In the first half of 2015, the health care sector suffered from more data breaches than any other industry, according to data compiled by the Breach Level Index.
The leading cause of health care data breaches is people doing something that they shouldn’t. This may include employees losing or misplacing devices, sharing their password or access token with unauthorized parties or sending patient data to the wrong recipient. The number of leaks is only expected to rise in the near future since health data is estimated to be worth 10 times more than credit card data on the black market.
Cloud Services’ Treats for Health Care
Cloud solutions have the potential to reduce the negative effects of human error. By storing data in the cloud, there is no need to carry patient data on mobile devices or to send records by fax, post or email. Furthermore, advanced solutions for identity governance prevent unauthorized access to patient data.
Another advantage is that patient data is still accessible when devices are lost or stolen. With cloud solutions, the backup and recovery of data is easier, even if individuals have accidentally deleted emails or altered patient records.
No security technology is perfectly secure. The short life cycle of proposed encryption and authentication techniques, as well as the plethora of research frequently making headlines, could make it difficult to select a solution that is right for a specific health care service. Partnering with a security services vendor relieves health care managers of these highly specialized IT decisions.
Finally, cloud service providers are likely to maintain a state-of-the-art secure environment because that is what gives them a competitive advantage. Selling services with promises for flexibility and cost reductions is no longer a differentiator. Cloud service providers need to be able to take away at least some of the worries about patching, physical security and security certificates. As a result, they have specialized teams who are expertly trained and dedicated to managing all the operational security tasks related to the underlying security infrastructure, platforms and software.
However, these providers cannot take over all responsibility.
The Tricky Parts for Health Care Organizations
Health care organizations that outsource to cloud services still have to acknowledge the obligation they have to security and data governance. In spite of handing over operational tasks, enterprises continue to face difficult decisions about data ownership, data access, sharing of patient records and collaboration with other organizations. On top of that, they need to keep checking that the service provider meets all the requirements as stated in the contracts and data protection regulations. This is not an easy undertaking. It requires the support of additional experts to deal with particulars such as:
- On-site audits;
- Knowledge of privacy legislation in different states and countries;
- Procedures for incident management;
- Preparations for crisis communication in case of a breach.
We have learned from the financial and entertainment industry that the reputational and personal damage caused by a cloud data breach can be disastrous. This not only affects the patients and the health care organization that owns the data, but also the service provider.
The service provider might be held liable for data breaches, which could take them out of business. When health care organizations prepare their business continuity plan, it is wise to include an escape plan for when the provider does not survive or does not deliver according to expectations.
Turning the Tricks Into Treats
A prepared health care organization can turn the tricky bits of data protection into treats by following the best practices for cloud security and by demanding their service provider offer a complete cloud security portfolio — including managed access, data security, monitoring of security breaches and compliance violations and optimized security operations. Cloud services providers are fully equipped to deliver these secure solutions; all health care organizations have to do is find the right partner.
Information Security Researcher
Nicole van Deursen has worked in several industries as an information security consultant and manager. In these roles, she has managed security teams, awaren...