By Lindy Benton
New information may help health IT leaders identify new alternatives for managing and securing their data.
Healthcare data is always going to be at risk. Breaches continue to grab all of the headlines, and dental providers are exposed to the same risk.
Hackers want the information providers must collect. Despite continued efforts to address security loopholes, simply “taking action” to mitigate damage is not an effective strategy and it won’t work long term.
Patient data is being increasingly targeted, according to an Identity Theft Resource Centerreport from early 2014, stating the healthcare sector accounts for 43 percent of major data breaches, overtaking the business sector in the number of breaches for the first time. The recent jump in healthcare breaches could be the result of tougher reporting requirements.
“It is more difficult, perhaps, for that industry to brush something under the rug and want to chance not disclosing it because the ramifications for being found out are pretty significant,” the report authors claimed. However, healthcare breaches are increasing likely because of the value each of the records brings.
As you’ve likely heard, stolen or hacked patient charts sell for $50 each on the black market, according to multiple recent reports. Obviously, the data included in the records is valuable – in most cases they contain names, addresses birth dates and Social Security numbers. This information alone makes them attractive and highly sought after.
For some perspective, since federal reporting requirements kicked in, the U.S. Department of Health and Human Services’ database of major breach reports (those affecting 500 people or more) has tracked 944 incidents affecting personal information from about 30 million people. A majority of those records are tied to theft (17.4 million people), followed by data loss (7.2 million people), hacking (3.6 million) and unauthorized access accounts (1.9 million people), according to a Washington Post analysis of the data.
Breaches come in a variety of forms, though. Not all of them can simply be classified as a loss of patient record, or identity theft. Unfortunately, a breach can be something as simple as an administrative member of the practice losing a laptop or other mobile device that contains patient data or even a loss of a physical patient record.
As breaches continue to occur and sensitive patient data becomes more highly sought after, some organizations are beginning to realize the importance of the cloud and mobile storage solutions to protect their data from loss or breach while others continue to maintain more traditional approaches of keeping their information “safe” onsite.
The move to the cloud is supported by the fact that if health information is stored remotely in a secure and protected manner there’s no need for the transfer or collection of data on laptops, portal hard drives or other mobile and physical devices. Fear of breach of data stored in the cloud, however, is the exact reason many have not evaluated it as a solution.
Even as breaches continue to make headlines, the cloud also continues to generate news about its vulnerability to hacking. However, in some cases, practices are now identifying HIPAA-compliant secure cloud storage methods that allow them to safely transfer documents, in addition to storing them. For the most part, they are finding that these solutions require minimal time and training to implement, and less to maintain and manage their on-premise counterparts.
While the data needed to power a practice is off-site, at the same time the data is secure, they feel, in the event of a catastrophe, for example, the information also is easily exchangeable and retrievable. Additionally, records can be loaded or attached and sent as required; for example, attaching records and documents to support claim verification and adjudication at the request of payers, in some cases.
Despite the flexibility and ease of the cloud solutions, an overwhelming question pervades: “Is the cloud as secure as dedicated, on-premise infrastructure?” This very question was recently addressed in detail in a RackSpace report.
According to the report, the cloud is no less secure than on-premise solutions. Cloud solutions are typically created with built-in security controls and features. Worth noting, though, is that the number of attacks is increasing for both cloud and on-premise solutions, so there is equality no matter the solution. From 2012 to 2013 vulnerability scanning attacks jumped from 27 percent to 44 percent for cloud-hosted environments, and from 28 percent to 40 percent for on-premise datacenters.
Practices moving to the cloud are likely to face similar threat levels as if their data and technology were stored onsite. At this point, it would be foolish to proclaim that the cloud is less safe than on-premise solutions or that on-premise solutions are impenetrable to breach.
In fact, on an unrelated note, the cloud is creating better information backup options for health organizations in the event that they ever lose their data or their systems crash; which also supports the call for organizations to rely on more than one mechanism for data backup for their security efforts. This is a dense-of-depth approach, which is becoming a healthcare must especially as vulnerabilities, such as hackers making 24/7 attempts to gain access to the information the hospital or health systems hosts.
Organizations can’t rely on a single approach to security nor can they expect that they’ll always be in control of their data. However, just because data is on site doesn’t make it safer and just because it’s in the cloud doesn’t make it more vulnerable to breach. Though this little fact won’t bring the headlines to a halt nor will it help protect data in any way, this insight may help health leaders realize there are alternative approaches or solutions to where data can kept and how it is secured and managed.
Next, they need to take the steps to secure the data, using commonsense methods and establishing partnerships with others who can do some of the heavy lifting protection when it’s needed.