From the November 2016 issue of HealthCare Business News magazine
By Chris Bowen
While state-sponsored cyberattacks have grabbed headlines, a majority of health data breaches actually result from something closer to home: human error. No more than half of all data breaches in 2016 (so far) have been attributed to hacking, while the vast majority are the result of unauthorized access, theft of devices used to store electronic protected health information (e-PHI) or improper disposal of physical records.
The radiology ecosystem is hardly immune to these human-inflicted breaches. Consider just some of the most recent examples, such as the radiologist who hacked into his ex-employer’s patient database to steal patient files. Or the radiology practice that sent stacks of unshredded patient files to a recycling company. Then there was the widely reported instance of the vehicle that was transporting patient radiology files for incineration, with the driver completely unaware that the files were blowing out of the vehicle and onto the road. You just can’t make this stuff up.
Of course, as the rise of ransomware ominously portends, external cyberattacks remain a very real threat. Many radiology providers are discovering that the effort and expense required to maintain an impenetrable IT environment comes at the cost of caring for patients. Yet applying only minimum protections to patient data is ultimately harmful to patients, too. In a move to head off both internal and external cyber risk, many radiology providers and their business associates are deciding to offload hosting and security of valuable patient data to the cloud. But is the cloud environment really secure enough to keep patient records safe and private?
Securing PHI in the cloud
Under the Health Insurance Portability and Accountability Act (HIPAA), health care organizations are tasked with utilizing a broad set of administrative, technical and physical controls to keep patient data private and secure. Contrary to some persistent misconceptions, this can be achieved in a cloud environment. To satisfy HIPAA’s administrative controls, for example, a virtual private cloud configured on a public cloud can be architected so that all activity in the environment is monitored and logged, and any unusual activity is flagged and reported. Data can be encrypted and additionally secured at the application, virtual machine and network levels, addressing some of HIPAA’s mandatory technical safeguards. Finally, a public cloud partner can provide assurances regarding physical access to the data centers that host their clouds.
