Why it’s Time to Move on if Your Cloud Provider Won’t Sign a HIPAA BAA

68Despite new HIPAA Business Associate Agreement (BAA) regulations going into effect in 2013, many healthcare organizations are still encountering the occasional cloud service provider who refuses to sign a BAA. Although they may have a logical explanation, any refusal to sign a BAA should be seen as a red flag.

Here’s the logic from their angle. There are still many cloud vendors who view themselves more as conduits of Personal Health Information (PHI). They feel their role is more akin to that of a mailman. They’re merely transporting data to others and have no real access to the actual contents.

If the data is encrypted and cannot be read, or If they don’t touch the actual PHI data at all, the cloud service vendor will argue that HIPAA regulations do not apply to them and possibly refuse to sign a BAA.

Fair enough, right? If the data is encrypted and the vendor doesn’t hold the encryption key, what’s the problem? Well, here’s the problem.

File this in the unlikely yet not improbable category. Let’s say that the PHI data wasn’t properly encrypted before it was sent into the cloud or unencrypted data was mistakenly transferred over to the cloud service provider. If the cloud provider has refused to sign a BAA, this jeopardizes your HIPAA compliance and could potentially result in a fine anywhere from $50,000 to $1.5 million.

This is why those in the healthcare sector must move on from any cloud provider that is reluctant to sign a BAA. They are basically refusing to be complaint since the new HIPAA Omnibus Rule clearly defines a business associate as anyone who creates, receives, maintains, or transmits PHI on behalf of a covered entity. By refusing to share accountability for HIPAA compliance, they’re a liability to your organization that you just can’t afford.

CLICK HERE for a free network assessment.

 

2 Steps to Ensure Healthcare Data Availability in the Cloud

66In 2013, major companies like Google, Amazon, and Microsoft experienced outages. Not only were these big name outages disruptive to users, but they also made headlines and proved to be costly to each brand. Google’s hiccup footed an estimated bill of $500,000 while Amazon’s 30-40 minute blackout contributed to roughly $3 million in losses.

2013 was also the year the healthcare industry embraced cloud computing thanks to modifications to the HIPAA Privacy, Security, Enforcement and Breach Rules. With these modifications extending the definition of a Business Associated (BA) to cloud service providers, many of the data breach concerns that had previously kept the healthcare sector from taking to the cloud have been quieted.

But as more patient health data is electronic and residing in a virtual environment, the availability of this data is just as important, if not more important, than securing it. Unlike Google, Amazon, and Microsoft, the disastrous effects of data outages in the healthcare sector can have potentially deadly consequences.

Not only is high uptime mandatory in a healthcare cloud, business continuity and disaster recovery (BCDR) plans are also crucial. The good news is the cloud’s virtualized infrastructure, coupled with the expertise and cloud monitoring of a trusted Managed Service Provider (MSP) can help healthcare organizations maintain uptime and reliability. Here are two helpful steps:

  1. Risk Assessments Are Absolutely Necessary

While risk assessments are critical to protecting patient health information, a 2012 audit conducted by the Office of Civil Rights revealed that many healthcare entities and contracted service providers fail to perform them. These evaluations must be conducted regularly and require an honest assessment of probable risks ranging from malicious cybercrime attacks to acts of nature such as natural disasters, flood, earthquakes and power outages. Analyze both the architectural vulnerabilities relative to data availability and security as well as the effectiveness of the counteractive measures in place. The goal is to minimize the plausible impact of such an event and prevent service disruption.

 

  1. Proactively Monitor for Cybercrime

It is often months before a security breach is detected. By this time, hackers have had ample time to infiltrate your system and feast on its data. Since cybercriminals use an unpredictable array of methods to strike, such as viruses, malware and phishing schemes to steal credentials, the strength of your detection system is key. Alerts should be set up to identify anomalies such as unusual application requests, forced entry attempts, suspicious spikes in traffic, and abnormal data patterns that suggest a breach. The proactive monitoring tools available through a MSP can help scan, pinpoint, and remediate such attacks.

Any BCDR plan must be built upon your organization’s recovery time objective (RTO) and recovery point objective (RPO). Your RTO is the duration of time in which your service level must be restored to avoid dire consequences. Your RPO is the maximum age of the recoverable files in storage to resume normal operations. A MSP can help determine the optimal scenario for your healthcare organization and prioritize the most critical health care information with near real-time replication.

Through this preparation and foresight, your organization can lay the groundwork to not only protect healthcare information in the cloud but potentially save patients’ lives in the event of an unforeseen outage.

CLICK HERE for a  free network assessment.

Healthcare and Cloud Computing Together at Last

65 For years, the healthcare industry was thought to be the very last sector to embrace cloud computing. With HIPAA compliance, storing private patient data in the cloud seemed much too risky from a security and legal standpoint. However, with a government issued mandate to migrate patient data to electronic heath records by 2015, the cost-effectiveness of the cloud was simply too logical to not entice independent practitioners and small healthcare entities now burdened by the need to invest technology and tech-savvy personnel. If only there was a way around the security and privacy concerns.

