In the dark world of the data black market, hackers shell out more for healthcare information than any other type of stolen data — including credit card information. Whereas a credit card number sells for just a few dollars on the black market, a bundle of 10 Medicare IDs can go for upwards of $4,700, according to a 2015 NPR report. That’s because electronic protected healthcare information, or e-PHI, is a fraudster’s dream come true. E-PHI often includes a victim’s email, birth date, social security number, and credit card information — an all-inclusive ticket to identity theft, insurance fraud, and targeted phishing.
The Health Insurance Portability and Accountability Act (HIPAA) mandates that all covered entities and business associates take precautions to safeguard their patients’ data. Despite HIPAA’s regulations and costly penalties, the healthcare sector has notoriously outdated IT, making it one of the most vulnerable industries around. But with the historic Anthem breach just a year behind us, the healthcare industry is changing its ways.
Perhaps the most drastic leap forward the healthcare sector is making is the move to the cloud. A report by Accenture states that a third of healthcare administrators say they already use cloud-based storage, while 73% have plans to move to the cloud in the near future.
But is the cloud a safe place for patients’ priceless e-PHI, and does it meet HIPAA’s standards?
The Cloud and Encryption
In itself, reputable cloud data storage is a safe and effective way to store large quantities of confidential information. Advances in technology mean healthcare enterprises need more storage every day. For example, patients fill out their healthcare history on tablets in the waiting room, while doctors carry mobile devices to access patient information on the go. These new file types, and a growing need to keep patient information for longer periods of time, make the move to cloud-based storage a smart and logical step.
Cloud storage providers nearly always offer encryption for businesses’ data, making the information unreadable to hackers. However, it’s often what happens before data is transferred to the cloud that causes security breaches — or rather, what doesn’t happen.
Currently, Bluefin employs PCI-validated Point-to-Point Encryption, or P2PE, for encryption of credit card data in healthcare and other industries. The solution encrypts and secures data from the moment it is collected (at a card swipe, for example) all the way to its end destination. This means that at the point of entry, all data is converted into ciphertext that an attacker who intercepts it cannot read. While cloud providers may encrypt data once it reaches the cloud, they often do not provide native encryption, that is, encryption applied immediately at the point of collection, before the data is transmitted.
When a healthcare service provider fails to employ native encryption, it leaves consumers’ private information vulnerable to cyber attacks. A hacker can steal raw, unencrypted information as it is transferred to the cloud, or even before it leaves the system that collected it. Anthem, for example, neglected to encrypt its customers’ social security numbers in its internal database, which was all too easily compromised by malware. The volume and nature of patient information for which healthcare enterprises are responsible makes it essential to seek more than just cloud storage. Healthcare vendors should use third-party security services that offer native encryption and protection during data transmission.
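The point of the two paragraphs above, encrypting at the point of collection so that nothing readable is in transit to the cloud, as an added example that is not Bluefin's P2PE code or any vendor's product: a Go program that seals an intake record with AES-GCM on the capturing device and only opens it at the authorized destination. Everything in it is an assumption for illustration: the constructed key and record, the function names, and the use of AES-GCM in place of whatever a validated P2PE solution uses internally. The same `ExposesField` check is run against a raw upload and against the sealed envelope, which is the difference between relying on the provider's encryption at rest and encrypting before transmission.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is the only thing that leaves the capture device (tablet, card
// reader, web form): the record id in the clear for routing, a fresh nonce,
// and the AES-GCM ciphertext with its authentication tag.
type Envelope struct {
	RecordID   string
	Nonce      []byte
	Ciphertext []byte
}

// newGCM builds an AES-GCM AEAD from a 16-, 24- or 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptAtCapture seals a record on the device that collected it. The
// record id is bound as associated data, so an envelope cannot be re-labelled
// as a different record without failing authentication at the destination.
func EncryptAtCapture(key []byte, recordID string, plaintext []byte) (Envelope, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(recordID))
	return Envelope{RecordID: recordID, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptAtDestination opens an envelope at the authorized endpoint. Any
// change to the nonce, ciphertext, tag or record id yields an error rather
// than garbage plaintext.
func DecryptAtDestination(key []byte, env Envelope) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(env.Nonce) != gcm.NonceSize() {
		return nil, errors.New("envelope has a malformed nonce")
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(env.RecordID))
}

// ExposesField reports whether a sensitive value is visible in the bytes
// that actually travel to the cloud. Run it against the raw upload and
// against the envelope to see what each path hands to an observer.
func ExposesField(inTransit, sensitive []byte) bool {
	return bytes.Contains(inTransit, sensitive)
}

func main() {
	// Constructed sample key and intake record (assumed values); a real
	// deployment gets the key from a key-management service, never from code.
	key := bytes.Repeat([]byte{0x42}, 32)
	record := []byte("name=Jane Doe;dob=1970-01-01;ssn=123-45-6789")
	ssn := []byte("123-45-6789")

	// Path 1: raw upload, relying on the provider to encrypt at rest.
	fmt.Println("raw upload exposes SSN in transit:", ExposesField(record, ssn))

	// Path 2: encrypt on the device, then upload the envelope.
	env, err := EncryptAtCapture(key, "intake-0001", record)
	if err != nil {
		panic(err)
	}
	fmt.Println("envelope exposes SSN in transit:", ExposesField(env.Ciphertext, ssn))

	pt, err := DecryptAtDestination(key, env)
	fmt.Printf("destination recovered record: %t (err=%v)\n", bytes.Equal(pt, record), err)
}
```

The record id travels in the clear so the cloud can route and index the envelope without a key, but because it is bound as associated data, swapping it on a stored envelope is detected when the envelope is opened; the patient fields themselves are never readable by the storage provider or by anything on the path to it.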
Does Cloud Storage Meet HIPAA Regulations?
Because HIPAA spans so many types of healthcare service providers, the guidelines of the HIPAA Security Rule (HSR) are intentionally loose. The basic requirement is that healthcare service providers conduct a risk analysis for technical vulnerabilities in information systems and then “implement reasonable and appropriate security measures.”
Determining those measures is left up to the provider, and neglecting to do so can be immensely costly. Not only do security breaches cost companies the loyalty and trust of their patients, they can also lead to exorbitant fines. Depending on the level of noncompliance, penalties range from $100 to $50,000 per individual record violation, with a limit of $1.5 million per year, and possible jail time.
So then, is cloud-based data storage HIPAA compliant?
The answer is yes and no. When it comes to e-PHI encryption, the HSR states that it “allows covered entities the flexibility to determine when, with whom, and what method of encryption to use.” Encrypted cloud data storage does make patients’ information safer. However, as demonstrated by recent breaches, cloud storage alone does not defend against malware and cyber attacks at the source. There is also no guarantee that it will deflect high HIPAA penalties in the event of a breach.
The cloud is changing the technological landscape of the healthcare sector for the better. But to keep patients’ personal information as safe as possible, providers in the healthcare industry also need end-to-end protection. This means employing a protection system that works alongside cloud vendors to keep data encrypted from the source of collection — whether that’s a tablet in the clinic waiting room or an online form for an e-prescription — all the way to its destination in the cloud.