Debunking the myths about HIPAA compliant cloud storage
As cloud storage and sharing options have boomed, deciding which solution actually fits your needs might be more confusing than ever. Layer on the already confusing requirements for HIPAA compliance, and the prospect of moving your healthcare organization to the cloud might suddenly seem daunting. After all, misconceptions about HIPAA compliant cloud storage providers abound.
But that shouldn’t lead you to conclude that you can’t find HIPAA compliant cloud storage. Choosing to rely on increasingly outdated legacy systems risks leaving you behind in this current healthcare environment. Just consider the pressure you stare down daily. Healthcare is increasingly fast-paced, and demands on individual providers are growing rapidly. The natural solution—the only solution, really—is to find ways to be more efficient. The key is doing so in a way that improves, rather than detracts from, patient care.
The cloud offers the ability to access data anywhere, at any time and from any device. What’s more, it comes at a competitive cost, making it a viable option for staying organized and collaborating toward the shared goal of improving quality of care efficiently. So we’re here to debunk the myths and help you select a HIPAA compliant cloud storage provider.
HIPAA compliant cloud storage myth no. 1: All encryption is created equally
When thinking about how best to protect sensitive information in accordance with HIPAA, your mind might first go to encryption. That impulse is appropriate for anyone searching for HIPAA compliant cloud storage: encryption is the obvious way to protect your most sensitive data, because it renders the contents unreadable to anyone who doesn’t hold the key.
But it turns out that there’s a fair amount of variety in encryption itself, and when it comes to HIPAA compliant cloud storage, not every approach is equally appropriate. In our minds, the best, by far, is end-to-end, file-level encryption for your chosen cloud-based file sharing service. File-level encryption protects each discrete file or folder with its own unique key, applied on the device before the data ever reaches the cloud. That means the file is protected regardless of where it’s stored or sent, because you’re encrypting the data itself rather than just the disk it rests on or the connection it travels over. Contrast this with the provider’s own encryption at rest, which protects against someone walking off with the provider’s disks but leaves the data readable to anyone holding a valid account session. Files remain encrypted and are tracked by Sookasa even when the cloud application synchronizes them to a device. So even if they’re sent via email or downloaded to a laptop or phone, they remain protected and auditable.
HIPAA compliant cloud storage myth no. 2: Encryption is enough
Encryption alone isn’t robust security if there’s no way to control access to data in real time or examine what has happened to it historically. For example, providers should make it possible, and easy, for administrators to track every operation performed on every encrypted file. Preserving a complete version history of your company’s files, as Dropbox for Business does, helps track and recover any changes made to a file. Sookasa takes integrity controls a step further: we attach a hash-based message authentication code (HMAC) to each file, so that anyone without its encryption keys cannot modify the file without the change being detected and the file being rejected. Together, Sookasa and Dropbox combine to create a HIPAA compliant cloud storage option that’s actually convenient.
Device loss / theft protection
When a device is lost or stolen, you might feel like there’s little to be done to stem a threat in progress. But certain HIPAA compliant cloud storage solutions, such as Sookasa, provide a device block feature, with which users or their administrators can remotely wipe the keys associated with a device or user, so that the device can no longer decrypt sensitive information; the encrypted files it still holds become useless ciphertext. Automatic logoff helps as well: terminating a session after a period of inactivity limits what someone who picks up an unattended device can do.
No one wants to think about the threat current or former employees pose, but you need only scan the Department of Health and Human Services breach site to know that it can happen to anyone. Consider the case of a Colorado-based spine clinic that had to notify patients of a HIPAA breach after a former employee emailed herself a document containing the protected health information of more than 500 patients, including names, insurance information and surgical procedure data. Using technology to stop such a thing from happening gives teeth to the policies you may already have in place about who should and shouldn’t have access to sensitive data. And in situations in which permission needs to be revoked quickly, technology plays a key role. Sookasa, for example, features real-time access revocation for terminated employees and business associates, a key feature for any true HIPAA compliant cloud storage option.
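The three controls discussed above (one key per file, an HMAC integrity tag checked before decryption, and a device block that revokes a lost device’s keys while the keys live apart from the ciphertext) fit together as follows. This is an added illustration, not Sookasa’s or Dropbox’s code, and the page does not document Sookasa’s actual construction: the HMAC-based stream cipher, the `KeyServer` class, the device and file names and the sample patient record are all constructed for this example, and a real deployment would use a vetted AEAD such as AES-GCM instead of the toy keystream.

```python
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


class IntegrityError(Exception):
    """HMAC tag mismatch: the blob was altered or the key is wrong."""


def _subkey(file_key: bytes, label: bytes) -> bytes:
    # Derive independent encryption and MAC keys from the per-file key (HMAC as a KDF).
    return hmac.new(file_key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy CTR-style keystream HMAC(enc_key, nonce || counter); illustrative only,
    # a real deployment would use a vetted AEAD such as AES-GCM.
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


def encrypt_file(file_key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256 tag over nonce || ciphertext.
    enc_key, mac_key = _subkey(file_key, b"enc"), _subkey(file_key, b"mac")
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def decrypt_file(file_key: bytes, blob: bytes) -> bytes:
    # Verify the tag before touching the ciphertext; any bit change is rejected.
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise IntegrityError("blob too short")
    enc_key, mac_key = _subkey(file_key, b"enc"), _subkey(file_key, b"mac")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise IntegrityError("file modified or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KeyServer:
    """Hypothetical key service: keys live here, ciphertext lives in cloud storage."""

    def __init__(self):
        self.file_keys = {}      # file_id -> random 32-byte key, one per file
        self.authorized = set()  # device_ids currently allowed to receive keys
        self.device_cache = {}   # device_id -> {file_id: key} already pushed to that device
        self.audit_log = []      # (device_id, file_id, outcome), one entry per key request

    def new_file_key(self, file_id: str) -> bytes:
        self.file_keys[file_id] = os.urandom(32)
        return self.file_keys[file_id]

    def open_on_device(self, device_id: str, file_id: str, blob: bytes) -> bytes:
        cache = self.device_cache.setdefault(device_id, {})
        if file_id not in cache:
            allowed = device_id in self.authorized
            self.audit_log.append((device_id, file_id, "granted" if allowed else "denied"))
            if not allowed:
                raise PermissionError(f"{device_id} is not authorized")
            cache[file_id] = self.file_keys[file_id]
        return decrypt_file(cache[file_id], blob)

    def revoke_device(self, device_id: str) -> None:
        # "Device block": stop issuing keys and wipe those already on the device.
        self.authorized.discard(device_id)
        self.device_cache.pop(device_id, None)


def demo() -> dict:
    server, cloud = KeyServer(), {}  # cloud stores ciphertext only, never keys
    server.authorized.add("laptop-1")
    record = b"Patient: Jane Doe, MRN 0000001, procedure: lumbar fusion"  # constructed sample PHI
    cloud["notes.txt"] = encrypt_file(server.new_file_key("notes.txt"), record)
    results = {"provider_sees_plaintext": b"Jane Doe" in cloud["notes.txt"]}
    results["authorized_read"] = server.open_on_device("laptop-1", "notes.txt", cloud["notes.txt"]) == record
    tampered = bytearray(cloud["notes.txt"])
    tampered[NONCE_LEN + 9] ^= 0x01  # flip one bit of ciphertext
    try:
        server.open_on_device("laptop-1", "notes.txt", bytes(tampered))
        results["tamper_detected"] = False
    except IntegrityError:
        results["tamper_detected"] = True
    server.revoke_device("laptop-1")  # laptop reported lost
    try:
        server.open_on_device("laptop-1", "notes.txt", cloud["notes.txt"])
        results["read_after_revoke"] = True
    except PermissionError:
        results["read_after_revoke"] = False
    results["denied_events"] = sum(1 for _, _, o in server.audit_log if o == "denied")
    return results
```

Run `demo()` and note the ordering in `decrypt_file`: the tag is checked over nonce and ciphertext before any decryption happens, so a flipped bit never yields corrupted plaintext, it yields a rejected file and a denied entry in the audit log. Because the storage side only ever holds `cloud["notes.txt"]` and the key side only ever holds `file_keys`, compromising either one alone does not expose the record, and revoking a device is a key operation rather than a (possibly unreachable) disk wipe.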
HIPAA compliant cloud storage myth no. 3: Any cloud storage provider will do
Even cloud storage companies that tout their HIPAA compliance aren’t risk-proof. So what are the two biggest risks you face with any of the big cloud storage services? Two words: Device. Sync.
Here’s the rub: The biggest advantages of the cloud, the very things leading you to consider it, are also the biggest threats to your security. Sync copies every file, readable, onto every device linked to the account, so a lost laptop or an employee’s personal phone carries the same PHI as the server.
There are two ways to mitigate these threats. First, educate your staff (which you’re doubtless already doing) so they understand the risks and avoid risky behavior. Second, seek out solutions that provide security in these areas, so that protection doesn’t depend on every user remembering the policy every time.
User mistakes remain the no. 1 cause of breaches of protected health information. Inadvertent HIPAA violations run rampant in healthcare, which is why it’s helpful to find a solution that protects the data even when a user slips.
Here are the fast facts on how different providers stack up.
- Dropbox: Dropbox is the most popular cloud storage, syncing and sharing solution for a reason: It’s super easy to use. Dropbox takes numerous steps to ensure that your data is secure, starting with robust encryption at rest and in transit. What’s more, the combination of Dropbox and Sookasa is a HIPAA compliant cloud storage option that extends to devices. Sookasa provides on-device encryption so your sensitive data is protected wherever it is, and also delivers the administrative and audit capabilities the regulations call for.
- Google Drive: An essential preface: The HIPAA-compliant version of Google Drive likely isn’t the Google you know and love. The functionality is largely the same, but the company’s free services are not covered under HIPAA. Google will sign a BAA for paid users that covers Gmail, Google Drive, Google Calendar and Google Vault. To be compliant across the universe of Google Apps, it’s therefore necessary to disable the other Google services, and users often have to disable sync as well unless another encryption solution is applied.
- Microsoft OneDrive: Microsoft will also sign a BAA that covers mail, file storage, calendars and other aspects of the Microsoft Online offering. Office 365 meets many of the compliance requirements for health organizations around the world: the HIPAA Business Associate Agreement memorializes the implementation of physical, technical and administrative safeguards, and the service meets the breach notification requirements of ARRA/HITECH.
- iCloud: iCloud’s security struggles have been well documented following the 2014 celebrity photo hack. It does not offer adequate security or control to ensure HIPAA compliance, and iCloud is therefore not an appropriate destination for PHI. Beyond technical security, iCloud also doesn’t offer the administrative controls organizations need to properly comply with HIPAA.
- Box: Box meets HIPAA’s security and technical requirements and will sign a business associate agreement, but only for Enterprise or Elite customers, which means compliance doesn’t come cheap. Box offers server-side encryption in transit and at rest, restricted physical access to production servers, strict logical system access controls, configurable administrative controls to enable explicit authorization and monitor access, and restricted employee access to customer data files. That said, none of this covers PHI once it’s synced to devices, which can be problematic for many users.
So, why are two solutions better than one? In short, no cloud storage provider alone provides adequate protection, particularly once data is synced to devices. The added strength of Sookasa makes the most user-friendly option, Dropbox, HIPAA compliant. What’s more, it’s essential to separate data from keys, so that whoever holds the ciphertext cannot read it; that separation is an added precaution Sookasa delivers.