Up in the Cloud: Is It Safe to Store PHI on Remote Servers?
Medical practices and facilities are depending more and more on cloud storage because it gives users the ability to access data across a variety of electronic devices while eliminating the costs and difficulties associated with maintaining a physical storage system.
What exactly is the cloud? Cloud storage is a network of remote servers that allow for centralized data storage and online access to these resources. Your files are stored on a server connected to the Internet instead of being stored on your own computer’s hard drive. This eliminates the need to purchase hardware equipment to store files or to upgrade your hardware to get extra storage space—or the need to delete old files to make room for new ones. The cloud is convenient and cost-effective, providing a way to automatically back up your files and folders.
Despite these benefits, recent publicity around hacks of public cloud storage websites has raised concerns about whether it is appropriate for medical practices and facilities to store health records and information in the cloud. Cybercriminals target healthcare organizations more than any other form of business because criminals find personal patient information particularly valuable to exploit. Providers must ensure they are compliant with the Health Insurance Portability and Accountability Act (HIPAA) in how they secure patient protected health information (PHI). The repercussions of a breach can be daunting under HIPAA. A business that suffers a breach of unencrypted PHI must report the breach to the U.S. Department of Health and Human Services’ Office for Civil Rights. If found negligent, the business can face fines and damage to its reputation.
Is cloud storage a safe way to store PHI? The answer is a qualified “yes”: The cloud can be an appropriate method of data storage, but only under the right circumstances.
As with many new technologies, the safety level of the cloud, and whether it’s appropriate for use, depends on the vendor. To be sure your data is safe and secure when you hand it over to a cloud service provider, you need to research each vendor you consider and do appropriate due diligence. There are several important questions you need to answer and issues you have to keep in mind:
- Are the vendor’s security standards appropriate? You have to research each vendor you choose. Make sure the company has a good reputation and solid security policies. You are entrusting the provider to store your information, so the extra time spent researching and comparing providers and their security practices will pay off in the long run.
- How much data will you be storing? Many companies charge by the amount of storage you use, so understand what your needs are before choosing a vendor. Ensure the vendor can handle the amount of data you would like to move to the cloud.
- Ensure your data is encrypted when being uploaded to or downloaded from the cloud. This is also your responsibility. Make sure your browser or app requires an encrypted connection before you upload or download your data. Also ensure all devices that contain PHI (laptops, desktops, thumb drives, and centralized storage devices) are encrypted.
- Make sure your data is encrypted when stored in the cloud. This is perhaps the most important consideration. Data protected by law, such as medical information or personal identifiers, should never be stored in the cloud unless the storage solution is encrypted. Only selected members of your organization should be able to decrypt the data, and your organization should create policies detailing under what circumstances information can be decrypted. Determining whether the stored data will be encrypted requires a careful review of the specific terms of service within your agreement with the cloud service provider. Many cloud service providers store data on a cloud server with no encryption, meaning anyone who has (or can get) high-level access to that server will be able to read your files.
- Understand how access is shared in your cloud folder. Many cloud storage providers allow you to share access to your online folders. Be familiar with the details on how that sharing works. Can the user read-only or can the user edit the file? Will you know who the last person to edit a file was? Awareness of who has access and how is critical to monitoring activity within your stored data.
- Understand your options if the cloud provider is hacked or your data is lost. Virtually all cloud service providers require a user to sign an agreement that contains a terms of service provision. In most cases, these agreements provide that the user has very little, if any, remedy if a hack or a loss of data occurs. Pay attention to what rights you have given up and make sure you are comfortable with doing so.
Cloud storage can be a valuable asset to medical practices and facilities, but the decision to use the cloud to store HIPAA-protected records should not be made until substantial due diligence has been performed on the cloud service provider. Make sure you have absolute confidence in the service provider’s ability to keep the data safe and secure.
By David McHale, Senior Vice President and Chief Legal Counsel, The Doctors Company
The guidelines suggested here are not rules, do not constitute legal advice, and do not ensure a successful outcome. The ultimate decision regarding the appropriateness of any treatment must be made by each healthcare provider in light of all circumstances prevailing in the individual situation and in accordance with the laws of the jurisdiction in which the care is rendered.