A recent study reveals some of the critical security steps hospitals must take before turning to a cloud computing service for their electronic health records.
Cloud computing is beneficial for many healthcare providers, especially smaller organizations that may not have the resources available to install and maintain a complex software system on their premises.
With a cloud computing service, the system is hosted by the vendor, which becomes responsible for maintenance and upgrades. Cloud-based systems can also make it easier to deploy EHR software across multiple locations and to share records among multiple providers.
While that brings benefits such as a lower upfront cost and less of a need for internal technical staff, cloud computing creates several challenges as well, especially in health care. EHR systems hold a lot of sensitive personal information, and many hospitals are worried about allowing that data to be held on a vendor’s servers.
Third-party audits are key
There’s a lot of work still be done to protect sensitive patient information stored in the cloud, according to a recent study published in the Journal of Medical Internet Research.
That includes some steps that software vendors should be taking to make their systems more secure. But there are also a lot of things healthcare providers can do when they’re looking for systems that will go a long way toward preventing costly data breaches.
While cloud computing service providers take on a lot of the responsibility for protecting their customers’ data, it’s still up to the healthcare organization to verify that the proper precautions are being taken.
That’s why one of the most important steps a hospital must take before contracting with a cloud provider is conducting a security audit of the vendors’ system, according to the authors of the report. The recommended way to do that is to hire a third party to conduct the audit.
What to look for
What are some of the key security controls that a cloud-based EHR system should have? Here are some of the key factors listed by the researchers:
Role-based access – Many different types of employees will need access to the EHR system for different reasons. In order to keep data safe, providers should make sure they can configure a system so that people only have access to information they need for their jobs.
Data encryption – Information should be encrypted not just while it’s stored on the cloud provider’s servers, but also as it’s being transmitted to avoid interception.
Digital signature – This is one method providers can use to verify that the electronic records are authentic when they’re transmitted back and forth between the hospital and the EHR vendor. A digital signature can be used to verify that the sender is legitimate and that the information wasn’t tampered with while it was in transit.
Hiring and training — Since a lot of security threats come from inside an organization, it’s important that a cloud provider conducts thorough background checks for all employees with access to systems and provides security training to avoid breaches due to employee negligence.
System monitoring – While technical controls can help keep unauthorized people from accessing electronic records, they aren’t perfect. That’s why it’s important that a cloud-based EHR is monitored in order to create a log of all the people who have accessed the system.
Review the contract
In addition to the system itself, it’s also important healthcare providers make sure they’re being adequately protected by the contracts they sign with cloud computing vendors.
Unfortunately, most organizations say their cloud contracts favor the vendor when it comes to liability for security issues. To keep the system secure and avoid getting stuck in case of a security incident, experts recommend looking for these provisions in vendor contracts:
Audits and testing — In addition to the initial audit before signing on for a service, hospitals should be able to conduct regular audits and security tests.
Notification of changes — Cloud customers should be notified of any time software will be changed or upgraded, with an explanation of what that means for security and service availability.
Mandatory security precautions — Since software may change often, organizations may want the contract to specify which security controls must always be in place.
Compensation — Cloud providers should have an incentive to protect data. That means the contract should include significant penalties if the vendor’s actions result in a security incident.
Notify patients
It won’t necessarily do anything to protect data, but there is an additional step that can help the transition to a cloud service go more smoothly: Notify patients about the move.
While organizations are concerned about protecting patient data, many don’t actually involve patients when they’re switching to the cloud or even tell their patients about the change.
The researchers say providers should notify patients when their data is being moved to the cloud and explain the steps that will be taken to protect that information. Full disclosure will help avoid any unpleasant surprises that could anger patients down the road.