News Feature | September 13, 2013

Cloud Technology Can Reduce HIPAA Breach Risks

Source: Health IT Outcomes
Greg Bengel

By Greg Bengel, contributing writer

While many providers worry that cloud technology puts their data at risk, it may actually be ideal for safeguarding protected health information from HIPAA breach risks

Many provider organizations have been reluctant to utilize cloud technology due to concerns about data security and HIPAA compliance. According to CDW’s 2013 State of The Cloud Report, the healthcare industry is slower than most when it comes to the adoption of cloud technology, coming at seventh out of eight industries in terms of adoption. Among the reasons why, according to the study, are security concerns.

Other studies have suggested the concern is not misplaced. Health IT Outcomes previously reported on a Ponemon Institute study that emphasizes the extent to which cloud technology poses a risk to provider data when utilized in a negligent, sloppy manner. 

However, a recent article from Healthcare IT News discusses how cloud technology actually is ideal for reducing HIPAA compliance risk. Referencing provider organizations’ fear of damaging their reputations – an outcome which inevitably results from having to report HIPAA breaches -- the article points us to data on HIPAA breaches published recently by HHS.

The data shows that this fear may be unfounded, and that cloud technology actually reduces these risks, not amplifies them. Healthcare IT News explains, “Loss or theft of electronic equipment or storage media has been the source of more than 66 percent of all large HIPAA breaches during this period. The individuals affected by these breaches amount to nearly 73 percent of all individuals affected by large HIPAA breaches reported to HHS during the same time period. In most cases the theft or loss involved a laptop or electronic media, such as a flash drive, containing unencrypted PHI. In contrast, large breaches attributed to hacking amounted to 8 percent of the total incidents and affected 6 percent of the individuals whose PHI was disclosed.”

The article rightly sums up this information. “These data suggest that the implementation of IT systems that enable secure sharing of information without the need to transport it on a computer or storage media will go a long way toward eliminating the majority of large HIPAA breaches,” it says.

Healthcare IT News explains that making sure protected health information (PHI) is not being transported on equipment like laptops or flash drives is perhaps the most important thing providers can do to eliminate risk for HIPAA breaches. By keeping data in the cloud, the only PHI on the user’s computer is the PHI the user is currently viewing on his web browser. Also, “The use of the cloud can also facilitate enforcement of encryption requirements,” says the article. “For example, many of the new commercial systems encrypt all data while in transit and while at rest. This means that even if data somehow become accessible to an unauthorized person, they would be secured and could not be read unless the hacker also obtains the encryption key.”