The Cloud Isn’t a Security Blanket!
Even if you have all of your stuff in cloud, you’re still at risk of an attack. You can just as easily get infected in the cloud as you could on your local server. The hardware is similar, so is the software and so are the updates and patches. If you are accessing the cloud from an infected computer, someone may be able to access your data if that computer or device is not secure. The BIGGEST misconception with the cloud is your data is safe.
Most healthcare offices (and their IT Support) lose focus on security.
All you need to crack the cloud is a Trojan (malicious software disguised as legitimate software). Maybe someone on your staff is working from home, clicks on a link and is infected with some malware that starts recording EVERY keystroke. Over the course of their work day, unknowing that their machine is infected, they log into all sorts of accounts—including logging into your cloud! A criminal now has the exact credentials to access ALL of your cloud data. They may ransom it, or they may just steal it. Either way, your cloud was breached. HIPAA was violated, and your business is at risk of hefty lawsuits, fines, and attrition.
All it took was fooling the office manager.
An office’s cloud was breached and no one knew about it. It took 3 days for anyone to notice. Hackers took 180 records PER day from cloud storage that was supposed to be protected. All of this happened because the office manager clicked on an email link warning that her Microsoft password had been compromised. From there, malware was installed on her computer, her password credentials to the cloud were compromised, and data started trickling out of the office. Over 500 health records were leaked and sold on the black market. That’s more than 500 patients with compromised data—from one doctor’s office. All because of one simple email click (and overconfidence that the cloud was impenetrable).
500 is the magic number for HIPAA. If an organization gets breached or data gets leaked, if 500 individuals or more are impacted, HHS is required to keep record of your breach. That means public records. News stories. And all that goes with having a tarnished reputation.
How can you really tell if your BA meets HIPAA requirements? Before signing on that dotted line, ask them for their BA agreement. If they have one, great! Evaluate it and let your legal team evaluate it. But if they don’t and you end up handing over your own BAA for them to sign, you should expect them to have some questions—be thoughtful when reviewing it and taking time (likely delay signing a contract or SLA) until they’ve been able to review and follow up with you on the BAA.
First and foremost, cloud vendors (and any managed service provider, for that matter!) that specialize in any capacity within healthcare need to have a business associate agreement (BAA) ready for you to read. To be quite clear, any vendor you work with that may have any chance of accessing your PHI data.
The take home: find a cloud vendor that really is secure and compliant, one that goes out of their way to produce documentation as how they comply with HIPAA standards and that has a Business Associate Agreement in hand when you initiate a discussion with them about forming a relationship. And even if you find a vendor that’s good enough to trust, you still have some services—your domain controller or active directory to worry about (things they won’t be able to easily put in the cloud). These are servers you’re going to probably keep around at your facility.
And even if you decide to go to the cloud, that DOESN’T mean you’re through with physical servers onsite!
To recap…
The cloud doesn’t necessarily mean your data is safe. Even if you use the cloud, you’re still susceptible to ransomware attacks and data breaches.
Even vendors that say they’re securing your data (backing it up and guaranteeing failover) may not be—we’ve had to pick up the pieces when cloud vendors fail at configuring backups properly or don’t actually test that backups are actually working.
AND after putting your trust in a cloud vendor and thinking everything is ‘safe’ in the cloud, you’re still stuck with physical servers onsite!
What’s an alternative to the cloud?
Consider a private virtual cloud. One that’s onsite (so you still have control and ownership of your data), but a solution that gives you the peace of mind that everything is getting backed up properly. It’s like the cloud but safer.
Ask us about getting a private virtual cloud that puts you in control of your data.
