Avoiding Healthcare Data Loss in the Age of Ransomware

With the rapid rise of ransomware attacks across industries, including healthcare, it’s not surprising that the Health Insurance Portability and Accountability Act (HIPAA) regulations now require ransomware attacks be reported, given the impact they have on the organizations and clients they serve. Losing data–whether temporarily or permanently–constitutes an unacceptable risk to healthcare organizations and interferes with patient care, employee collaboration, and record accessibility.

For healthcare organizations that are already saddled with increasing demands for better, faster, more affordable care and the implementation of the latest technologies while still maintaining strict privacy and security standards, adding an additional compliance checkbox can seem overwhelming. This is particularly so for those that are taking advantage of SaaS apps like G Suite, Office 365 and Salesforce to increase agility, connectivity, and accessibility. And yet, maintaining compliance and implementing processes designed to ensure the safety of protected health information (PHI) while minimizing security risks is critical to the survival of every healthcare organization.

Using SaaS Services with e-PHI

The US Department of Health and Human Services mandates that covered entities – defined as health care providers, health plans or healthcare clearinghouses – and their business associates – including selected cloud service providers (CSPs), like Google or Microsoft, or SaaS application providers such as Salesforce – must comply with HIPAA. Covered entities and their CSP / SaaS vendor are required to sign a Business Associate Agreement (BAA) if they plan to manage e-PHI in the cloud.

For any healthcare organization using G Suite, Office 365 or Salesforce, they must first learn how each of these providers individually manages e-PHI and helps the organization fulfill HIPAA requirements. For instance, some cloud providers restrict organizations to a subset of their application services so that e-PHI can be properly safeguarded, and IT administrators must configure their cloud and SaaS environments accordingly.

Next, healthcare organizations need to recognize that these applications don’t guarantee full restoration of lost data if an issue occurs on the user’s end. It could be a costly assumption that all cloud-based data is automatically backed up and can easily be restored to its original state. In reality, it’s often the responsibility of an organization’s IT department to fill in the data protection gaps by implementing a backup and recovery solution themselves. Here are a few notable gaps in the native data protection provided by cloud providers where SaaS providers will not recover lost data:

  • Deletions: Whether accidental and caused by human error or intentional and caused by a malicious insider, once a request to delete has been received and acted upon, the data is gone per the customer’s directive (and the application’s customer agreement and privacy policy).
  • Hacking: Similar to insider threats, data removed or held for ransom by hackers can be unrecoverable if there is no restorable backup in place.
  • Sync errors: Once a SaaS app is integrated with other applications, there is always a chance data will be lost due to a failed sync. This common error is not always recoverable by SaaS providers.

Ensuring Proper Data Protection and Compliance with SaaS Services

The permanent, unplanned loss of data can be disastrous for any organization, but is especially harmful for healthcare organizations. Along with the impact on patient care, employee collaboration and effectiveness, and record accessibility, it can also have serious implications on an organization’s ability to maintain compliance and ensure proper data protection, especially of PHI.

In addition to a strong cloud strategy, healthcare organizations should have a HIPAA-compliant backup solution in order to fill those gaps and protect against data loss. Here’s what to look for when considering SaaS data protection solutions for backup and recovery:

  • Cloud-to-cloud SaaS model – Choosing to backup data from the cloud into the cloud enables healthcare organizations to reduce the cost and IT maintenance requirements of traditional backup. As a result, IT staff can do more with less, while ensuring a secure copy of their SaaS data is easy to retrieve for recovery.
  • Automated and on-demand backups – In addition to manual on-demand backups whenever required, having an automated solution provides further confidence that critical patient data is being backed up.
  • Fast and accurate recovery and restoration – Recent research shows that the loss of access to data can cost more than $2 million per year to organizations even when the CSP meets their uptime Service Level Agreements (SLA). Quick and accurate data recovery will not only ensure significant cost savings, but also continuity of service to patients and the organization.
  • Solution provider stability – The protections afforded by a robust, HIPAA-compliant SaaS data protection solution are only as good as the provider’s business and operational stability. Trusted names and established companies are more likely to be there for the IT healthcare team today and into the future.

Healthcare organizations remain under pressure to provide better, faster, more affordable care, while also maintaining strict privacy and security standards. Those that have turned to cloud and SaaS technology to increase agility, collaboration and continuity of care in service of these goals must not only understand the risks and responsibilities associated with managing e-PHI in SaaS applications, but also take a proactive approach to safeguard against data loss. By implementing robust data protection plans that enable rapid recovery from data loss, these healthcare organizations will see a reduction in operations interruptions and data loss while also ensuring continuity of care.

Learn how Millar, Inc. Achieves Compliance in the Cloud with Spanning Backup for Office 365

An earlier version of this article first appeared in Health System Management.


GOT SOMETHING TO SAY?