Wish granted. In January of 2013, the U.S. Department of Health and Human Services introduced a few revisions to the regulations administered under the Health Insurance Portability and Accountability Act of 1996. Labeled the “Final Omnibus Rule,” this update spelled out the legal framework to be used by healthcare organizations working with cloud service providers.

With a signed Business Associate (BA) agreement, a cloud service provider accepts the responsibility to protect patient data under HIPAA law. This expanded definition of BA means that the government can now penalize cloud service providers accountable for data breaches.

Although many healthcare organizations had already entrusted certain cloud service providers with their data, only the HIPAA covered entity (the healthcare organization) was penalized in the event of a breach prior to this ruling. While the HIPAA covered entity is still responsible for oversight, this shared accountability with the cloud service provider has expanded responsibility and has led to an influx of healthcare organizations and cloud service providers working together, worry-free, in perfect harmony.

CLICK HERE for a free network assessment.

Achieving Hipaa Compliance & Data Security In The Cloud

Prioritizing Security & Privacy in Healthcare Sector

Physician offices, hospitals and health insurers take practical steps each day to protect private patient health information (PHI) and comply with HIPAA regulations. Anyone interacting with patients and regularly accessing or discussing confidential medical records is obligated to adhere to certain requirements to uphold privacy and security.

For example, employees must be mindful of what is said aloud pertaining to an individual patient. Doors must be closed when patient conditions, treatments and procedures are discussed in person or over the phone. Staff should never leave voice mails with specifics about patient health conditions or test results. Even simple acts like summoning patients from the waiting room must be carried out with patient discretion in mind.

Failure to do this can result in a reported HIPAA breach that can be accompanied by potentially heavy monetary fines and often-irreparable reputation damage. The industry’s need to prioritize the integrity of patient data is even more pronounced in this time of flux within the healthcare sector.

Transitioning to the Electronic Age

Healthcare service providers today are in the process of converting all paper medical records to electronic health records (EHRs) or electronic medical records (EMRs) to meet the meaningful use requirements outlined in the American Recovery and Reinvestment Act of 2009 (ARRA). The ARRA incentivizes the healthcare sector to accelerate the adoption of enterprise-wide electronic medical data by 2015 or face possible penalties.

We are entering a period in our history where volumes of confidential patient health information (PHI) will be stored, shared, and accessed electronically for the very first time ever. There has never been a more critical time for healthcare service providers to ensure that patient rights are protected, confidential information is safeguarded, and this transition from the immovable locked file cabinets to today’s electronic-system is completely HIPAA compliant and secure.

How HIPAA Breaches Most Commonly Happen

The U.S. Department of Health’s Office of Civil Rights found that there have been 21 million HIPAA security breaches since 2009. These breaches have resulted in an average of 2,769 records being lost or stolen per breach. Among them:

  • 48% were stolen medical files
  • 48% were stolen billing and insurance records
  • 20% were stolen prescription details
  • 13% were stolen monthly statements
  • 24% were stolen patient billing/payment details
  • 19% were stolen payment details

During this period, 66 percent of the reported large-scale HIPPA violations were due to the physical loss or theft of electronic equipment or storage media such as a laptop or flash drive that held unencrypted PHI. Another 8 percent of the large-scale HIPAA breach incidents were the result of hacking and cybercrime.

Physical Theft

Based on the above findings alone, one can come to the obvious conclusion that storing such unencrypted data on a physical hard drive or any portable storage media device elevates the risk of an HIPAA breach. Therefore, eliminating the need to store or transfer this data on equipment such as laptops or flash drives should significantly minimize the risk of many of the HIPAA violations reported today.

Cybercrime

Cybercrime is a growing threat within the healthcare sector since the industry has been slow to adopt new technology. According to the Identity Theft Resource Center, there were 17 reported financial industry data breaches in 2012 compared to a reported 154 healthcare industry breaches during the same time frame. The aging technology commonly used by healthcare service providers is rife with software and security flaws making it susceptible to data breaches resulting from hacking and other cyber-attacks.

Data thieves view private medical records as a high valued commodity – a gateway to identity theft. Safeguarding this data is challenging. With the shift to electronic records, data thieves have upped their game, finding new ways to gain unauthorized access to patient data by exposing vulnerabilities.

Defending against cybercrime requires constant monitoring for intrusion attempts and security upgrades. In this era where the volume of stored data is increasing, new cyber threats seemingly surface every day, and there is continuous demand to comply with regulations; healthcare service providers securing their own infrastructure will inevitably become overburdened and more vulnerable to attacks and HIPAA breaches.

 

The Case for Moving Data to the Cloud

Although many healthcare service providers have shown a reluctance to abandon their in-house IT infrastructure and security measures, on premise data center attacks are proving to be more prevalent, costly, and difficult to rebound from.

Healthcare providers who have resisted the cloud due to privacy and security concerns could be making a grave mistake. Increasing evidence suggests that the cloud can actually enhance data security. It does this while also freeing up manpower and budget dollars that can be better allocated toward the principle objective of improving patient care.

