
1/4/2013 10:04 AM

Patient Privacy Advocate Calls For Better Cloud Security

Letter to Office of Civil Rights calls for stronger data security protections, business associate agreements with cloud computing services.

A leading advocate for the privacy and security of patient health information is urging the government to issue a strong guidance document on how healthcare data should be protected in the cloud.

In a letter to the Office of Civil Rights (OCR) in the Department of Health and Human Services (HHS), Deborah Peel, MD, founder and chair of Patient Privacy Rights, said, "Health providers will benefit from such guidance as they consider moving to cloud services, and patients will benefit by knowing which data privacy and security protections should be in place."

Peel's letter cites the HHS' settlement with Phoenix Cardiac Surgery in April 2012 to illustrate the challenges that can arise when providers move to the cloud. In that case, the practice was fined $100,000 for managing appointments using a Web-based calendar that was publicly available.

Today, healthcare providers' use of cloud services goes far beyond that. Electronic health records, billing data, medical images and many other types of healthcare information are now stored on remote servers. According to an Optum Institute report published last March, nearly 60% of responding CIOs from organizations that had an EHR and a health information exchange said they planned to invest in "cloud-based open systems."

Despite the burgeoning use of the cloud to store and manage information, however, Peel could not cite evidence that this shift has led to an increase in security breaches or that cloud storage is inherently less secure than onsite storage of data. "I don't know whether there are any studies of that," she told InformationWeek Healthcare.

What is known, she added, is that "the healthcare industry has the worst security practices of any industry. Eighty percent of hospitals still don't even encrypt data. Hospitals are not putting the money into data protection."

The key issue with cloud storage, she said, is that "there's no way of telling which services are following best practices for state-of-the-art comprehensive security and privacy."

For example, she pointed out, remote servers can be located anywhere. "We don't even know whether they're in the U.S. We have no way of knowing what happens inside the cloud servers, whether the owners of the cloud service snoop in the information or not, and there's no certification or auditing of these systems to verify whether they do what they say they do in a contract."

Even worse, she pointed out, many contracts between cloud service firms and healthcare providers lack even basic security protections. For example, the HIPAA law mandates that cloud services sign business associate agreements requiring them to adhere to the same security and privacy rules that HIPAA-covered entities must comply with. But many providers do not ensure that this provision is in their contracts.

Under the guidance that Peel's group is seeking, the OCR would urge cloud companies to provide:

-- A secure infrastructure, including data encryption and audit controls

-- Security standards consistent with standards required of federal agencies

-- Privacy of protected health information, based on standards for appropriate use, disclosure and safeguarding of individually identifiable information

-- Business associate agreements -- something that OCR has already called for.

Eventually, Peel said, her group wants the government to introduce a certification system for cloud computing, similar to the EHR certification it requires for showing Meaningful Use. Such certification, which could be performed by HHS or by private entities authorized by HHS, would incorporate the guidance elements in Peel's letter. It would also include other requirements set forth in a "trust framework" that her group plans to release within the next few weeks.

Patient Privacy Rights developed and validated the trust framework with the help of Microsoft and PwC and tested it on HealthVault, according to Peel. "We have some tools that could be used to assess every kind of platform, application or system so that some kind of ranking or rating could be created for how well they comply with what the public expects. We have 15 major principles broken down into auditable criteria, such as what nation the servers are in."

Initially, Peel noted, Patient Privacy Rights will release the framework for purposes of discussion, research and self-evaluation by cloud services and healthcare providers. The criteria in the framework, she said, could apply to anybody who stores healthcare information remotely, even on a website.

Comments
jaysimmons, User Rank: Apprentice
1/15/2013 | 6:15:54 AM
re: Patient Privacy Advocate Calls For Better Cloud Security
I don't believe these issues are specific to cloud technologies as a whole. Regardless of whether you have dedicated infrastructure or are using a cloud, you always have to have certain security measures in place. Sure, there may be a slightly larger risk when aggregating resources together, but at the end of the day all of that data should be secure, so it shouldn't matter whether it's cloud hosted or not. Healthcare IT has its work cut out for the next couple of years with trying to find solutions to the security concerns that plague it today.

Jay Simmons
Information Week Contributor
kjhiggins, User Rank: Strategist
1/7/2013 | 8:54:45 PM
re: Patient Privacy Advocate Calls For Better Cloud Security
Big challenge here still will be the small healthcare practices without the IT security resources and knowledge.

Kelly Jackson Higgins, Senior Editor, Dark Reading
PJS880, User Rank: Ninja
1/7/2013 | 4:33:53 PM
re: Patient Privacy Advocate Calls For Better Cloud Security
Wonderful article and a topic that I believe is getting overlooked. What I mean is people do not realize the risk of putting medical records in the cloud; security has to be standard and above and beyond 'normal' standards. Whatever policy is written up also needs to be consistent across the board or it will be useless for some organizations. I don't care if you are a small organization or massive, simple rule: encrypt your data, it is a very useful tool!

Paul Sprague
InformationWeek Contributor