Blog Archives

The Healthcare Cloud for Data Breach Prevention and HIPAA Compliance

Note: This is blog 4 of 4 in our HIPAA series.

A wave of breaches in 2016 exposed vulnerabilities at the heart of the health care system. This resulted in a new sense of urgency for data security in the industry. Breaches can happen when devices connected to healthcare data aren’t protected, when employees aren’t properly trained, or when data isn’t encrypted or segregated to make it less accessible.

HIPAA compliance is the fundamental building block of better data security for the healthcare industry. This legislation, signed into law during the 1990s and later updated in 2009, provides requirements regarding the confidentiality and privacy of protected health information, or PHI. Of course, it only works if healthcare institutions follow the law and regulations, and implement a compliance program designed to protect the safety of PHI.

The nature and sophistication of cloud computing has the power to revolutionize healthcare and HIPAA compliance. By its very nature, it offers ease of access to patients and healthcare providers, slashes costs for IT departments and improves data security.

Always-on access

HIPAA entitles everyone to access their complete medical record. A cloud environment for a healthcare provider can offer 24/7 access to records, something that’s expected in today’s tech-connected environment.

Many providers offer some form of a patient portal where patients can securely sign on from anywhere. These portals vary in capabilities; some are limited to medical records, while others allow for patient-physician communication and appointment scheduling. The portal should maintain all the security features needed to remain HIPAA compliant.

Slashing costs

Costs can drop dramatically with cloud adoption because cloud computing providers can tailor to health care institutions’ needs and scale up and down with the ebb and flow of their business. This reduces capital expenditure in IT and cuts the salary costs of an IT department. The system changes from being capital-intensive to a pay-as-you-go model that prioritizes agility and scalability over large-scale infrastructure.

If a physician or hospital had their own in-house servers, they’d not only have to pay the initial costs to purchase, but also for maintenance and security. Even then, it is unlikely that their security would be as robust as a cloud solution.

Security

Data security is a critical factor for all cloud service providers, and is a major concern for the healthcare industry. A private cloud with segmented data and limited access is ideal for this purpose. It can handle processes like registration, billing, scheduling and customer feedback, and is a good way to begin a migration to the cloud while the healthcare provider and the cloud company build trust together.

There are many benefits of migrating to the cloud—first-class hardware, sophisticated software resources, and IT professionals. Using a cloud service provider like Mozy by Dell will help healthcare providers in their efforts to safeguard against data breaches, comply with HIPAA, and keep costs under control so that they can focus on delivering health services.

Put a Stop to the Key Data Breach Culprits

Note: This is blog 3 of 4 in our HIPAA series.

During 2016, there were 377 health care data breaches in the U.S., according to ITRC. Between 2012 and 2016, there was an increase in frequency (50 percent), severity (50 percent) and number of records exposed (69 percent). In a single breach of Quest Diagnostics in November 2016, 34,000 people were affected. The threat is escalating all the time, and these statistics point to the vital role the Omnibus Rule must play in the issues of privacy, security and enforcement under the Health Information Technology Act.

The Omnibus Rule seeks to recognize and deal with the increased threats posed to health care data. Hackers are no longer only nefarious individuals looking to make a quick buck. They’re sophisticated criminal operations with vast resources, capable of doing tremendous damage.

Medical records are valuable to hackers and can be sold for up to 50 times more than stolen credit card numbers because they can be used for insurance fraud, to obtain false prescriptions, as well as extortion and simple identity theft.

Steps to implement

Historically, the health care industry has lagged behind in terms of safeguarding sensitive information. Here are steps that should be implemented immediately:

Employee education

In almost every case, a breach begins with a person who has legitimate access to a system sharing that information, knowingly or unknowingly, with a hacker. Through neglect or carelessness, employees often share vital information unwittingly. Educate staff about the ways credentials can be stolen and limit how much data any one staff member can access.

Basic training for new hires goes a long way—annual updates on phishing techniques and other Internet scams make employees more security conscious.

In an all-too-common scenario, employees make mistakes and lose data, or they file things in the wrong place. This sets them up as easy targets for hackers who know where to look. It’s vital that you know where your data is stored and that it is where it’s supposed to be. Isolate your most sensitive data and have additional controls and limited access to it.

Software controls

In a medical environment, any device that goes online is vulnerable and a potential gateway. Laptops, desktops, mobiles and iPads all need antivirus, antimalware and encryption software installed. And just as important, such software must be updated regularly to ensure that your data is being safeguarded with the latest security measures.

Access

If possible, medical institutions should separate guest wireless networks from primary networks, and web filters can be added to restrict widespread Internet roaming on the primary network. Businesses should think about isolating and segmenting data access, ensuring that only those with proper credentials and a need to know can access sensitive and/or electronic personal healthcare data.
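The "need to know" rule above is easiest to see in code. The following is an added example, not code from this post or from Mozy: it combines a role ceiling (the most a role may ever read) with a care-team relationship check, denies by default, and logs every decision so that a later breach investigation can show who read what. The roles, user names, patient ids and records are all constructed for illustration.

```python
"""Need-to-know check for electronic PHI reads, with an audit trail.

Added example, not code from the original post or from Mozy; every role,
user, patient id and record below is constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Role ceiling: the most any holder of this role may ever read.
ROLE_FIELDS = {
    "physician": {"demographics", "diagnoses", "medications", "lab_results"},
    "nurse": {"demographics", "medications"},
    "billing": {"demographics", "insurance"},
    "front_desk": {"demographics"},
}

# Roles whose job needs demographics for any patient (e.g. scheduling); all
# other roles must also be on the patient's care/billing team (need to know).
BROAD_ACCESS_ROLES = {"front_desk"}

# Constructed care-team table: who has a treatment or billing relationship.
CARE_TEAM = {
    "p1001": {"dr_lee", "rn_ortiz"},
    "p1002": {"dr_lee", "bill_kim"},
}

# Constructed record store (stand-in for the EHR database).
RECORDS = {
    "p1001": {
        "demographics": {"name": "Patient One"},
        "diagnoses": ["E11.9"],
        "medications": ["metformin"],
        "lab_results": ["HbA1c 7.1"],
        "insurance": {"plan": "PLAN-A"},
    },
    "p1002": {
        "demographics": {"name": "Patient Two"},
        "diagnoses": ["J45.20"],
        "medications": ["albuterol"],
        "lab_results": [],
        "insurance": {"plan": "PLAN-B"},
    },
}


@dataclass
class AccessLog:
    """Append-only decision log: every read attempt is recorded, granted or not."""
    entries: list = field(default_factory=list)

    def record(self, user, role, patient_id, granted, denied):
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "patient": patient_id,
            "granted": sorted(granted), "denied": sorted(denied),
        })


def read_phi(user, role, patient_id, requested, log):
    """Return (data, denied): data holds only the fields the caller may see.

    Deny by default: an unknown role, an unknown patient, or a missing
    need-to-know relationship yields no data at all.
    """
    requested = set(requested)
    ceiling = ROLE_FIELDS.get(role, set())
    on_team = user in CARE_TEAM.get(patient_id, set())
    record = RECORDS.get(patient_id)

    if record is not None and (role in BROAD_ACCESS_ROLES or on_team):
        granted = requested & ceiling & set(record)
    else:
        granted = set()
    denied = requested - granted
    log.record(user, role, patient_id, granted, denied)
    return {f: record[f] for f in granted}, denied


if __name__ == "__main__":
    log = AccessLog()
    data, denied = read_phi("dr_lee", "physician", "p1001", ["diagnoses", "insurance"], log)
    print("granted:", sorted(data), "denied:", sorted(denied))
    data, denied = read_phi("rn_ortiz", "nurse", "p1002", ["medications"], log)
    print("granted:", sorted(data), "denied:", sorted(denied))
```

The two checks are deliberately independent: the role ceiling stops a billing clerk from ever reading diagnoses, and the care-team check stops a nurse from reading medications for a patient they are not treating, even though nurses may read medications in general. The log records denials as well as grants, which is what makes unusual browsing visible later.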

The value of the cloud

Companies are using the cloud for both efficiency and security purposes. The National Kidney Registry (NKR) took the decision to outsource their data management and security to a cloud provider with the experience and the resources to safeguard their data. NKR director of Education and Development Joe Sinacore explained to HealthITSecurity: “I want the people who have a vested interest in not just protecting my business, but everybody’s business and their own reputation. Seeing all of the resources that they put in on this, I don’t know how you can do it any better than that.”

No system is impenetrable and breaches can and do happen. But knowing where your data resides and who has access to it can help you respond effectively should a breach occur. Be sure to choose a cloud service provider that understands your business. As required by HIPAA, Mozy by Dell offers appropriate safeguards—including those for encryption, password restrictions, and data storage—to help you protect and secure the electronic health information you work with and store.

Next up: The Healthcare Cloud for Data Breach Prevention and HIPAA Compliance

Four Cloud-based Tools that Every Entrepreneur Should Be Using

So what are some of the top cloud-based offerings that are changing the game for entrepreneurs? In many ways, the type of app that you will use depends on the field that you are working in. But there are a few applications that are useful for almost everyone. Let’s take a look at a few examples.

4 tools you should definitely be using

Office 365 or Google Docs: The ability to run an entire office via the cloud is something that many people may take for granted, but it’s made a huge difference to startups that no longer have to pay expensive licensing fees for software that traditionally used to tie them down to one location. Now you can create documents, run business email accounts, share spreadsheets, and collaborate over vast distances with just the click of a button. Furthermore, because so many people are familiar with the interfaces provided by Google and Microsoft, the learning curve is not very steep and new team members can slot into the system quickly and easily.

QuickBooks: Accounting and bookkeeping are very often tough for entrepreneurs who are busy trying to grow their businesses and focus on what they do best, without worrying about keeping good records. A cloud-based accounting program that can track your income and expenses, manage cash flow, and take care of payroll is a life-saver to entrepreneurs.

Mozy: One of the biggest fears of small businesses migrating to the cloud is the idea that they may wake up one day to find all their data has been lost or deleted, and there is no way to get it back. But cloud-based services like Mozy provide rock-solid data protection for growing businesses, offering daily, weekly or monthly backups of critical data, as well as syncing from multiple devices with enterprise-grade encryption and full mobile access.

MailChimp: When it comes to marketing, cloud-based apps have been a godsend for entrepreneurs. Facebook, Twitter, Instagram–all are wonderful marketing tools to get your products and services out in front of customers and build a community of like-minded people who believe in what you do. But at the end of the day, the one marketing tool that is still more powerful than any other is email marketing. Cloud-based bulk email services, like MailChimp or Constant Contact, allow entrepreneurs to build intimate relationships with customers and create working sales funnels that produce sales over and over again. The reporting is world-class too; you get to see who read your mail, what they liked and didn’t like, and much, much more.

How to get started

The beauty of cloud computing is that it allows small businesses to compete effectively with the big players. Start small, see what works, pay only for what you use, then scale up when things are going well and down when things are quiet. That’s the secret to getting the most out of the cloud.

Air gapping: What is it and when is it the right security measure for you?

As more and more organizations commit their sensitive resources to the cloud, and consumers demand faster and easier access to their online data, the issue of data security has become more important and relevant to users. There are many ways to increase digital security measures, from better passwords and multi-level authentication to encryption and segmentation of data. But one of the most foolproof, and least understood, security concepts is that of air gapping.

What is air gapping? According to reference site Whatis.com, an air-gapped computer “is physically segregated and incapable of connecting wirelessly or physically with other computers or network devices.” In addition to that physical removal from a network, a gap is specified between the computer and the outside walls, as well as between the wires servicing the air-gapped system and all the other systems in the physical space. By observing these rather extreme measures, the possibility of data being stolen or exfiltrated via electromagnetic means is removed.

It stands to reason that when a computer is not connected to the Internet, or to a network that is connected to the Internet, the chances of data theft are extremely remote. That’s why air-gapped computers are often used in military applications, or in retail institutions that process large amounts of money via online transactions, and even in industrial situations that control critical infrastructure.

So how does data get into an air-gapped system in the first place? Very methodically, either by USB or by a removable storage device, which is disconnected as soon as the data is transferred. Until quite recently, air gapping was thought of as being an impenetrable form of security, due to the fact that physical access to a machine was the only way to breach its defenses, and that access could be carefully controlled. But the Stuxnet virus, which was designed to breach Iran’s nuclear program, laid waste to that notion. According to Wired magazine, “Computer systems controlling the centrifuges were air gapped, so the attackers designed Stuxnet to spread surreptitiously via USB flash drives. Outside contractors responsible for programming the systems in Iran were infected first and then became unwitting carriers for the malware when they brought their laptops into the plant and transferred data to the air-gapped systems with a flash drive.”

More recently, Israeli researchers found a way to use radio waves and devices to siphon off data from air-gapped machines, effectively proving that no system is utterly impregnable. Yet it is still a first-class security measure.

Are there cases when air gapping would be appropriate for a small business? Certainly. In an average small business that has 15 to 25 computers connected to the Internet, there is a good chance that the business has some sensitive data which it needs to protect closely. There would be a strong case for air gapping one particular machine which contains that sensitive data, and delegating one person to be in charge of importing and exporting data from that particular machine on a regular basis.
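The Stuxnet story above and the suggestion of one person in charge of imports both point at the same control: whatever crosses the gap on removable media should be checked before it is copied onto the isolated machine. The following is an added example, not code from this post or from Mozy. It assumes the sending side ships a manifest of SHA-256 hashes alongside the files, that only data formats (not executables or scripts) are ever meant to cross, and that the designated person runs this gate on a staging machine before the import. The drive contents and manifest are constructed for illustration.

```python
"""Import gate for files arriving on removable media at an air-gapped machine.

Added example, not from the original post or from Mozy. It assumes the
sending side ships a manifest of SHA-256 hashes alongside the files, and
that the person responsible for imports runs this check before copying
anything onto the isolated system. All sample files are constructed.
"""
import hashlib
from pathlib import PurePosixPath

ALLOWED_SUFFIXES = {".csv", ".txt", ".pdf"}   # data formats only, never code
MAX_BYTES = 50 * 1024 * 1024                  # per-file size cap (assumed policy)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def vet_transfer(media_files, manifest):
    """Decide which files may cross the gap.

    media_files: {name: bytes} as read from the removable device.
    manifest:    {name: sha256 hex} produced on the sending side.
    Returns (sorted accepted names, {rejected name: reason}).
    """
    accepted, rejected = [], {}

    # Anything present on the media that the sender never listed (autorun
    # files, stray binaries) is rejected before it is even looked at.
    for name in media_files:
        if name not in manifest:
            rejected[name] = "not listed in manifest"

    for name, expected in manifest.items():
        if name in rejected:
            continue
        # Plain file names only; no directory traversal via the manifest.
        if PurePosixPath(name).name != name or "\\" in name:
            rejected[name] = "unsafe file name"
            continue
        data = media_files.get(name)
        if data is None:
            rejected[name] = "listed but missing from media"
            continue
        # suffix() looks at the last extension, so "report.pdf.exe" is ".exe".
        if PurePosixPath(name).suffix.lower() not in ALLOWED_SUFFIXES:
            rejected[name] = "file type not allowed"
            continue
        if len(data) > MAX_BYTES:
            rejected[name] = "exceeds size limit"
            continue
        if sha256_hex(data) != expected:
            rejected[name] = "hash mismatch"
            continue
        accepted.append(name)

    return sorted(accepted), rejected


# Constructed sample: what the drive holds vs. what the sender declared.
LABS = b"patient_id,test,value\np1001,HbA1c,7.1\n"
EXE = b"MZ\x90\x00 constructed placeholder, not a real executable"
MEDIA_FILES = {
    "labs.csv": LABS,
    "notes.txt": b"edited after the manifest was written",
    "update.exe": EXE,
    "autorun.inf": b"[autorun]\nopen=update.exe\n",
}
MANIFEST = {
    "labs.csv": sha256_hex(LABS),
    "notes.txt": sha256_hex(b"original notes"),
    "update.exe": sha256_hex(EXE),
}

if __name__ == "__main__":
    ok, bad = vet_transfer(MEDIA_FILES, MANIFEST)
    print("accepted:", ok)
    for name, reason in bad.items():
        print(f"rejected {name}: {reason}")
```

Only `labs.csv` passes in the sample: the autorun file was never declared, the executable is declared but not an allowed type, and the notes file was changed after the sender hashed it. The manifest hash guards against tampering in transit; the type allowlist is what keeps a declared-but-malicious binary from being carried across the way the Stuxnet passage describes.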

The physical distance between an air-gapped machine and a network, coupled with strict control over who interacts with that machine, is one more way to ensure that sensitive data is protected in this day and age.