Welcome to Tales from the Unencrypted.
Beware: these stories of medical data breaches are so chilling they may make your blood run cold.
- In 2012, a laptop belonging to a Texas cancer center went missing from the home of a physician-researcher. Its contents? Ten years' worth of unencrypted PHI belonging to more than 30,000 patients, including names, social security numbers, and clinical information.
- August 2017: An addiction center in Georgia discovered suspicious emails being sent from an employee's account. The incident was the work of a hacker, who had gained access to the employee account and used it to send spam, while being privy to the personal information of nearly 1,300 patients.
Established in 1996 to safeguard patients' health information and history, The Health Insurance Portability and Accountability Act - or HIPAA - is serious business. And there are countless stories like these that reinforce the need for such scrutiny.
The cloud is no exception.
Healthcare plans and providers seeking to store or transmit patients' electronic protected health information (ePHI) via the cloud must follow rigorous and revolving compliance regulations that HIPAA set forth.
Encrypting client data, both in transit and at rest, is critical, and establishing dual levels of protection - such as sending encrypted files over an encrypted connection - is considered best practice.
Agencies covered under HIPAA should consider the following when enlisting a cloud hosting company to handle sensitive data:
- Before hiring a cloud service provider (CSP) to store or process ePHI, a BAA (business associate agreement) should be established, outlining how this information can be disclosed and used.
- Expectations regarding system availability, reliability, backup, data recovery, and more should be outlined separately in a Service Level Agreement (SLA) between the hiring agency and the CSP.
- If a CSP experiences a security incident, it must notify the hiring agency, take steps to mitigate any adverse effects, and document the events and their outcomes.
- Seek a provider whose services are readily scalable, and whose expertise can meet your agency's unique needs.
Taking the proper measures to protect sensitive personal health information can protect your agency from the following scares:
- Considerable HIPAA-related fines.
- A tarnished reputation in the eyes of patients and peer organizations.
- Costly litigation and lawsuits.
Choosing a cloud service provider who offers the appropriate controls and processes is critical. GovDataHosting's services have been the subject of comprehensive audits, which subsequently verified proper implementation of required HIPAA controls and stability of the company's cloud infrastructure.
GovDataHosting is one of a few cloud IaaS solutions to offer HIPAA cloud compliant hosting exclusively for government customers. We can help your agency protect its ePHI. Reach out today to request a consultation or quote.