WHY YOU SHOULDN'T STORE ELECTRONIC MEDICAL RECORDS IN THE PUBLIC CLOUD

The healthcare industry is carefully trying to strike a balance between innovation and patients’ privacy. 

One the one hand, individuals and healthcare professionals alike are pushing to make health data more accessible in order to better treat patients. On the other hand, healthcare organizations must keep this sensitive information safe from hackers.  

Clearly, healthcare organizations have had a tough time keeping all this data safeIBM proclaimed 2015 the year of the healthcare data security breach. Healthcare executives report hundreds of attempted cyber intrusions per year. In California alone, more than half of the state’s residents had their health records breached last year.  

Yet, the healthcare industry is highly regulated. The Healthcare Insurance Portability and Accountability Act (HIPAA) requires the protection and confidential handling of health information. Why do we still see so many data breaches in this industry 

In short, ticking the HIPAA compliance box alone won’t keep your data safe. Healthcare insurer Anthem contributed to nearly half of the 24 million breached records in California in 2015. Anthem was quoted in a news article claiming it “protected its member data consistent with HIPAA guidelines”. That may be true, but it doesn’t help those who had their information stolen and potentially used illegally by hackers. 

Today, let’s look at one use case: the storage of Electronic Medical Records (EMR). An EMR is a digital version of a paper chart that contains all of a patient’s medical history from one practicemostly used by providers for diagnosis and treatment. What once took up drawers and drawers in filing cabinets is now being moved to an electronic form that can be easily accessed, analyzed, and transported when necessary.  

There are two pieces to EMR we must address: 

  1. Use by medical professionals: When was the last time you brought a stack of your most recent bloodwork to the Emergency Room so the doctors on staff could see your medical history? We need to know how and when healthcare professionals are accessing an EMR.  

  2. Archiving EMR:  Once doctors are done reviewing a piece of EMR on a patient, where does it live securely?  

Most healthcare organizations don’t want to have thousands – if not tens of thousands – of square feet devoted to real estate space just to hold these records. Having to purchase, house, and maintain the hardware servers necessary to store EMR can come at a great capital expense. As a result, many have either made the jump or are seriously considering public clouds such as Amazon Web Services, Microsoft Azure, and Google Drive.  

This is a mistake. Here’s why public clouds aren’t suited for storing EMR:  

  

  1. Complexity is the opposite of security. The public cloud has software defined networks ingrained into its DNA, which have a lot of moving parts by its very nature. The more parts something has, the greater a chance for one of those parts to break. With multiple data streams crossing, there is a high chance for significant breaches in public clouds over the next 10-12 months. Certain workloads are great for public clouds, and others are not. Highly regulated and scrutinized EMRs are definitely not suited for the public cloud.  
  2. Compliance does not equal security. Most public cloud services have some semblance of HIPAA compliance baked into its systems. HIPAA compliance may help you pass regulation standards, but it hasn’t stopped nearly every organization represented in a May 2015 Ponemon Institute study from experiencing multiple security incidents and data breaches. These cyber threats have cost the industry an estimated $6 billion with an average cost of $2.1 million for each healthcare organization breach.

 Considering public versus private clouds for your EMR? We can help. Sign up for a free trial of our secure cloud platform for healthcare. Building on decades in cloud security, US Cyber Vault protects against threats, provides a secure data and computing environment, and is supported by an incident response team of counter intelligence experts with guaranteed day-zero breach detection. 

 

Written by Rob LaMear, CEO, US Cyber Vault

Once a month we share where we will be speaking in the world as well as expert opinions on cyber security, data loss prevention, and information security that we like from the larger community.  Receive our next issue by signing up here.