WannaCry? You will if you don’t back up!

This blog was written by Jerome Bachelet, Mozy Systems Engineer; and Ela Moraru, Mozy Associate Systems Engineer 1

You’ve no doubt heard about the “Wanna” ransomware virus. Known by various names—including WannaCry, WannaBe, and WannaCrypt—this ransomware outbreak has spread globally and rapidly, affecting more than 250,000 computers in more than 150 countries in just a few short days. Individuals and businesses have been infected by the virus in the UK, Spain, US, and Russia.

What’s it do?

The Wanna ransomware infiltrates Windows machines and encrypts files, changing their extensions (for example, .wnry, .wcry, .wncry and .wncrypt) and making the files inaccessible to end users and applications. It impacts all Windows operating systems, from Windows XP to Windows 10, including the Server editions. Wanna uses a worm executable to spread further through local networks and the Internet, infecting any other Windows computers it can reach via the network. The scale of the attack prompted Microsoft to take the highly unusual step of releasing patches for unsupported operating systems, including Windows XP.

The goal of any ransomware is to incapacitate as many files and applications as possible; thus, most ransomware is designed to infiltrate IT systems at the end user and then penetrate application servers.

It’s widespread and ongoing—and it’s paralyzing

Wanna is so devastating because it paralyzes any computer it can access and then causes application failures for systems that have a dependency on Windows OSs—like phone systems, email servers, and Microsoft SQL based applications. As of this writing, Wanna has infected more than 230,000 computers and has been identified in 150 countries. Wanna is so widespread that it has been localized into 28 languages.

Hundreds of victims have paid various amounts of ransom to bitcoin wallets in exchange for a decryption key that might allow them to regain access to their files. Unfortunately, decrypting files does not mean the malware infection itself has been removed from the computer. Even if your files are decrypted, there is no foolproof way to remove the ransomware, other than wiping your hard drive and reinstalling Windows.

How does it work?

Warning! A ransomware disaster usually, but not always, starts with a user clicking something they shouldn’t be clicking; for example, a suspicious attachment in an email.

There is a debate about exactly how the Wanna malware first broke out, but what is undeniable is that once the virus gains access to a system, it spreads unwittingly across unprotected SMB ports. Frustratingly, there has also been a spike of email phishing attacks based on the panic caused by Wanna. In these cases, a user is directed to open an email attachment or visit a website where the ransomware is presented, masquerading as a legitimate attachment or download.

Upon execution, Wanna kills several system processes that may be locking files and grants itself full permission to every user account on the system.

Wanna then scans all drives (local and network) for 170+ file types and encrypts all the files with a new extension. Next, Wanna hard-deletes all the original files (bypasses the Recycle Bin). Files that are stored in a share, or synchronized via Google Drive, OneDrive, Dropbox, etc., will also be encrypted. Sync tools will automatically propagate the encrypted files to the cloud storage, and those files will appear on any other devices linked to the sync service.

Wanna removes any Shadow Volume Copies, disables Windows startup recovery, clears Windows Server Backup history, and bypasses the Recycle Bin, thus preventing any recovery from the Windows system itself. Wanna changes the end-user wallpaper and displays a pop-up dialog box with instructions to send $300 worth of bitcoin in exchange for a key that will theoretically decrypt the files. The ransom will increase at a regular cadence, and the end user has 7 days to pay the ransom.

How can Mozy help?

Although Mozy by Dell cannot prevent a ransomware outbreak, millions of customers rely on the Mozy backup service to help avoid ransomware disasters. When a ransomware infection occurs, restoration of an endpoint or server from a backup works best when you can easily select a moment in time from where to restore. Once you have identified the point of infection (user and file) and the time the malware was introduced to the machine, Mozy can restore all of the files for the given user from the point in time just before the malware was introduced.

It’s true that there are a few dollars to be made through ransomware exploiting desktop and laptop computers; however, the primary focus of hackers is to make their money at the application server level. More than 95% of all ransomware attacks occur at the edge (that is, desktop and laptop computers). That’s where Mozy can help victims become productive again.

In the case of the Wanna virus, once the ransomware infection has been removed, Mozy would be reinstalled and re-activated with the original account. From the Restore window, the user would use the calendar to select the last healthy version of the files, select all of the files, and then click Restore. Mozy will automatically restore all the files to their original location in their original state.
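The restore procedure above depends on knowing when encryption began and which folders were hit. The following is an added example, not code from the original post or from Mozy: it walks a directory tree for the Wanna extensions listed earlier, finds the earliest encrypted file, and proposes a restore cutoff. The function names, the 30-minute safety margin, and the sample tree are assumptions constructed for illustration, and the result is only meaningful if file modification times have not been altered.

```python
import os
import tempfile
from collections import Counter
from datetime import datetime, timedelta, timezone

# Extensions the article lists for files encrypted by Wanna.
WANNA_EXTENSIONS = (".wnry", ".wcry", ".wncry", ".wncrypt")


def find_encrypted_files(root):
    """Yield (path, modification time in UTC) for each Wanna-renamed file."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(WANNA_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            try:
                mtime = os.stat(path).st_mtime
            except OSError:
                continue  # file disappeared or is unreadable; skip it
            yield path, datetime.fromtimestamp(mtime, tz=timezone.utc)


def summarize_infection(root, safety_margin=timedelta(minutes=30)):
    """Summarize the encrypted files under root, or return None if clean.

    The malware was present at or before the first encrypted file was
    written, so the restore point must be earlier than that time. The
    safety margin is an assumed buffer, not a value from the article.
    """
    hits = sorted(find_encrypted_files(root), key=lambda hit: hit[1])
    if not hits:
        return None
    first_path, first_seen = hits[0]
    per_folder = Counter()
    for path, _when in hits:
        parts = os.path.relpath(path, root).split(os.sep)
        # Group by top-level folder (for example, one folder per user).
        per_folder[parts[0] if len(parts) > 1 else "."] += 1
    return {
        "encrypted_files": len(hits),
        "first_file": first_path,
        "first_seen_utc": first_seen,
        "last_seen_utc": hits[-1][1],
        "restore_before_utc": first_seen - safety_margin,
        "files_per_folder": dict(per_folder),
    }


def build_sample_tree(root):
    """Create a small constructed tree (not real incident data) under root."""
    base = datetime(2017, 5, 15, 8, 0, tzinfo=timezone.utc)
    sample = {
        os.path.join("alice", "report.docx.wncry"): base + timedelta(minutes=24),
        os.path.join("alice", "photos", "cat.jpg.WNCRY"): base + timedelta(minutes=25),
        os.path.join("bob", "budget.xlsx.wcry"): base + timedelta(minutes=31),
        os.path.join("bob", "notes.txt"): base - timedelta(days=3),  # untouched
    }
    for rel, when in sample.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as handle:
            handle.write(b"constructed sample data")
        stamp = when.timestamp()
        os.utime(path, (stamp, stamp))
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as demo_root:
        build_sample_tree(demo_root)
        summary = summarize_infection(demo_root)
        for key, value in summary.items():
            print(f"{key}: {value}")
```

Run it against a mounted copy of the affected volume rather than the live system, and treat `restore_before_utc` as the latest candidate restore point, not a confirmed clean one.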

To learn how you can use Mozy as a second line of defense for your data and to prevent a ransomware disaster, visit Mozy by Dell.

Mozy at Dell EMC World

While in college, I was fortunate to have two internships with EMC. When I came on board to work the summer months, some of my co-workers were just returning from EMC World. I knew these conventions were a big deal, but how big? Last week I had the opportunity to attend the first joint Dell EMC World located in Las Vegas.

When I checked in for the event on Sunday afternoon, I was able to walk the show floor. I have never felt so small in a building! The convention was set to take place in the 1.5 million square foot Venetian convention center, which now looked much more like a construction site than a trade show. There were workers with hard hats, forklifts buzzing around like bees, and people running electrical wires from the rafters to light up the snazzy booths in the coming week.

I woke up Monday morning to attend the Michael Dell keynote that would officially kick off Dell EMC World 2017. I found myself surrounded by roughly 12,000 IT practitioners, business decision makers, analysts, and customers funneling into the conference hall to listen to what Michael had to say.

After the keynote and announcements of future technologies, it was time for the solutions expo to open. Walking on the show floor Monday afternoon was a much different vibe than Sunday during registration. There was booth signage hanging from the ceiling every direction you looked, bright lights flickering in the background, a BMW i8 in the middle of the show floor, and my favorite—an obstacle course for drones!

After quickly checking out the 150+ booths, it was time to staff the Data Protection booth and speak with customers and prospects. Because I work on the marketing team, I don’t speak with customers as often as I would like. However, while staffing the booth, I had the opportunity to speak with Mozy customers, prospects, analysts, and folks from all around the world. It was a very gratifying feeling to speak with Mozy customers and hear their stories about how Mozy has saved the day, or how Mozy is helping in their company’s IT transformation.

On Tuesday night, Mozy hosted a customer appreciation dinner at the Venetian. It was an excellent opportunity to get to know each other better.

All in all, Dell EMC World surpassed my expectations. I now have a much better understanding of Dell’s motto, “Go Big, Win Big.” Dell EMC World 2017 was just that. I’m already looking forward to next year’s Dell EMC World. Maybe I’ll see you at the Mozy booth!

Mozy Employee Receives Deloitte UCC Executive Graduate of the Year Award

It’s always good to hear about team members who have achieved something beyond the ordinary.

Recently, Kris Meulemans, a Mozy senior sales engineer based in Cork, Ireland, and servicing our EMEA customers, received an MBA from the University College Cork and was presented with the Deloitte UCC Executive Graduate of the Year award for finishing at the top of the class.

From left to right: Thomas Healy, Mozy Business Operations Director, Dell EMC; Honor Moore, Partner, Deloitte; Kris Meulemans, award recipient and Mozy Senior Sales Engineer, Dell EMC; Patrick O’Shea, President, University College Cork; and Joan Buckley, Academic Director UCC Executive MBA. Photo by Tomas Tyner, UCC.

The Deloitte UCC Executive Graduate of the Year award is presented to the outstanding student of each graduating class to acknowledge their academic achievement and overall contribution to the MBA program. This is the first instance of a Dell EMC employee receiving this prestigious award.

As part of the celebrations, Kris, his partner Katelijne, and Thomas Healy, a representative from the Dell EMC management team, met with UCC’s president, Professor Patrick O’Shea; Honor Moore, partner at Deloitte; and Joan Buckley, the academic director 2015/2016 of the Executive MBA.

Presenting the award, Moore said, “Deloitte is honored to be associated with this prize, which recognizes excellence in business leadership education.” She complimented Kris’ achievement on getting the highest marks in the class.

Dr. Buckley congratulated Kris for his academic achievements and overall contribution to the class. “With this prize we recognize an executive who has shown exceptional ability,” she said.

Asked about his experience working toward his MBA, Kris said, “The MBA taught me the frameworks and tools to tackle very diverse and complex situations and have proved immediately applicable within my role. But equally, if not more important, the MBA continually challenges you to think on a higher level and broaden your horizon through the interaction with a wonderful team of lecturers and co-students. And perhaps the most important, it makes you realize the value of your family and friends as a support network, without which this achievement wouldn’t have been possible.”

The senior sales engineer role includes consulting with customers on their SaaS strategy together with the sales team, interfacing with Product Management and Engineering functions on the future products as well as training new Sales and Pre-Sales team members. When asked about Kris’ accomplishments, Steven Wood, Mozy’s senior Pre-Sales manager, said, “Kris has an insightful appreciation of customer needs and the challenges they face with modern IT and cloud computing. His attention to detail and dedication to every goal is exemplified by this award.”

Congratulations, Kris, from all of us on the Mozy by Dell team!

Kris is one of the many professionals working at Mozy—and working for you!—to make Mozy online backup the most trusted name in cloud data protection.

2017 Ransomware Update

Ransomware, a specific form of malicious software that encrypts files on your computer until a ransom is paid, ebbs and flows in fads like other online scams. In 2017 the ransomware landscape has seen the return of some old tricks as well as the evolution of an old threat. Here’s a look at the current state of ransomware and what you can do to prevent it.

Open-source software

Most people know open-source software for helpful alternatives to Microsoft Office or a music player that reads a plethora of file types unlike iTunes. However, open-source ransomware has become a much more prominent issue in recent months. While most demand a monetary ransom be paid, the open-source nature of the code has given rise to stranger demands. For example, one iteration demands that you achieve a certain level on an online video game before your files are restored. Another recent version simply makes the victim watch a video educating the victim about what ransomware is.

Expanded distribution

Ransomware, like the examples mentioned above, is typically distributed through email with an attachment. The sender may be a cunningly disguised email address that looks like a friend’s, family member’s, or colleague’s address. Often the software is attached and disguised as a document. However, in April 2017, distribution changed shape. Companies in Europe received emails with an included hyperlink that took users to a Dropbox link with a file disguised as an invoice.

Locky returns and Cerber evolved

Locky was discovered in 2016 embedded in a Microsoft Word document. After its discovery, users caught on quickly and the threat seemed to be mitigated by most moderately aware users. However, in May 2017, Locky got a makeover and was found embedded in a PDF that has a link that leads to a .docm. Once the .docm file is opened, it opens an invisible connection to another server from which it downloads the ransomware.

In the same month Locky was reborn, Cerber evolved. Like its previous versions, it is still disseminated via spam emails with an attachment. So what has changed? Once the file is open, Cerber 6 is able to download and run another virus that utilizes Windows Firewall’s technology and blocks any attempt at detection while the ransomware is downloaded. As firewalls have been equipped with machine learning, hackers have created new ways of circumventing cybersecurity.

Prevention and solutions

No matter the new form of ransomware, there is always one hurdle it must leap before your computer and files are infected, and that’s tricking you into clicking a malicious link or downloading a malicious file. Educate family, friends, and colleagues about what scam email addresses look like. Usually, users whose computers became infected with ransomware did not invest any time or effort to verify the origin of suspicious emails or attachments. Furthermore, victims of ransomware also open macros or click on suspicious links. Refrain from opening files or links within unverified emails. If you’re a victim of ransomware, there are decryption tools that can decrypt some strains of ransomware or prevent screen locks altogether. However, prevention should be paramount.

Mozy by Dell knows how to beat ransomware

Data stored in the Mozy cloud is protected from ransomware. Learn why programs, including viruses, cannot execute or run in the Mozy cloud and cannot infect files stored there: Ransomware: Frequently Asked Questions.

You can prevent a ransomware disaster. Check out our white paper.

Is Your Data Protected?

Did you hear about the company that was fined $2.5 million by the feds as a result of a HIPAA breach penalty? A laptop with protected health information for approximately 1,400 patients was stolen. Unfortunately, the computer was not protected with the safeguards required by the Health Insurance Portability and Accountability Act (HIPAA). As a result, electronic protected health information (ePHI) was compromised.

Although threats to business data are everywhere—think ransomware, hard drive failure, theft, user error, and more—you can prevent data loss (and avoid fines for non-compliance!) by backing up your data and ensuring that your backups are occurring on a regular basis.

First, let’s consider some of the threats. Next, let’s briefly discuss how Mozy can help you prevent a data disaster.

What could possibly go wrong?

If any of the following questions cause you to want to change the subject, or you’re just not sure of a proper course of action, be sure to read the next section!

   •     What would you do if your laptop were stolen? Do you have a process in place that allows you to recover your data?
   •     What would you do if your hard drive failed and you could no longer access the data on your computer?
   •     What would you do if you spilled coffee on your laptop and it suddenly died as a result?
   •     What would you do if you logged on to your desktop and saw a ransomware message indicating that your files were locked and demanding a bitcoin ransom in return for a decryption key to allow you to regain access to your data?
   •     Do you handle ePHI, and do you know if that information is in compliance with the HIPAA Security Rule?


Prevent a data disaster

I just didn’t expect that

Maybe your laptop was stolen during a business trip, or maybe you forgot you placed it on the roof of your car while searching for your keys and then drove off. Maybe you liquidated your laptop with a large latte. Or maybe your hard drive just failed. With the Mozy backup service you can use Mozy’s restore manager to download all of your files (to your new computer!) from the safety of the Mozy cloud.

“Your personal files are encrypted! Pay!”

The last thing anyone wants to see on their computer screen is a message like, “Your personal files are encrypted! Pay!” In the event that your computer is infected by ransomware, Mozy offers a second line of defense. Mozy ensures that backups are frequent and reliable, so in the event of a ransomware attack, you can recover data to a point in time prior to the attack.

ePHI and HIPAA

If your business handles ePHI, you have a legal obligation to keep that information confidential and protected from those not authorized to view it. Mozy safeguards ePHI with strong encryption (which includes a required encryption key); your data is encrypted during backup and at rest. Your corporate encryption key or personal encryption key is known only by you.

We’ve got your back (up)

Using enterprise-grade encryption, Mozy protects the data you rely on to keep your business up and running and allows you to recover lost, damaged, or stolen data quickly. (A note about ransomware: It’s important to remember that simple backup is not enough to ensure your files are protected from ransomware. Mozy keeps up to one year of file versions. If you have identified the point of infection and the time the malware was introduced to the computer, Mozy can restore all of the files for the given user from the point in time just before the malware was introduced.)

For more information, visit Mozy by Dell.

Without cloud backup, customer would have experienced a data disaster

Our job is to back up and protect your data. But that’s not the whole story. We strive to provide the best customer support and do all within our power to ensure that our customers have the absolute best experience possible with Mozy. And in some ways, the best experience you can have is to forget that we’re backing up your data. After all, Mozy backup is automatic. No-worry, hassle-free backups that you schedule based on your needs.

Of course, we’re always pleased to hear from our customers, whether it’s to tell us why they love using Mozy by Dell, or even to let us know how we can improve their experience with our software and service.

Recently we received the following unsolicited email from one of our customers. We’re sharing it because (1) we’re proud of what we do for our customers, and (2) we’re both humbled and delighted when Mozy can save the day by helping a customer avoid a data disaster.

“Within the past few months, we have had a couple of emergencies that necessitated a restore of files that were located on our company’s main storage server. One of these emergencies was a ransomware virus that, had we not had automatic, off-site backup, would have resulted in disaster. The customer service representatives at Mozy worked with me throughout the restore process, and even after, to make certain that the needed files were never truly in any danger. They made sure that the Mozy backup software was set up just right going forward to see to it that we would be up and running in no time should a similar emergency occur again. I cannot recommend Mozy software, or its employees, highly enough.” 
—Jeff Garfinkel, Reliant Health Care Services

Thanks, Jeff, for your email. We are pleased to have you as a Mozy customer!

Jeff is one of our many customers and one of many we’ve heard from since our humble beginnings. We’ve been backing up our customers’ data since 2005. Today we back up and protect mission-critical data for more than 6 million users. We also back up more than 100,000 businesses and 1,000 enterprise customers.

Check out what our customers say about us in these Mozy testimonials.

To each of our customers, thank you for using Mozy by Dell!

The Healthcare Cloud for Data Breach Prevention and HIPAA Compliance

Note: This is blog 4 of 4 in our HIPAA series.

A wave of breaches in 2016 exposed vulnerabilities at the heart of the healthcare system. This resulted in a new sense of urgency for data security in the industry. Breaches can happen when devices connected to healthcare data aren’t protected, when employees aren’t properly trained, or when data isn’t encrypted or segregated to make it less accessible.

HIPAA compliance is the fundamental building block of better data security for the healthcare industry. This legislation, signed into law during the 1990s and later updated in 2009, provides requirements regarding the confidentiality and privacy of protected health information, or PHI. Of course, it only works if healthcare institutions follow the law and regulations, and implement a compliance program designed to protect the safety of PHI.

The nature and sophistication of cloud computing has the power to revolutionize healthcare and HIPAA compliance. By its very nature, it offers ease of access to patients and healthcare providers, slashes costs for IT departments and improves data security.

Always-on access

HIPAA entitles everyone to access their complete medical record. A cloud environment for a healthcare provider can offer 24/7 access to records, something that’s expected in today’s tech-connected environment.

Many providers offer some form of a patient portal where patients can securely sign on from anywhere. These portals vary in capabilities; some are limited to medical records, while others allow for patient-physician communication and appointment scheduling. The portal should maintain all the security features needed to remain HIPAA compliant.

Slashing costs

Costs can drop dramatically with cloud adoption because cloud computing providers can tailor to health care institutions’ needs and scale up and down with the ebb and flow of their business. This reduces capital expenditure in IT and cuts the salary costs of an IT department. The system changes from being capital-intensive to a pay-as-you-go model that prioritizes agility and scalability over large-scale infrastructure.

If a physician or hospital had their own in-house servers, they’d not only have to pay the initial costs to purchase, but also for maintenance and security. Even then, it is unlikely that their security would be as robust as a cloud solution.

Security

Data security is a critical factor for all cloud service providers, and is a major concern for the healthcare industry. A private cloud with segmented data and limited access is ideal for this purpose. It can handle processes like registration, billing, scheduling and customer feedback, and is a good way to begin a migration to the cloud while the healthcare provider and the cloud company build trust together.

There are many benefits of migrating to the cloud—first-class hardware, sophisticated software resources, and IT professionals. Using a cloud service provider like Mozy by Dell will help healthcare providers in their efforts to safeguard against data breaches, comply with HIPAA, and keep costs under control so that they can focus on delivering health services.

Put a Stop to the Key Data Breach Culprits

Note: This is blog 3 of 4 in our HIPAA series.

During 2016, there were 377 health care data breaches in the U.S., according to ITRC. Between 2012 and 2016, there was an increase in frequency (50 percent), severity (50 percent) and number of records exposed (69 percent). In a single breach of Quest Diagnostics in November 2016, 34,000 people were affected. The threat is escalating all the time and what these statistics point to is the vital role the Omnibus Rule must play around the issues of privacy, security and enforcement under the Health Information Technology Act.

The Omnibus Rule seeks to recognize and deal with the increased threats posed to health care data. Hackers are no longer only nefarious individuals looking to make a quick buck. They’re sophisticated criminal operations with vast resources, capable of doing tremendous damage.

Medical records are valuable to hackers and can be sold for up to 50 times more than stolen credit card numbers because they can be used for insurance fraud, to obtain false prescriptions, as well as extortion and simple identity theft.

Steps to implement

Historically, the health care industry has lagged behind in terms of safeguarding sensitive information. Here are steps that should be implemented immediately:

Employee education

In almost every case, a breach begins with a person who has legitimate access to a system sharing that information, knowingly or unknowingly, with a hacker. Through neglect or carelessness, employees often share vital information unwittingly. Educate staff about the ways credentials can be stolen and limit how much data any one staff member can access.

Basic training for new hires goes a long way—annual updates on phishing techniques and other Internet scams make employees more security conscious.

In an all-too-common scenario, employees make mistakes and lose data, or they file things in the wrong place. This sets them up as easy targets for hackers who know where to look. It’s vital that you know where your data is stored and that it is where it’s supposed to be. Isolate your most sensitive data and have additional controls and limited access to it.

Software controls

In a medical environment, any device that goes online is vulnerable and a potential gateway. Laptops, desktops, mobiles and iPads all need antivirus, antimalware and encryption software installed. And just as important, such software must be updated regularly to ensure that your data is being safeguarded with the latest security measures.

Access

If possible, medical institutions should separate guest wireless networks from primary networks, and web filters can be added to restrict widespread Internet roaming on the primary network. Businesses should think about isolating and segmenting data access, ensuring that only those with proper credentials and a need to know can access sensitive and/or electronic personal healthcare data.

The value of the cloud

Companies are using the cloud for both efficiency and security purposes. The National Kidney Registry (NKR) took the decision to outsource their data management and security to a cloud provider with the experience and the resources to safeguard their data. NKR director of Education and Development Joe Sinacore explained to HealthITSecurity: “I want the people who have a vested interest in not just protecting my business, but everybody’s business and their own reputation. Seeing all of the resources that they put in on this, I don’t know how you can do it any better than that.”

No system is impenetrable and breaches can and do happen. But knowing where your data resides and who has access to it can help you respond effectively should a breach occur. Be sure to choose a cloud service provider that understands your business. As required by HIPAA, Mozy by Dell offers appropriate safeguards—including those for encryption, password restrictions, and data storage—to help you protect and secure the electronic health information you work with and store.

Next up: The Healthcare Cloud for Data Breach Prevention and HIPAA Compliance

Cloud Computing and Healthcare: Understanding the HIPAA Omnibus Rule

Note: This is blog 2 of 4 in our HIPAA series.

Now that you’re equipped with a basic understanding of HIPAA provisions, and how they apply to Covered Entities (CEs) and Business Associates (BAs), it’s time to dig deeper and look at some of the most important changes to this legislation during the last few years. The Omnibus Rule is the most relevant to health care because it governs, at least in part, the way health agencies leverage and interact with cloud computing services.

HIPAA highlights

Before diving into HIPAA changes and cloud compliance highlights, here’s a refresh: The Health Insurance Portability and Accountability Act (HIPAA) was adopted in 1996 and lays out specific regulations for companies that handle electronic protected health information (ePHI). Critically, these companies are responsible for keeping records of all disclosures of PHI, encrypting all PHI, and meeting other HIPAA security standards. Failure to comply—even through ignorance—can result in a $50,000 fine for the first offense and $1.5 million for the same offense in a calendar year.

Changing conditions

Think of HIPAA like a living piece of legislation that is constantly being assessed and modified to fit current needs. As a result, changes have emerged in recent years which impact both first-party health agencies and third-party providers.

According to HIPAA Journal, the Security Rule as revised in 2013 lays out specific administrative, physical, and technical safeguards that must be in place to ensure data security. These include Business Associate Agreements (BAAs) with third parties who access PHI, controls for devices and media used to store ePHI, and limits on who can remotely access ePHI. In addition, the impermissible use or disclosure of protected health information (that is, a violation of the HIPAA Privacy Rule) is presumed to be a breach unless the CE or BA, as applicable, demonstrates that there is a low probability that the protected health information has been compromised, such as through the use of strong encryption.

The new rules that became effective in 2013 also included changes such as:

   •     Expanded patient rights to request copies of their ePHI in electronic form.
   •     Prohibited the sale of health information for marketing or fundraising without patient permission.
   •     Introduced risk assessment methodology to determine the probability of ePHI compromise.

More recently, the U.S. Department of Health and Human Services released guidance on the applicability of HIPAA to cloud service providers (CSPs). As noted by Becker Hospital Review, any CSP engaged by a CE to host ePHI becomes a BA by default, meaning they need to sign a BAA to comply with HIPAA’s requirements for BAs. CSPs must comply with certain breach notification requirements if their network is breached and the breach results in unauthorized access to unencrypted ePHI, which includes prompt warning to the CE that their information may have been compromised.

Safe haven?

It’s important to note that cloud computing is not a “safe haven” from HIPAA compliance. If CEs permit CSPs to host or back up ePHI data without the proper agreements and precautions in place, both the CE and CSP could face Office for Civil Rights audits and fines for failing to comply with HIPAA regulations.

HIPAA continues to evolve as technology advances and new cybersecurity threats emerge. Although cloud computing is now a viable way to store and transmit ePHI, CEs and CSPs must take precautions to ensure HIPAA compliance. As required by HIPAA, Mozy by Dell offers appropriate safeguards—including those for encryption, password restrictions, and data storage—to help you protect and secure the electronic health information you work with and store.

Up next: Key causes of a health data breach. Find out how your CE can both detect new threats and safeguard patient information.

What is HIPAA compliance?

Note: This is blog 1 of 4 in our HIPAA series.

With identity theft on the rise, HIPAA compliance is becoming more vital than ever for businesses in the healthcare industry. The costs of violating HIPAA continue to increase; HIPAA non-compliance penalties went from $6.1 million in 2015 to $23.5 million in 2016. Experts predict they will continue to increase in 2017.

To assist with HIPAA compliance and to help protect against potential liabilities, the healthcare industry has been turning to the cloud for better security. In this first part of a four-part series, we’ll explore how the cloud is helping healthcare companies better address compliance with the HIPAA Security Rule.

How cloud computing plays a role in healthcare

The backstory to the healthcare industry’s HIPAA compliance strategy is healthcare’s migration to the cloud. The global cloud computing healthcare market stood at $4.5 billion at the end of 2016, and is on track to rise to nearly $6.8 billion by the end of 2018, according to projections by Transparency Market Research. Disaster recovery, data storage, and mobile health are the three biggest application needs driving healthcare’s cloud migration, according to TechTarget research.

The cloud’s ability to provide automated remote virtual backups makes it ideal for disaster recovery, enabling healthcare companies to have a secure backup offsite in the event of an on-site emergency. Meanwhile, the cloud’s scalability makes it suitable for storing the huge amounts of data that healthcare providers must manage. And the cloud’s connectivity to mobile devices makes it a perfect tool for delivering healthcare solutions to mobile device users.

What HIPAA compliance is all about

In conjunction with these applications, the healthcare industry is also using the cloud as a tool for HIPAA security compliance. The Health Insurance Portability and Accountability Act of 1996 established national privacy and security standards to protect healthcare patients. HIPAA’s Privacy Rule regulates standards for maintaining the confidentiality of certain healthcare information.

HIPAA’s Security Rule puts these privacy standards into effect by regulating standards for protecting health information stored in electronic form, known as electronic protected health information (e-PHI). HIPAA requires healthcare providers to maintain the confidentiality, integrity, and availability of all e-PHI they handle; to take reasonable steps to safeguard against anticipated security threats; to protect against impermissible uses or disclosures of information; and to ensure compliance by their workforce.

How HIPAA fits into the healthcare cloud

For companies seeking to comply with HIPAA’s security provision, the healthcare cloud serves as an improvement upon the security afforded by traditional on-premises data storage. Traditional on-premises storage is restricted by the space limitations of in-house IT equipment, which becomes impractical when terabytes of data are involved. On-site servers are also vulnerable to data loss if they become compromised or damaged in a disaster. On-premises servers further depend on in-house IT security teams, who typically handle security as part of a host of other IT duties.

Cloud servers address these disadvantages. Cloud usage can be scaled up to accommodate any amount of data, even if it overflows the capacity of in-house servers. Cloud servers are stored off-site where data is automatically backed up in multiple locations, so that a data hack or on-site disaster will not result in data loss. And cloud providers have full-time dedicated security specialists, relieving healthcare providers of the need to rely solely on in-house IT teams for security.

An invaluable tool

As the healthcare industry migrates to the cloud, healthcare companies are finding the cloud an invaluable tool in their efforts to meet HIPAA compliance standards. The cloud makes it easier for healthcare companies to store large amounts of data, to back up stored data, and to keep stored data secure. We’ll explore how the cloud helps healthcare companies in their efforts to comply with a specific HIPAA provision in the next article in this series: Cloud Computing and Healthcare: Understanding the HIPAA Omnibus Rule.