We’ve been working with a number of clients lately who are trying to wrap their arms – and IT policies – around cloud computing and file sharing. You may remember last year when OHSU was fined $2.7 million for “widespread HIPAA vulnerabilities.” Well, part of those vulnerabilities came about because of improper use of cloud-based file sharing services.
Healthcare organizations or not, using cloud computing to store or share sensitive information comes with risks. OCR regularly reminds covered entities and their business associates of those risks, and of how to use such services while remaining in compliance.
Often, human error is at the root of the breaches. All the electronic protections, firewalls, anti-malware programs and so forth may be in order, but one person accessing information without authorization undoes all of it. Misconfigured services are another risk, and one usually not detected until it’s too late.
We like to start with the security risk analysis to detect any potential service misconfiguration or unnecessary access to sensitive data. The security risk analysis, when combined with IT vulnerability scans, penetration tests and mock phishing exercises, helps organizations identify and address security gaps like missed security patches and out-of-date software, and shows where human error is most likely to occur. (Of course, the security risk analysis is also a HIPAA Rules requirement – but you knew that.)
Check that you’re in compliance with OCR Guidance on cloud computing, particularly around storing ePHI in the cloud, the proper policies and procedures, and the appropriate Business Associate Agreements.
Remember: Cloud computing and file sharing aren’t prohibited by OCR, but you must have appropriate measures in place to secure sensitive data and ensure compliance. If you’re not sure whether your use of these services is secure, or whether your security risk analysis is up to date, then stop and call us!
Our HIPAA privacy, information security, HITECH and regulatory compliance consulting services support the health care industry and the vendors that work with them. We work across industry sectors to help businesses prepare for ISO, SOC II and HITRUST certifications, as well. You can reach Apgar & Associates at 877-376-1981.