Proactive Remote Monitoring

Leading cloud-service providers offer an around-the-clock remote monitoring service that maximizes uptime while monitoring each node in the cloud infrastructure, each access point, and the data center platform as a whole. This is an extremely important function that detects and addresses potential issues before they become serious breach incidents. Metrics are collected and alerts are triggered whenever faulty conditions such as a data backup failure or an authorized attempt to access data are detected.

CLICK HERE for a free network assessment and see how your sensitive information can remain secure in the cloud.

Cloud and HIPAA – Questions You Should Ask

What to Ask Your Cloud-Service Provider

Cloud is establishing a foothold in the industry as the data management system of choice for many healthcare service providers. This means cloud security continues to evolve for the better. However, you must still choose a cloud-service provider wisely and ensure that patient data is secure at all levels of workflow.

We’ve compiled a list of several things you should ask your cloud-service provider regarding EHRs and PHI data.

  1. Who has access to this data and the systems supporting it?

Any cloud service provider should be able to tell you who has access to the physical storage facility, the hardware, operating systems and data.

  1. Is there an audit trail and can unauthorized access to patient data be easily verified?

Is there an auditing mechanism in place tracking all PHI-related system activities, warnings and failures? Any unusual system activity such as suspected unauthorized access should be easily detectable.

  1. Is the data password-protected and accessible to only those authorized?

Are users prompted to enter a unique username and password with each log on? Do active logged-in sessions time out after periods of inactivity?

  1. Is the data encrypted? Is it only viewable to those with proper authentication or accessing it through an application?

Is SSL-based encryption performed at the application level when healthcare sites and the data center communicate? This ensures end-to-end protection from the service access point to the data center and prevents any unauthorized network provider employee from accessing the data. Data also can’t be read while in transit to an end user’s viewing software over the Internet.

  1. What kinds of backup processes are in place to ensure business continuity?

How often is data backed up and what is the method of backup to reduce data loss? Are copies made on removable media and stored off-site if a disaster impacts the data center? Are the two copies continuously synchronized? What authentication processes are in place to ensure data integrity?

  1. How are the threats of viruses and Trojans handled?

Is there anti-virus software running every time files and disks are scanned or accessed? Is the anti-virus software frequently updated with the latest virus signature databases?

  1. What Kind of Physical Security Exists at the Data Center?

Is security at the data center manned 24-hours with appropriate identification required and recorded with each visit? Are security cameras, motion detectors or alarms present throughout the facility?

The necessary investment to buy and maintain physical equipment, hardware and software, and supply personnel with the continuous training they need to deliver top-level data security is unaffordable and overtaxes the resources of smaller healthcare entities. Converting to cloud-based services enable practices and companies of any size to achieve industry-leading HIPAA compliant data security while benefiting from a slew of cost-efficient benefits that liberate them from security problems – bringing them back to caring for patients, not patient technology.

If you’re interested in a cloud-service provider who follows the administrative simplifications referenced under HIPAA, and can satisfactorily assure the safeguarding of electronic patient health information, contact us today.

Call (214)377-4884 or CLICK HERE for a free network assessment.

The Future of Healthcare event Nov.15th – all proceeds go to HELPS Intl

Brookhaven Business Alliance cordially invites you to a keynote speech; panel discussion and value add breakout workshops on “The Future of Healthcare”.   Check out our all-star lineup of industry thought leaders.  

[button url=”http://www.brookhavenbusinessalliance.com/events.html” ]Register Now![/button]

 Keynote Speakers: 

  • Brigadier General (Ret) Richard Ursone
  • Dr. Mike Cowan –  former Navy Surgeon General

 

 Moderator: Raymund C. King, MD, JD

 Distinguished Panelist: 

  • Dr. Eric Bricker – CMO, Compass Professional Health Services
  • Cary Clayborn – CEO ATB Global
  • Mark Lambright – CEO HealthPoints
  • Dr. Greg Powell – Associated Orthopedic Surgeons        
  • Henry Talavera – Hunton & Williams LLP

 

Additional Breakouts with Industry experts leading sessions on the following topics.   Develop questions to ask panelist.   Learn important information that affects us all.

401K – Changes in Fiduciary Responsibilities

Future of Patient Billing

Healthcare Reform

Legal Implications

Technologies Role/EMR

Wellness

[hozbreak]

When: Nov. 15th 8:00A – 10:30A

Where: Brookhaven Country Club – 3333 Golfing Green Dr., Dallas, TX 75234 

Cost: $50 for Guest or $35 for sponsor members – pay at door

Sponsors:

ABT Autologous Blood Tech

Alliance Insurance Services

Cigna

CI Web Group

ClubCorp

Cognoscape LLC

Compass Professional Services

Dallas Business Journal

Dallas Regional Chamber

Dillion Gage

DSG Benefits Group, LLC

Farmers Branch Chamber

Dr. John Maxey

Health of the Nation on KLIF hosted by Dr. Mitchell Brooks

HealthPoints

Hunton & Williams, LLP

Lanvera

Munck Carter, LLP

Oasis Outsourcing

One America

Southwest Age Intervention

Dr. Steve Harris

Success North Dallas

Vatter Financial

WeScanFiles.com – A service of GuideStar Consulting

  Add to my calendar

  Driving Directions