[BreachExchange] Is protected health information safe in the cloud?

Destry Winant destry at riskbasedsecurity.com
Fri May 19 03:42:22 EDT 2017


Many healthcare providers face the decision on if they should store
protected health information (PHI) in the cloud. There are benefits
and concerns to storing PHI in the cloud, and the decision to do so
should be analyzed.

PHI is any health-related or insurance payment information that is
stored or managed by a healthcare provider that can identify a
specific individual. Examples of PHI are patient names, addresses,
Social Security numbers, X-ray images, lab results, insurance payment
information and medical records. Even information about a patient’s
planned future procedures is PHI. Government regulation of PHI is
covered in the HIPPA Privacy Rule, and all healthcare providers in the
United States must adhere to it or face fines.

PHI data is some of the most valuable data on the black market. Many
hackers prefer PHI data over standard credit card data due to the
amount that they can earn through health insurance fraud. With many
banks having limits on account transfers or alerts for frequent
transactions, bank account and credit data has become even less

Health insurance fraud is more difficult to trace by law enforcement
than unauthorized credit card usage. This fraud can enable criminals
to obtain access to prescription medications, get medical services or
even purchase expensive medical equipment that can resale at a much
higher price on the black market. Healthcare data is even being used a
lot to file false tax returns. Most times, the cost on the black
market for healthcare information is multiple times higher than credit
card records.

Benefits of storing PHI in the cloud

Storing healthcare data in the cloud gives users the ability to access
it across a variety of electronic devices while eliminating the costs
and technical challenges associated with maintaining an infrastructure
system on site.

Many health providers would prefer to move their infrastructure to the
cloud so they can focus on what they perform best, which is provide
healthcare services. Also, the capital cost of managing a data center
can vary each year due to hardware refreshes. But hosting data in the
cloud can provide more static cost each year, which makes the budget
for managing it simpler and more predictable.

Cloud services allow data to be stored in multiple locations. This can
be beneficial if there is a fire, natural disaster or power outage and
can provide reassurance that critical business functions or operations
will not be interrupted.

Having options for data being stored in multiple locations can
contribute to increasing the speed that users can access it. For
example, if a health provider has a data center in New York but most
of its customers are in California, then this would degrade
application performance due to increased latency because of the long
distance. If a cloud provider has a data center in California, then
the organization can work toward hosting their critical applications
within that data center without having to pay the up-front capital
costs of a building a new data center. Having most of its users closer
to the data center can contribute to reduced latency and better
application performance for it users.

Another possible benefit of storing data in the cloud is a healthcare
provider would have a business associate agreement (BAA) with the
cloud provider, which can include a shared responsibility in cases of
a PHI breach. The level of responsibility shared would be written out
in the BAA and could reduce the impact of a PHI breach on the cloud
customer. Fines and other costs associated with the breach can be
shared with the customer and cloud provider.

Risks of storing PHI in the cloud

The cloud is an off-premise system in which data needs are outsourced
to a third-party provider. These providers are trusted to perform
updates, maintenance and manage security. The downside is you are
placing responsibility for your data with someone else. The key point
to remember is that no business is ever going to be as passionate
about looking after your data as you.

Another risk of storing data in the cloud is insider threats. Security
breaches from the inside are on the rise. Once an employee or an
attacker posing as an employee gives others access to your cloud
environment, everything from customer data or intellectual property is
up for grabs. The cloud makes this problem a lot worse, since
administrative access can be shared across multiple platforms.

In a cloud environment, you must be concerned with government
intrusions or surveillance. If you store data on a shared drive or the
same devices as another organization and that organization is under
surveillance or requires the drive to be confiscated, it can affect
your data that is stored on the same drive or server.

There is also a lack of standardization within the cloud. There is no
clear guideline that unifies the various cloud providers, and thus it
becomes more challenging with various sectors for which these
providers offer services. Remember, one cloud provider’s definitions
of “safe” may not be the same as another provider.

Customer service is another risk of moving your data to the cloud. If
there is ever a data breach or security update you need immediately
applied, you will need to speak to the provider as soon as possible.
If the provider’s customer service or technical representatives are
unavailable at the time or do not respond in a timely manner, it can
affect the availability or security of your data.

If your systems are not considered mission-critical, you need not
worry so much about security and availability. But if you have PHI or
other mission-critical systems, be prepared to invest in cloud
provider that can provide a level of service that meets your needs.

The biggest risk for cloud computing is you never know how the
provider will perform. Hackers aren’t going away and will keep trying
to access your data. As technology advances, so do the risks that come
with adopting them.

Securing PHI in the cloud

It is important to verify your cloud provider’s security standards are
appropriate. Make sure they have up-to-date procedures on patching and
actively upgrade their equipment. Also, review their security policies
as they pertain to the cloud environment. Your provider should have an
actively managed compliance program that verifies their adherence to
the various regulatory requirements and security standards.

Data protected by law, such as PHI or personal identifiers, should
never be stored in the cloud unless it is encrypted while in storage.
Only certain members of your organization who are required access
should be able to decrypt the data. Your organization should create
policies that detail the circumstances that this information can be
decrypted. All of this should be reviewed and agreed upon in the terms
of service within your agreement with the cloud service provider.

Encrypting data in transit

Your data should also be encrypted when being uploaded to or
downloaded from the cloud. It is your responsibility to make sure this
is always done. Your applications should require an encrypted
connection before anything is transferred to it.

Many cloud providers allow you to share access to your online folders.
Be familiar with the details on how the sharing works. You need to be
aware of who can view these folders and how this is monitored. You
will need to know who is the last person to modify a file and at what
time. Monitoring this activity is critical when storing PHI in the

You must know where all PHI data is stored. Your provider should be
able to give you the exact locations of your data. Also, you should
consider not having your data stored on shared storage resources with
another cloud customer. If it is shared, there is a possibility of
confiscation by law enforcement. Verify that your cloud provider
supports an appropriate data loss prevention solution that will allow
uniform application of information policies across its environment.

An important point to remember about information security is that it
has always been about finding a balance between ease of access and the
sharing of data versus locking down a system. The more you have of
one, the less you have of the other. The key to securing PHI is to
always find the right balance that is the most beneficial to your
organization and customers’ needs.

The decision to use the cloud to store PHI should not be made until
substantial due diligence has been performed on the cloud service
provider. It is best to migrate non-mission critical applications into
the cloud first so you can analyze their performance with
availability, security and customer service before deciding to migrate
applications that contain PHI. You must make sure that their
performance regarding security and compliance is up to the standards
required of your organization and customers. You want complete
confidence in the provider’s ability to keep this most critical data
safe and secure.

More information about the BreachExchange mailing list