Healthcare IT & Cloud Security: Top 4 Data Considerations

The healthcare industry is changing how it delivers patient care. With technology that enables greater collaboration for patient care, and with patient care delivery models shifting toward telemedicine and self-served healthcare, healthcare IT (HIT) finds itself thrust into the world of online collaboration platforms, SaaS, and cloud computing.

As a highly regulated industry in which individuals’ data demands the utmost security, this move isn’t always comfortable. But as recently noted in a statement by the Cloud Standards Customer Council, “Around the globe, healthcare reform has mandated that it is time for healthcare IT to be modernized; and that cloud computing is at the center of this transformation.” The benefits and cost efficiencies gained from moving to the cloud are many, including:

  • The ability to share information easily and securely
  • More seamless collaboration among geographically dispersed healthcare entities and patients
  • Scalability and flexibility
  • The ability to secure and back up your data inexpensively

Microsoft Office 365 is a great example of a feature-rich, unified collaboration and communication cloud-based service that is being adopted by healthcare entities – from clinics to medical device manufacturers. With Office 365, for example, caregivers can work together and connect virtually with patients more efficiently and cost-effectively.

Considerations for leveraging cloud services

Office 365 is built to meet HIPAA security and privacy regulations. However, healthcare entities should be aware that most cloud vendors operate under a shared responsibility model, in which both the cloud service provider and the customer are responsible for ensuring data protection and business continuity. Though Microsoft protects against hardware and software failure, natural disaster and power outages, it does not cover other data loss scenarios, including:

  • Ransomware and viruses
  • Human error
  • Programmatic errors (such as configuration errors)
  • Malicious acts
  • External hackers

In each case, it is the customer’s responsibility to provide data protection against these very real and common threats. Did you know that 58 percent of companies that use SaaS applications have suffered a data loss incident over a 12-month period? These are odds that HIT departments and healthcare entities cannot afford.

In order for healthcare providers to securely leverage SaaS or cloud services and take their share of responsibility for data management and protection, the following considerations should be made:

Cloud Considerations

Privacy and Security
  • Establish strong Service Level Agreements with the cloud service provider with regard to security and privacy.
  • Healthcare organizations must be informed of where and how electronic protected health information is moved or stored by the provider.
Regulation and Compliance
  • The cloud vendor should be contractually required to implement security controls and compliance measures, but ultimately, responsibility for compliance always resides with the healthcare entity.
  • Cloud vendors must provide solutions that are HIPAA compliant.
  • Organizations must consider whether data entrusted to a cloud provider carries legal/regulatory protection and breach notification requirements, such as protected health information (PHI) governed by HIPAA and HITECH, and personally identifiable information (PII) governed by state privacy laws.
Data Backup and Protection
  • Healthcare organizations should adopt a cloud-to-cloud backup provider to ensure their data is always accessible and not vulnerable to data loss events such as accidental deletions, ransomware attacks or human error.
  • Cloud backup solutions must comply with recovery time objectives (RTO) and must provide full access to backup data.
  • Data backup and protection must comply with HIPAA regulations.
  • Backups should occur daily or on demand.
Data Restore Requirements
  • Individuals’ data should be restored in the same format it was in prior to backup – not encrypted.
  • Restore functionality should be granular and provide a point-in-time snapshot of data.
  • Backups should be easy to monitor, and data restoration should be straightforward and produce data in a consumable format.
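The backup and restore requirements above can be checked mechanically. As an added example (not code from the original article, Microsoft, or Spanning), the Python below runs over a constructed backup catalog: it reports gaps in the daily backup cadence, selects the most recent point-in-time snapshot at or before a requested moment, confirms the restored item matches a known-good hash (original format, not a ransomware-encrypted copy), and checks a restore duration against an RTO. The catalog, item path, content and the 4-hour RTO are all assumed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib

@dataclass(frozen=True)
class Snapshot:
    taken_at: datetime   # when this backup point was captured
    items: dict          # item path -> bytes as they existed at that time

# Constructed sample catalog (not real data): nightly backups of one tenant.
_ORIGINAL = b"clinic-notes-v1"
KNOWN_GOOD_DIGEST = hashlib.sha256(_ORIGINAL).hexdigest()
CATALOG = [
    Snapshot(datetime(2024, 3, 1, 2, 0), {"OneDrive/notes.docx": _ORIGINAL}),
    Snapshot(datetime(2024, 3, 2, 2, 0), {"OneDrive/notes.docx": _ORIGINAL}),
    # 3 March is missing: a cadence gap the checker must report.
    Snapshot(datetime(2024, 3, 4, 2, 0), {"OneDrive/notes.docx": b"ENCRYPTED-BY-RANSOMWARE"}),
]

def cadence_gaps(catalog, max_interval=timedelta(days=1)):
    """(start, end) pairs where consecutive snapshots exceed the daily requirement."""
    ordered = sorted(catalog, key=lambda s: s.taken_at)
    return [(a.taken_at, b.taken_at) for a, b in zip(ordered, ordered[1:])
            if b.taken_at - a.taken_at > max_interval]

def point_in_time(catalog, not_after):
    """Most recent snapshot taken at or before `not_after` (granular restore point)."""
    candidates = [s for s in catalog if s.taken_at <= not_after]
    return max(candidates, key=lambda s: s.taken_at) if candidates else None

def restore_item(catalog, path, not_after):
    """Bytes of `path` as of the chosen restore point, or None if unavailable."""
    snap = point_in_time(catalog, not_after)
    return snap.items.get(path) if snap else None

def restore_is_faithful(restored, expected_digest):
    """True only if the restored content matches the known-good original."""
    return restored is not None and hashlib.sha256(restored).hexdigest() == expected_digest

def rto_met(restore_started, restore_finished, rto=timedelta(hours=4)):
    """True if the restore completed within the recovery time objective."""
    return restore_finished - restore_started <= rto

def run_checks():
    """Run all checks on the sample catalog; returns a dict for monitoring or assertions."""
    path = "OneDrive/notes.docx"
    before_attack = restore_item(CATALOG, path, datetime(2024, 3, 3, 12, 0))
    latest = restore_item(CATALOG, path, datetime(2024, 3, 5, 0, 0))
    return {
        "gap_count": len(cadence_gaps(CATALOG)),
        "pre_attack_restore_ok": restore_is_faithful(before_attack, KNOWN_GOOD_DIGEST),
        "latest_restore_ok": restore_is_faithful(latest, KNOWN_GOOD_DIGEST),
        "rto_met": rto_met(datetime(2024, 3, 4, 9, 0), datetime(2024, 3, 4, 11, 30)),
    }
```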

Case study: Millar, Inc.

Millar, Inc., a medical manufacturer of neurological and cardiac catheters, recently migrated to Office 365. Like any other healthcare entity, Millar must meet strict standards surrounding data protection and accessibility. IT director Todd Miller knew Millar, Inc. needed a backup and recovery solution that would ensure their critical data could be retained indefinitely and conveniently restored to its original state in the event of data loss. Millar implemented Spanning Backup for Office 365 to provide daily, automated backup and the peace of mind to continue innovating in the cloud. The installation took place in a few hours, and the easy-to-use GUI made it a “set it and forget it” data protection service that works seamlessly with Office 365 via a Microsoft API. Millar also chose Spanning Backup for Office 365 because it is HIPAA compliant and provides granular backup and restore capabilities for Mail, OneDrive for Business and Calendar.

As your healthcare organization moves more of its HIT to the cloud, it should ensure that patient data is both secure and recoverable. Cloud backup and restore solutions are a must when determining your cloud data protection strategy.

An earlier version of this article was first published on Microsoft’s healthcare blog.