Healthcare organizations have to share patient information but they also have to keep that information private. The two requirements are in direct conflict. Add the Cloud and things get really “interesting!”
Cloudy with a chance of breach
Everyone wants to move to the cloud – especially for file sharing use cases. For larger healthcare organizations the motivation to move to the Cloud is often to consolidate enterprise users onto a common platform (as opposed to the scattershot “shadow IT” approach that exists today). Smaller companies often just want to get off servers. Regardless of why HIPAA covered entities are moving to the Cloud or how big those entities are, the reality is they have patient privacy and security needs beyond what Office 365 and other platforms provide. When it comes to HIPAA covered entities, Microsoft’s Office 365 is better than most (more on that later), but organizations need to approach Cloud adoption with a clear understanding of what the hosting provider can do from a security standpoint and what the end-user organization remains responsible for. The scary thing is that users are adopting Cloud file sharing platforms far in advance of the enterprise actually being able to manage the risk of a breach of patient information on those platforms.
Carry a big stick
When the Obama Administration included patient privacy enforcement in the HITECH Act, many of us in the privacy business noted that HIPAA finally got some “teeth.” The HITECH Act and related changes resulted in very impactful provisions relating to breaches of patient data, including:
- The establishment of fines for losing unsecured electronic patient healthcare information.
- The notion of shared risk for companies that provide services (aka Business Associates) to a HIPAA covered entity.
- The use of data-at-rest encryption as a form of safe harbor from the breach notification requirements.
The Haves and the Have Nots
In the first paragraph I mentioned that Office 365 is better than most offerings. The reason I say this is because of what’s called a Business Associate Agreement (BAA). A HIPAA Business Associate (BA) is any organization that provides services to a HIPAA covered entity and handles patient information in doing so. A BAA is an agreement that a Business Associate signs to share the risk of a breach of patient information relative to the BA’s services. SaaS and other Cloud providers are clearly delineated into two camps: those that will sign BAAs and those that won’t. Microsoft will sign a BAA. Google, Dropbox and many others will not. This dynamic is wreaking havoc with organizations that have patient information. At best they can get existing providers to sign a BAA. At worst, they have to track down rogue usage of services like Dropbox and threaten employees with serious consequences.
In the past several months we’ve talked to a lot of enterprise security leaders in the healthcare space about their patient privacy needs relative to Office 365. They tell us that they do not want to be in the business of controlling who can collaborate with whom but they do need to get a level of central control over patient privacy. These healthcare providers, payers, and other covered entities need to identify patient information in Office 365, encrypt that information at rest (to get Safe Harbor), and track who accesses it. Microsoft’s willingness to sign a BAA just means that Office 365 is on the short list of options. These healthcare systems and other organizations recognize that they, not Microsoft, are responsible for how the enterprise users consume Office 365.
Don’t rock the boat
The reality is that there are collaboration platforms built explicitly for regulated or high-security use cases. The problems with these platforms are that they are much more expensive than Office 365 and, perhaps more importantly, users don’t want to adopt them. The right way to approach the problem is to make platforms like Office 365 secure for patient information.
Securing Office 365 so that you can safely store patient information on the platform translates to encrypting the data, applying access controls, and auditing access to the data. With these three technical security controls in place, you’ll be in good shape to prove to auditors that you’re protecting your ePHI as required by HIPAA security requirements.
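The three controls above (identify ePHI, restrict who can access it, and audit every access) can be sketched in a small program. The following is an added example written for this post, not code from the original article or from Microsoft; the ePHI indicator patterns, the role model, the sample documents and the audit key are all constructed, and encryption at rest is assumed to be handled by the platform's own service-side encryption and key management rather than re-implemented here. It shows the other two controls end to end: a document is classified by the identifiers it contains, a role rule decides whether the request is allowed, and the decision is written to an HMAC-chained audit log that an auditor can verify has not been edited after the fact.

```python
import hashlib
import hmac
import json
import re
import time

# Constructed ePHI indicator patterns (assumption: a real deployment tunes
# these to its own MRN/identifier formats and adds richer detection).
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[-: ]?\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]+\d{1,2}/\d{1,2}/\d{4}\b", re.IGNORECASE),
}

# Constructed role model: every role may read ordinary files, but only
# PHI_ROLES may open a file that was classified as containing ePHI.
ROLE_PERMISSIONS = {
    "clinician": {"read", "write"},
    "billing": {"read"},
    "marketing": {"read"},
}
PHI_ROLES = {"clinician", "billing"}


def find_phi(text):
    """Return {indicator: count} for every ePHI indicator present in text."""
    hits = {}
    for name, pattern in PHI_PATTERNS.items():
        count = len(pattern.findall(text))
        if count:
            hits[name] = count
    return hits


class AuditLog:
    """Append-only log. Each entry's HMAC also covers the previous entry's MAC,
    so editing or deleting any entry breaks verification from that point on."""

    def __init__(self, key):
        self.key = key
        self.entries = []
        self.prev_mac = b"\x00" * 32

    @staticmethod
    def _encode(entry):
        return json.dumps(entry, sort_keys=True).encode()

    def record(self, actor, role, action, doc_id, phi_found, allowed, ts=None):
        entry = {
            "ts": ts if ts is not None else time.time(),
            "actor": actor, "role": role, "action": action,
            "doc": doc_id, "phi": bool(phi_found), "allowed": allowed,
        }
        mac = hmac.new(self.key, self.prev_mac + self._encode(entry), hashlib.sha256).digest()
        self.entries.append({"entry": entry, "mac": mac.hex()})
        self.prev_mac = mac
        return entry

    def verify(self):
        """Recompute the chain; False means some entry was altered or removed."""
        prev = b"\x00" * 32
        for item in self.entries:
            expected = hmac.new(self.key, prev + self._encode(item["entry"]), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, bytes.fromhex(item["mac"])):
                return False
            prev = expected
        return True


def authorize(actor, role, action, doc_id, text, log, ts=None):
    """Classify the document, apply the role rule, and record the decision."""
    phi = find_phi(text)
    allowed = action in ROLE_PERMISSIONS.get(role, set())
    if phi and role not in PHI_ROLES:
        allowed = False
    log.record(actor, role, action, doc_id, phi, allowed, ts)
    return allowed, phi


# Constructed sample documents; every identifier below is made up.
DOCS = {
    "referral.docx": "Patient MRN-00123456, SSN 123-45-6789, DOB: 04/12/1970, referred for imaging.",
    "newsletter.docx": "Quarterly wellness newsletter for all staff.",
}


def demo():
    """Run three access requests through the controls and return the outcomes."""
    log = AuditLog(b"constructed-audit-key")
    results = {
        "clinician_referral": authorize("alice", "clinician", "read", "referral.docx", DOCS["referral.docx"], log),
        "marketing_referral": authorize("bob", "marketing", "read", "referral.docx", DOCS["referral.docx"], log),
        "marketing_newsletter": authorize("bob", "marketing", "read", "newsletter.docx", DOCS["newsletter.docx"], log),
    }
    return results, log


if __name__ == "__main__":
    results, log = demo()
    for name, (allowed, phi) in results.items():
        print(f"{name}: allowed={allowed} phi={phi}")
    print("audit log intact:", log.verify())
```

The denied request is logged just like the allowed ones, which is the point: an auditor asking "who tried to open this referral" gets the complete history, and the HMAC chain lets them check that nobody trimmed the inconvenient entries. In a real deployment the classification step would draw on the platform's own data-loss-prevention labels and the audit key would live in a key vault, not in the source.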