Maintaining HIPAA Compliant Cloud Storage
A perfect way of storing and sending medical files is by using HIPAA compliant cloud storage. File-sharing services like Dropbox and Box help you automatically back-up, synchronize and share healthcare files in the cloud and on mobile devices. But unless you protect these services using proper encryption, they can be a HIPAA hazard.
This is a quest post written by Asaf Cidon, Sookasa CEO and co-founder.
Not long ago, healthcare professionals likely would have marveled at an invention that allowed them to easily and instantly back up patient files and share them with other care providers from any location.
At the same time, healthcare professionals may have quaked at the prospect of an invention that could scatter copies of their patient files to exposed locations, giving easy access to potential snoops and identity thieves.
Both inventions exist today, and they’re both the same thing: cloud file sharing.
If you’re not familiar, cloud computing allows users to – among other things – backup files from desktops and mobile devices, and then access these files on demand from any Internet-connected device or browser. On a consumer level, most people are familiar with cloud file-sharing services like Dropbox, Box, and Google Drive, which enable users to automatically backup files to the cloud, share them with friends and colleagues, and automatically get access to the latest version of files from any mobile device.
File sharing services can provide a huge productivity boost for healthcare professionals. For starters, they ensure that you never accidentally lose a single patient file. Even if your entire practice is flooded, for example, and all of your computers and paper files are destroyed, your files will still be safe if you’ve backed them up with a service like Dropbox.
These services also enable you to synchronize files across a number of different devices. So, even if you take notes on a tablet with a patient, annotate them on a desktop computer in your office, and then continue to work on them on your laptop at home, you’ll always have access to the most up-to-date version of your data.
Additionally, file-sharing services like Dropbox make it extremely easy to seamlessly share files with other colleagues involved in your patient’s care.
With these productivity gains, unfortunately, also come increased risks. Dropbox and other file-sharing services do their best to secure and encrypt your documents while they’re stored on their servers. But, as soon as someone downloads the files you’ve sent them to a device, they’re unprotected again.
Consider what might happen if your share a patient file with a colleague on Dropbox or Box. That file will immediately get synchronized to all of your colleague’s devices, including all of her phones, tablets and laptops. All it takes is for one of those devices to be lost or stolen, and you’ve got a major security breach (and, with 12,000 laptops stolen each week at U.S. airports alone, this is not a far-fetched scenario).
New HIPAA regulations require healthcare organizations to report any loss or accidental sharing of information about 500 or more individuals, with potential fines as high as $1.5 million, plus civil liabilities. Even losing a single patient record is a HIPAA breach that exposes you to legal liability. More than 60 percent of HIPAA violations are the result of lost or stolen devices, so this isn’t a threat that even small family therapy practices can afford to take lightly.
A lost device isn’t the only security threat that accompanies cloud-based file-sharing services. For example, you or someone you’ve shared a file with might accidentally type in the wrong email address when sharing it with someone else, inadvertently placing it in the wrong hands. Even if you intentionally share a file with someone, there’s nothing stopping them from passing it along to someone else or uploading it to other cloud-based services. Furthermore, most file-sharing services only audit files while they’re stored in the cloud (and even then, these audits don’t necessarily comply with HIPAA), so your documents could be scattered without you ever even knowing about it.
If you also use file-sharing services for billing records, these risks are multiplied.
None of this should scare you away from using the cloud, however. As mentioned above, file-sharing services are tremendous tools for boosting productivity. And frankly, they’re probably no less secure than what you’re already using. If you’ve ever emailed a patient file without encrypting it, for example, you’ve put that data at risk.
While some healthcare professionals will actually go to the trouble of postal mailing patient documents or even hand delivering them to ensure confidentiality there are a number of tools that can now help you keep patient data secure while you take advantage of the benefits that cloud sharing has to offer.
One option is to approximate the cloud by setting up your own file server, although this can be clunky and expensive. You could also use a file-sharing service and protect your files by encrypting all of your devices. However, this solution only works if you can ensure that files are only opened from the devices you control, and also requires considerable IT support.
This simplest, most effective solution is to purchase a software product specifically designed to encrypt the files you share over the cloud. Our company, Sookasa, provides such a solution. Sookasa allows healthcare professionals to utilize their enjoy the significant productivity benefits of cloud-based file sharing, while preventing HIPAA breaches by encrypting files after they have been downloaded or shared externally.
By properly securing the files you share, you can enjoy all of the productivity rewards of the cloud – without exposing your patients and your practice to unacceptable risk.
Asaf Cidon is CEO and co-founder of Sookasa. Cidon is also a Stanford PhD candidate, specializing in mobile and cloud computing. He founded Sookasa with the mission of allowing businesses to control their data securely via the cloud with a product that encrypts, audits and controls access to files stored on Dropbox, and complies with HIPAA and other government agency regulations. Learn more at www.sookasa.com.