By Scott Walters, Director of Security, INetU
Currently, technology companies – whether they’re cloud providers, EHR services firms or SaaS providers – are directly liable to the U.S. Department of Health & Human Services for securing any protected health information (PHI) they’re entrusted with. This is a significant change from the previous policy, under which technology companies were only required to sign agreements assuring that they employed best practices and that they would provide breach notifications to help their customers maintain compliance.
This policy change (which went into effect last September) not only puts more accountability on technology companies, but also introduces the risk of fines that could reach the million-dollar range. Take the Massachusetts Eye and Ear Infirmary (MEEI), for example. After a MEEI doctor’s laptop was stolen while the doctor was traveling in Asia, PHI was exposed, and MEEI was ordered to pay $1.5 million in fines. Blue Cross Blue Shield of Tennessee was also ordered to pay $1.5 million after 57 unencrypted hard drives were stolen from a leased training facility, compromising 1 million patient records.
In addition to demonstrating the potential costs of a breach, both the MEEI and Blue Cross Blue Shield of Tennessee cases show that many of the biggest healthcare and HIPAA breaches are caused by unencrypted data and local storage of PHI. This pattern presents an opportunity for technology providers that offer services to manage this type of data, because with some planning, SaaS and EHR providers can offer cloud services that are more HIPAA-ready than their customers’ on-premise solutions.
So, how can SaaS and EHR providers offer HIPAA-ready solutions? First, they must have adequate security measures within their own cloud infrastructure. With insecure local storage of information serving as one of the main sources of HIPAA breaches, technology providers should work to eliminate that class of breach by designing their architecture so that PHI is never stored locally on the devices used to access it in the cloud.
Second, they must enable strong encryption for data in motion. They must also classify customer data and segment the networks and systems containing sensitive PHI away from lower-risk parts of their infrastructure. Technology providers should likewise enable the strongest available encryption on the databases holding that sensitive PHI, and they should control who can access the information – both users within their healthcare clients’ organizations and the administrators at their own company, the latter through strong privileged access controls.
The ability to log and report on data access in order to prove compliance is also crucial. SaaS and EHR providers should give their customers strong and flexible access control connectors so that it is possible to determine who is looking at what data. They should also have a method for centrally collecting and retaining their logs so they can demonstrate compliance to both clients and auditors.
Providing HIPAA-ready cloud services may seem like a daunting task. Luckily, there’s help. Hosting providers can often provide counsel on architecture for SaaS and EHR companies. They’re well-versed in HIPAA and HITECH requirements and can work with technology providers to ensure compliance, so that those providers can focus on growing their own business rather than getting bogged down in rules and regulations.
That said, I urge you to carefully evaluate any hosting provider you may choose to work with when architecting for HIPAA compliance. Inquire about their network security and network controls. Ask about their patch management services for hosted assets, their monitoring of systems and applications, and their reporting capabilities (in case of an audit). Lastly, ask about the provider’s team’s expertise in HIPAA, their willingness to provide counsel and how willing they would be to get involved in the event of an OCR audit.
As a SaaS or EHR provider, it’s a terrifying thing to realize you’re liable in a breach. Luckily, proper architectural changes can help, and hosting providers can serve as expert allies here. So I urge you to view HIPAA compliance not as a scary or overwhelming concept, but rather, as an opportunity. Optimizing your architecture for HIPAA readiness can drive new revenue streams for your business and provide your customers with an invaluable security advantage.