Many entities are thinking about migrating their applications and PHI to the cloud. While there are many benefits to doing this, there are also risks.
Some of the benefits of cloud computing are:
With all of these benefits, entities must also be aware of the risks and how to mitigate them.
In cloud computing, where shared resources — hardware infrastructure, software, and data storage — are constantly changing hands among different users, securing PHI is like shooting at a moving target. With the exception of a private cloud environment, covered entities have little or no control over where or how their data is moved, processed, and stored.
This lack of control presents compliance issues for the covered entity. As noted in The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security, a seminal report by the American National Standards Institute (ANSI), The Santa Fe Group/Shared Assessments Program Healthcare Working Group, and the Internet Security Alliance (ISA), the covered entity is as responsible for the security of its PHI on the cloud as it is for PHI in its own environment. What's more, the report says, both the covered entity and the cloud provider could be subject to penalties under HIPAA and/or state regulations for a breach of PHI.
So what can you do to protect PHI in the cloud?
While covered entities have little control over the security of their PHI in a cloud environment, they can control their response to a data breach. An inventory of Personal Identification Information and PHI, as well as privacy and security risk assessments, can help demonstrate compliance and mitigate the impact of a data breach. Likewise, health entities should enact an incident response plan that includes roles and responsibilities for team members during a privacy event and provides instructions on determining notification requirements, including to regulatory authorities. And, of course, nothing can replace an organization's commitment to its patients, whether through caring, appropriate notification, consumer education, medical identity monitoring and recovery, or other remediation services.
© Copyright 2014 ID Experts