Let’s talk about data security, the cloud, and e-health technology. In an era of digital transmissions, data security may be the elephant in the room of today’s healthcare technology applications.
As cloud computing continues to expand in the healthcare space, with growth predictions hovering around $9.48 billion by 2020, how will the massive amounts of data stay safe and HIPAA-compliant?
As organizations continue to use the cloud to store data and to treat remote patients in e-health applications, what are important best practices for technology service providers to adopt?
Perhaps even more importantly, how can a patient and their trusted physician be confident that their e-health visit will remain confidential?
E-Health Security Best Practices
“Without adequate security and privacy protections for underlying telehealth data and systems, providers and patients will lack trust in the use of telehealth solutions.”
You’ve probably read about how hospitals have been having some widespread data breaches lately that have caused CIOs some sleepless nights. Check out these headlines:
- LifeBridge Health reveals breach that compromised health data of 500,000 patients.
- UnityPoint Health System hit with cyberattack affecting 16,000 patients.
- Ransomware attack against California provider breaches data of 85,000 patients.
What’s interesting about these stories is that the breaches occurred when a hospital employee opened an email infected with malware or a computer virus. These are preventable human errors that can be mitigated with security education and network monitoring. In fact, nearly 80% of all healthcare leaders say their cybersecurity concerns are tied most closely to employee awareness.
But what about the security infrastructure behind today’s electronic transmissions?
While the privacy of any data traveling in the cloud between facilities is subject to scrutiny, medical data is particularly sensitive. E-Health applications involve the bidirectional sharing of digital data between patients and providers. The information network, at a minimum, can include:
- Two (or more) endpoints, which could be a laptop, smartphone or another device.
- The cloud to transmit the data.
- Mobile software applications.
- The server that holds data.
- The EMR.
A ComputerWorld article lays out fundamental data and security requirements for any e-health platform:
- Data security is an end-to-end process that must be managed constantly. With hackers always seeking new vulnerabilities to exploit, any cloud-driven application must be updated frequently to stay ahead of threats.
- Data security must balance absolute protection with user access. Whether it is a mobile application, EMR, or e-health, the answer is about secure access – a two-word phrase that isn’t, in our minds, an oxymoron. User access should be controlled via an authentication process that is simple yet effective.
- Security is a function of budgets, which is why EMRs and e-health applications were originally out of reach for the smaller practice. Today, thanks to the cloud, applications formerly available only to those with hospital-sized budgets have been democratized for even the smallest ambulatory site.
- Encryption is the key to data security. Encryption locks electronic data so that no one without the key can access the information. Even if a hacker gets through the network security controls to the data, it will be meaningless.
Encryption should cover data in transit as it is uploaded, data at rest in cloud or on-premises storage, and data on its way back down to patients or providers. Having secure wireless protocols for e-health applications like OrthoLive means that data is secure at each stage of the patient/doctor interaction.
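The "meaningless even if a hacker reaches the data" property depends on using an authenticated mode, not just AES. The following is an added example (not OrthoLive's code, and not from the ComputerWorld or AWS material cited on this page) showing a PHI record sealed at rest with AES-256-GCM in Go's standard library. The record type, field names, patient identifier and sample note are constructed for illustration, and DemoKey derives a fixed key only so the example runs offline; a deployment would fetch the key from a managed key service. The patient ID is bound as associated data, so a ciphertext moved onto another patient's record refuses to open, and any altered byte is rejected instead of decrypting to corrupted notes.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// DemoKey returns a constructed 32-byte key for this example only.
// A real deployment obtains the key from a managed key service and
// never derives it from a fixed string like this.
func DemoKey() []byte {
	sum := sha256.Sum256([]byte("constructed-demo-key-not-for-production"))
	return sum[:]
}

// EncryptPHI seals a PHI record with AES-256-GCM.
// A 32-byte key selects AES-256; GCM adds an authentication tag so that
// any modification of the stored ciphertext is detected on decryption.
// The patient ID is bound as associated data: it is not encrypted, but a
// ciphertext copied onto another patient's record will fail to open.
// Output layout is nonce || ciphertext || tag.
func EncryptPHI(key []byte, patientID string, plaintext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// Fresh random nonce per record; a GCM nonce must never repeat under one key.
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(patientID)), nil
}

// DecryptPHI reverses EncryptPHI. It returns an error, never garbage,
// when the key, the patient ID or the ciphertext bytes do not match.
func DecryptPHI(key []byte, patientID string, sealed []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns+aead.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], []byte(patientID))
}

func main() {
	key := DemoKey()
	// Constructed sample visit note; not real patient data.
	note := []byte("Visit 2024-01-15: post-op knee check, range of motion improving")
	sealed, err := EncryptPHI(key, "patient-0001", note)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes of ciphertext for %d bytes of PHI\n", len(sealed), len(note))

	// Flip one stored byte: decryption must fail rather than return altered notes.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := DecryptPHI(key, "patient-0001", tampered); err != nil {
		fmt.Println("tampered record rejected:", err)
	}
}
```

The same sealed blob is what travels over TLS during upload and download, so the at-rest and in-transit layers are independent: a compromise of the storage bucket alone yields only ciphertext, and the key never leaves the key service.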
Organizations including the cloud providers themselves work tirelessly to secure their networks from external threats. Offering end-to-end encryption, counseling patients on conducting the visit in a private place, or not sharing their secure login information are additional steps that can be taken to ensure security.
While the benefits of e-health applications are clear, the responsibility for providers to set up firewalls, encryption, and other security features is just as clear. Security controls should extend all the way to both ends of the application and the network access points.
E-Health and HIPAA
The HIPAA Omnibus Rule states that patient privacy must be ensured on any electronic transmission. The Center for Connected Health Policy says that if personal health records are utilized in an e-health application, data security protocols must follow the same rules as an in-person visit. The HIPAA Journal offers guidelines for understanding what defines HIPAA compliance in e-health applications:
- Only authorized users should have access to the e-health application.
- A documented security system should be in place to protect patient health information (PHI).
- A system to monitor the e-health application must be in place.
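The "simple yet effective" authentication called for above, together with the first and third HIPAA Journal points (authorized users only, and a monitoring system), come down to one gate in front of every PHI read. The following is an added example, not OrthoLive's code or any cited guideline's reference implementation, of such a gate in Go. The roles, the MFAVerified flag, the care-team model and the identifiers such as dr-smith and patient-0001 are constructed for illustration. The gate admits a patient only to their own record and a provider only to patients on their care team, denies platform administrators PHI access entirely, refuses anyone whose second factor has not been verified, and appends an audit entry for every decision so that repeated denials are visible to monitoring.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Role models the three kinds of users assumed for this example.
type Role int

const (
	RolePatient Role = iota
	RoleProvider
	RoleAdmin
)

// User is the authenticated principal. MFAVerified records that login
// completed a second factor; the gate requires it before any PHI access.
type User struct {
	ID          string
	Role        Role
	MFAVerified bool
}

// AuditEntry is kept for every access decision, allowed or denied.
type AuditEntry struct {
	When      time.Time
	ActorID   string
	PatientID string
	Action    string
	Allowed   bool
	Reason    string
}

// AccessGate decides who may touch a patient's record and logs each decision.
type AccessGate struct {
	careTeam map[string]map[string]bool // patientID -> set of provider IDs
	Audit    []AuditEntry
}

func NewAccessGate() *AccessGate {
	return &AccessGate{careTeam: make(map[string]map[string]bool)}
}

// Assign records a treatment relationship between a provider and a patient.
func (g *AccessGate) Assign(patientID, providerID string) {
	if g.careTeam[patientID] == nil {
		g.careTeam[patientID] = make(map[string]bool)
	}
	g.careTeam[patientID][providerID] = true
}

// decide is the policy: patients read only their own record, providers only
// patients on their care team, and administrators never read PHI this way.
func (g *AccessGate) decide(u User, patientID string) (bool, string) {
	if !u.MFAVerified {
		return false, "authentication incomplete: second factor not verified"
	}
	switch u.Role {
	case RolePatient:
		if u.ID == patientID {
			return true, "patient reading own record"
		}
		return false, "patient may only access own record"
	case RoleProvider:
		if g.careTeam[patientID][u.ID] {
			return true, "provider on patient's care team"
		}
		return false, "no treatment relationship with patient"
	case RoleAdmin:
		return false, "administrator role has no PHI access"
	}
	return false, "unknown role"
}

// Authorize returns nil when access is permitted and always writes an audit
// entry, so denied attempts reach monitoring just like successful ones.
func (g *AccessGate) Authorize(u User, patientID, action string) error {
	allowed, reason := g.decide(u, patientID)
	g.Audit = append(g.Audit, AuditEntry{When: time.Now(), ActorID: u.ID,
		PatientID: patientID, Action: action, Allowed: allowed, Reason: reason})
	if !allowed {
		return errors.New(reason)
	}
	return nil
}

// DeniedCount is the kind of query a monitoring job runs over the audit trail:
// repeated denials for one actor point to a misconfigured account or probing.
func (g *AccessGate) DeniedCount(actorID string) int {
	n := 0
	for _, e := range g.Audit {
		if e.ActorID == actorID && !e.Allowed {
			n++
		}
	}
	return n
}

func main() {
	gate := NewAccessGate()
	gate.Assign("patient-0001", "dr-smith") // constructed sample identifiers
	for _, r := range []struct {
		u       User
		patient string
	}{
		{User{"dr-smith", RoleProvider, true}, "patient-0001"},
		{User{"dr-jones", RoleProvider, true}, "patient-0001"},
		{User{"patient-0001", RolePatient, true}, "patient-0002"},
		{User{"dr-smith", RoleProvider, false}, "patient-0001"},
	} {
		err := gate.Authorize(r.u, r.patient, "read-visit-notes")
		fmt.Printf("%-13s -> %s allowed=%v\n", r.u.ID, r.patient, err == nil)
	}
	fmt.Println("audit entries:", len(gate.Audit), "denials for dr-jones:", gate.DeniedCount("dr-jones"))
}
```

In a real service the audit slice would be an append-only store that the application cannot rewrite, and the care-team table would be fed from the scheduling or EMR system rather than set by hand; the decision logic itself is what stays small enough to review.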
It should be noted that the HIPAA Journal specifically points to SMS, Skype, and email as unapproved and unsecure methods of conducting an e-health visit.
In addition, the e-health provider must have a Business Associate Agreement (BAA) in place in order to be HIPAA-compliant. HIPAA states that business associates are entities that “create, receive, maintain, or transmit” health data on behalf of a covered entity, in this case, the patient. A BAA requires cloud service providers to understand their obligations to keep data secure and comply with HIPAA security regulations.
How OrthoLive Keeps Data Secure
“To protect data security during electronic transmission, files containing PHI should be encrypted using technologies such as 256-bit AES algorithms.”
Architecting for HIPAA Security and Compliance on Amazon Web Services
E-Health is the next evolution in a cash- and time-strapped healthcare industry. These applications can enhance communication between provider and patient, and the data shows that both clinical outcomes and patient satisfaction improve with this technology.
Enhancing the doctor/patient relationship while offering a secure and effective e-health service is the mission of OrthoLive. Our team has developed an application that brings the doctor to the patient in a virtual house call over our secure network architecture. OrthoLive ensures cybersecurity compliance at every step in the process through the use of 256-bit end-to-end encryption on HIPAA-compliant servers.
Keeping your patient’s PHI secure will allow them to safely experience the convenience of an e-health visit.
To find out more about our secure, affordable e-health service, contact us for a demo today.