ePHI Security Issues in Cloud Computing


Healthcare businesses around the world have always had a responsibility to protect the privacy of their patients. Today that means securing patient data from prying eyes.
Ever since patient health information became digital, many countries have introduced more stringent regulations to protect patient privacy and secure patient data. In the U.S. the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is the standard that medical facilities have to follow. HIPAA and the HITECH Act (the Health Information Technology for Economic and Clinical Health Act) place full responsibility for electronic protected health information (ePHI) on covered entities – i.e. healthcare providers and clearinghouses. This is the case wherever the data happens to be, including in the cloud under the management of one or more external cloud providers.


Curiously, cloud computing has attracted widespread data security concerns in the healthcare industry, despite the fact that a review of the list of major ePHI breaches shows that almost all of the largest breaches in the US are caused by improper storage and disposal of paper records and hard disks, or by the physical theft of laptops and other mobile devices. Cloud computing is one area to protect, but the others can’t be ignored either, including mobile devices and companies with a BYOD policy. Mobile devices are one of the weakest links in the IT security chain: as mobile access to data increases, the risks of theft and data misuse grow right along with it.

In light of these statistics and trends, you may reasonably consider storing patient data in the cloud. Nevertheless, patient data can’t simply be moved to the cloud without careful analysis and planning, and an in-depth understanding of and compliance with the HIPAA privacy and security rules.


Covered entities will want to add a few data and security rules of their own to fully comply with the law, and perhaps add some extra bells and whistles for complete peace of mind.


As a starting point, and before taking on an external service provider, the medical facility needs to investigate and confirm that the cloud provider is HIPAA and HITECH compliant, and that it has in place the cloud infrastructure, platforms, services, software, backups, and security technology needed to give written guarantees of compliance with the Security Rule and the Privacy Rule.


Many cloud providers offer protections such as firewalls, audits, multiple security layers, and authentication that closely controls the separation of the multiple ‘tenants’ in the cloud environment. Individually and collectively, these and other mechanisms are essential components of strong protection for patient data. Ultimately, however, they are of limited value should a breach occur, or should a malicious insider steal or otherwise compromise the cleartext data.


You will therefore need to do more to achieve ‘Safe Harbor’ status and show that you have implemented all technologies possible to protect patient data. To claim Safe Harbor in the event of a breach, in the cloud or anywhere else, you should be able to show that all your data is encrypted at every level and in all locations, and that the encryption keys are properly secured and managed, so that the attacker was unable to obtain plaintext data.


Encryption and encryption key technologies are at the very heart of data protection, certainly in the cloud where they are accepted as the best practice. Yet you’ll also want them to be simple and easy to manage.


Data encryption should usually be based on the AES standard (i.e. AES-256) along with tamper protection (for example, using standard XTS-AES) so no unauthorized person can change your data. All communications within the system must be encrypted at all times, with SSL/TLS always being ‘on’.


Key management and key encryption (the encryption of the encryption keys) are essential, since if an attacker lays hold of the keys then the encryption is broken. Key encryption in the cloud can be based on split-key encryption, which combines ease of use with the highest levels of security. Keys should be protected from snooping and tampering using SHA-2 HMACs and Homomorphic Key Management.
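As an added illustration of the split-key and HMAC ideas in the paragraph above (example code written for this page, not Porticor's implementation), the Python sketch below splits a data-encryption key into two shares so that the key only exists while both are combined, and tags each stored share with HMAC-SHA256 so that a modified share is rejected before use. The key sizes, the MAC key and the demo values are constructed for the example.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32  # AES-256 data-encryption key size, in bytes
TAG_LEN = 32  # HMAC-SHA256 tag size, in bytes

def split_key(dek: bytes):
    """Split a data-encryption key into two shares: a random share_a and
    share_b = dek XOR share_a. Either share alone looks like random bytes,
    so whoever holds only one share (e.g. the provider) learns nothing."""
    share_a = secrets.token_bytes(len(dek))
    share_b = bytes(x ^ y for x, y in zip(dek, share_a))
    return share_a, share_b

def join_key(share_a: bytes, share_b: bytes) -> bytes:
    """Recombine the shares; the key exists only while both are present."""
    if len(share_a) != len(share_b):
        raise ValueError("shares must have equal length")
    return bytes(x ^ y for x, y in zip(share_a, share_b))

def protect_share(share: bytes, mac_key: bytes) -> bytes:
    """Append an HMAC-SHA256 tag so any change to a stored share is detected."""
    return share + hmac.new(mac_key, share, hashlib.sha256).digest()

def verify_share(blob: bytes, mac_key: bytes) -> bool:
    """Constant-time check of a stored share's tag."""
    if len(blob) <= TAG_LEN:
        return False
    share, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    return hmac.compare_digest(tag, hmac.new(mac_key, share, hashlib.sha256).digest())

def unprotect_share(blob: bytes, mac_key: bytes) -> bytes:
    """Strip the tag, refusing any share that fails the integrity check."""
    if not verify_share(blob, mac_key):
        raise ValueError("key share failed integrity check; refusing to use it")
    return blob[:-TAG_LEN]

if __name__ == "__main__":
    # Constructed demo values; real keys come from a CSPRNG or HSM.
    dek, mac_key = secrets.token_bytes(KEY_LEN), secrets.token_bytes(KEY_LEN)
    provider_share, customer_share = split_key(dek)
    stored = protect_share(provider_share, mac_key)       # what the provider keeps
    assert join_key(unprotect_share(stored, mac_key), customer_share) == dek
    tampered = bytes([stored[0] ^ 1]) + stored[1:]        # one flipped bit
    assert not verify_share(tampered, mac_key)
    print("split-key round trip OK; tampered share rejected")
```

The MAC key itself must live outside the provider's reach (the same place as the customer share), otherwise an insider who can rewrite the stored share can also recompute its tag.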


The US Secretary of Health and Human Services issued guidance on how best to ensure that ePHI is unusable, unreadable and indecipherable to unauthorized persons. It singled out encryption as the best practice for protecting privacy and security and as a safe harbor in case of data loss. That applies as much to the local family practice with one doctor as to the large medical facility with 100 doctors.


Finally, when you find the cloud provider that meets all the criteria you need for compliance, remember to sign a Business Associate Agreement (BAA).


Gilad Parann-Nissany

Gilad Parann-Nissany is the founder and CEO of Porticor Cloud Security. He is a pioneer in the field of cloud computing who has built SaaS clouds, contributed to SAP products and created a cloud operating system. He has written extensively on the importance of cloud encryption and encryption key management for PCI and HIPAA compliance. Gilad can be found on his blog, Twitter, LinkedIn, and Google+ discussing cloud security.
