from Yale University in his paper “Icebergs in the cloud: the other risks of cloud computing” illuminates the fact that privacy risks associated with data hosted in the cloud are likely to evolve over time, but unlikely to be eliminated any time soon. In addition, he notes that there will be many new, unexplored risks to cloud computing in the future.
With this in mind, healthcare organizations must be deliberate in their choice of data to host in the cloud, be aware of the risks and be prepared to assume the liabilities associated with such risks.
Rick Kam, CIPP/US, is president and co-founder of ID Experts. He chairs the “PHI Project,” a research effort to measure financial risk and implications of data breach in healthcare.
Doug Pollack, CIPP/US, is chief strategy officer at ID Experts, responsible for strategy and innovation, including prevention analysis and response services.