Cloud Encryption Not Used Enough in Healthcare
A quarter of healthcare organizations do not use encryption to protect data in the cloud, leaving the electronic protected health information (ePHI) of patients at risk of exposure, according to a recent survey by HyTrust, a cloud control company in Mountain View, CA.
Thirty-eight percent of respondents said they had a multicloud environment, and 63% said they were planning to use multiple cloud service providers in the future; 63% of healthcare organizations said they were using the public cloud to store data.
Data security was cited as the No. 1 concern by 82% of surveyed healthcare organizations, but even so, encryption is not always employed, says Eric Chiu, founder and president at HyTrust.
“For these care delivery organizations, choosing a flexible cloud security solution that is effective across multiple cloud environments is not only critical to securing patient data, but to remaining HIPAA compliant. However, the lack of encryption is a cause for concern.”
Comprehensive Risk Assessment Needed
HIPAA rules permit the use of cloud services for storing and processing ePHI, but covered entities are required to conduct a comprehensive risk assessment to assess threats to the confidentiality, integrity, and availability of ePHI.
Covered entities must make sure that appropriate technical safeguards are employed to preserve the confidentiality of cloud-stored ePHI, and data encryption must be considered, Chiu notes. If an organization decides not to encrypt cloud-stored data, it must document the reason for that decision along with the alternative controls put in place to provide a similar level of protection.
The U.S. Department of Health and Human Services (HHS) pointed out in last year’s cloud computing guidance for HIPAA-covered entities that encryption can significantly reduce the risk of ePHI breaches. That said, HHS also explained that encryption alone is not sufficient to ensure the confidentiality, integrity, and availability of ePHI stored in the cloud.
Encryption may cover the confidentiality aspect, but it will do nothing to ensure that ePHI is always available, nor will it safeguard the integrity of ePHI. Alternative controls must be in place to ensure ePHI can always be accessed, while access controls must be used to ensure the integrity of ePHI is maintained. The use of encryption alone to safeguard ePHI may, therefore, constitute a violation of the HIPAA Security Rule, Chiu explains.
“Healthcare organizations that choose to use cloud services provided by a separate entity must ensure that the cloud service provider is aware of its responsibilities with respect to ePHI. Cloud service providers are classed as business associates of covered entities, and as such, they are required to abide by HIPAA rules,” Chiu says. “Healthcare organizations must obtain a signed business associate agreement from each cloud service provider used, if the service is used to store any ePHI. HHS has also explained that even if ePHI is stored in the cloud and the cloud service provider does not hold a key to decrypt the data, the cloud service provider is still classed as a HIPAA-business associate.”