Cloud and HIPAA – Questions You Should Ask

What to Ask Your Cloud-Service Provider

Cloud is establishing a foothold in the industry as the data management system of choice for many healthcare service providers. This means cloud security continues to evolve for the better. However, you must still choose a cloud-service provider wisely and ensure that patient data is secure at all levels of workflow.

We’ve compiled a list of several things you should ask your cloud-service provider regarding EHRs and PHI data.

  1. Who has access to this data and the systems supporting it?

Any cloud service provider should be able to tell you who has access to the physical storage facility, the hardware, operating systems and data.

  2. Is there an audit trail, and can unauthorized access to patient data be easily verified?

Is there an auditing mechanism in place tracking all PHI-related system activities, warnings and failures? Any unusual system activity such as suspected unauthorized access should be easily detectable.

  3. Is the data password-protected and accessible only to those authorized?

Are users required to enter a unique username and password at each log-on? Do active sessions time out after a period of inactivity?

  4. Is the data encrypted? Is it viewable only by those with proper authentication or those accessing it through an application?

Is SSL-based encryption performed at the application level whenever healthcare sites and the data center communicate? This provides end-to-end protection from the service access point to the data center and prevents an unauthorized network provider employee from reading the data. The data also cannot be read while in transit over the Internet to an end user’s viewing software.

  5. What kinds of backup processes are in place to ensure business continuity?

How often is data backed up, and what backup method is used to reduce data loss? Are copies made on removable media and stored off-site in case a disaster impacts the data center? Are the two copies continuously synchronized? What verification processes are in place to ensure the integrity of the backed-up data?

  6. How are the threats of viruses and Trojans handled?

Is anti-virus software scanning files and disks every time they are accessed? Is the anti-virus software frequently updated with the latest virus signature databases?

  7. What kind of physical security exists at the data center?

Is the data center staffed by security personnel 24 hours a day, with appropriate identification required and recorded for each visit? Are security cameras, motion detectors or alarms present throughout the facility?

The investment needed to buy and maintain physical equipment, hardware and software, and to give personnel the continuous training they need to deliver top-level data security, is unaffordable for smaller healthcare entities and overtaxes their resources. Converting to cloud-based services enables practices and companies of any size to achieve industry-leading HIPAA-compliant data security while benefiting from a range of cost-efficient services that free them from security problems, bringing them back to caring for patients rather than patient technology.

If you’re interested in a cloud-service provider who follows the administrative simplifications referenced under HIPAA, and can satisfactorily assure the safeguarding of electronic patient health information, contact us today.

Call (214)377-4884 for a free network assessment.