Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


03:35 PM
Connect Directly

Cloud Security Alliance Offers Tips to Protect Telehealth Data

As telehealth grows more common, security experts address the privacy and security concerns of storing health data in the cloud.

The COVID-19 pandemic has pushed healthcare organizations to make telehealth a top priority. As they do, they're forced to confront privacy concerns related to information access, usage, and alteration, as well as the security of public cloud services where health data is stored.

As the Cloud Security Alliance (CSA) explains in a new report on protection of health data, "telemedicine" and "telehealth" should not be used interchangeably. The former refers to the clinical diagnosis and monitoring by technology; the latter has a broader definition. Telehealth covers clinical healthcare and tools such as kiosks, website monitoring applications, mobile apps, wearable devices, and videoconferencing technology to link patients with healthcare providers.

Health delivery organizations (HDOs) are ramping up telehealth capabilities such as remote patient monitoring (RPM) and telemedicine to treat people at home and reduce the risk of exposure for both providers and patients. This will continue to grow long after the pandemic, the experts write.

The increasing reliance on telehealth in the cloud is expected to drive privacy and security risks for healthcare institutions. Most hospital systems delivering telehealth use videoconference tools as well as cloud and Internet technologies, creating a range of potential issues and demanding security teams take a closer look at their architecture to identify flaws and decide on controls.

This is a shared responsibility between the HDO and cloud provider. Healthcare organizations must understand the regulatory requirements of patient data and the technologies they use.

Public cloud services are accessed over the public Internet, which experts say does not mean the cloud is inherently secure but should be considered in a cloud security model. HIPAA requires HDOs maintain "reasonable and appropriate" administrative, technical, and physical protections to protect public health information (PHI). HDOs are also mandated to do a security-threat risk analysis, which includes cloud-based threats and provides information needed to make risk-based decisions.

Healthcare organizations should also identify the security controls they have in place and ensure they're working as intended. As part of these assessments, the HDO should talk with its cloud service providers about governance, compliance, confidentiality, integrity, availability, and incident response and management. Stakeholders must consider the end-to-end security of the systems, including internal policies for access control and user provisioning.

Protected health information is at the core of privacy concerns related to telehealth, and the emergence of targeted attacks against information systems to access PHI is concerning. The HIPAA Privacy Rule, which regulates the collection, use, and disclosure of PHI, provides insight for better understanding the privacy implications. It mandates health organizations to track the use and disclosure of PHI and notify patients when their data is used. The EU's GDPR, which gives people certain rights when data is used, may also apply, depending on where PHI is stored.

Healthcare organizations must know how their cloud providers handle data retention and monitor how they access and use data. If there's a breach of health data, the provider should have a plan for how it will notify the HDO and launch incident response. Cloud providers should also sign a business associate agreement, another requirement under HIPAA.

CSA also emphasizes the importance of a continuous monitoring program to make sure HDOs enforce and improve their security operations for internal controls, as well as privacy and security programs used by a cloud service provider. This monitoring is maintained throughout the data, applications, and systems life cycles and should be altered over time for continuous risk awareness and compliance, the experts explain in their report.

Related Content:

Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really bad day" in cybersecurity. Click for more information and to register for this On-Demand event. 
Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
6/24/2020 | 3:34:07 PM
Re: Pragmatic Advice but...
I agree with what you are saying; however, it is well past the time when we can start with the fundamentals. Healthcare has historically been way behind other industries when it comes to security and they are starting to pay for it. It is time to catch up.

I also believe it is too late to think in terms of telehealth systems as on-premise. Every telehealth system I have looked at in the last year (and there have been many) all connect to the cloud, even systems with on-premise servers have a cloud connection. We must treat telehealth privcy and security proactively or we will always be chasing the newest threats and vulnerabilities. Telehealth is not going away so we better secure it. 

I would really like for more people to join our CSA Health Information Management work group and help develop best practices for securing all healthcrae in the cloud.
User Rank: Ninja
6/21/2020 | 2:09:09 PM
Pragmatic Advice but...
This is pragmatic advice but as security professionals it seems like we are always putting the cart before the horse and it most cases its not our fault that we do. This pandemic has forced us to think of security and technology as a whole in a different lens. But even before this the Healthcare sector, along with education were hopelessly behind the security best practice model with even entire hospitals falling victim to having to pay ransoms.

So the way I see it we can either treat this new venture in one of two ways. Proactively or reactively. Push towards the cloud with security ingrained in each lifecycle step of that transition. Or look to rectify the security shortcomings of on-premise environments and then iteratively transition to the cloud. Both of which I noticed many companies neglecting to heed. 

Not trying to be cynical just trying to be realistic. We are still in an era where many comapnies do not heed the security warnings until they are burnt by the stove. I hope one day that they will start learning from the mistakes of their fallen comrades instead of hoping that they aren't the ones that end up in the news. 
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-19
An out-of-bounds (OOB) memory access flaw was found in fs/f2fs/node.c in the f2fs module in the Linux kernel in versions before 5.12.0-rc4. A bounds check failure allows a local attacker to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The hi...
PUBLISHED: 2021-04-19
A flaw was found in cifs-utils in versions before 6.13. A user when mounting a krb5 CIFS file system from within a container can use Kerberos credentials of the host. The highest threat from this vulnerability is to data confidentiality and integrity.
PUBLISHED: 2021-04-19
If Ethernet communication of the JTEKT Corporation TOYOPUC product series’ (TOYOPUC-PC10 Series: PC10G-CPU TCC-6353: All versions, PC10GE TCC-6464: All versions, PC10P TCC-6372: All versions, PC10P-DP TCC-6726: All versions, PC10P-DP-IO TCC-6752: All versions, PC10B-P TCC-6373: Al...
PUBLISHED: 2021-04-19
An exploitable SQL injection vulnerability exists in ‘getAssets.jsp’ page of OpenClinic GA 5.173.3. The serialnumber parameter in the getAssets.jsp page is vulnerable to unauthenticated SQL injection. An attacker can make an authenticated HTTP request to trigger...
PUBLISHED: 2021-04-19
GStreamer before 1.18.4 might access already-freed memory in error code paths when demuxing certain malformed Matroska files.