
Tips On Storing Patient Information In The Cloud

Posted on June 27, 2018 | Written By

Anne Zieger is a veteran healthcare consultant and analyst with 20 years of industry experience. Zieger formerly served as editor-in-chief of FierceHealthcare.com and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also contributed content to hundreds of healthcare and health IT organizations, including several Fortune 500 companies. Contact her at @ziegerhealth on Twitter or visit her site at Zieger Healthcare.

These days, it’s pretty much a given that providers will store some or all of their data in the cloud, i.e. off-site on a vendor’s servers. For many providers, doing this is a good idea, as it allows them to avoid buying dedicated hardware or upgrading their own storage capacity.

That being said, not all cloud vendors are created equal, and it’s important to pick the right one. After all, providers can face dire consequences if their patient data is breached. Even if the vendor is at fault, providers will take most or all of the blame.

Before storing data on an outside service, it’s important to check the vendor out carefully. Here are some tips on evaluating vendors from David McHale of The Doctors Company:

  • Research the vendor’s security practices: Find out if they have a good reputation and strong security policies in place. Whatever time you put into the research is time well spent.
  • Make sure the vendor can handle all of your data: Bear in mind that many cloud services companies charge by the amount of storage providers use, so being sure those costs are affordable is important. Also, providers should make sure the vendor can handle the amount of data they’d like to store.
  • Be sure that your data is encrypted at all times: Providers should see to it that their data is encrypted when being uploaded to or downloaded from the cloud. This includes ensuring that browsers or apps require an encrypted connection to the vendor’s server.
  • Patient data should be encrypted when stored in the cloud: Never store data protected by law in the cloud, such as medical information or personal identifiers, unless the stored data is encrypted. Also, don’t let anyone decrypt the data unless they are authorized to do so.
  • Learn how access is shared in your cloud folder: Cloud storage vendors often let providers share access to online folders stored on their servers, and it’s important to know how that sharing works. For example, find out whether data in the folder is read-only or whether users can edit the file, and whether managers can find out who last edited a file.
  • Prepare for the worst: Providers should know what they’ll do if their cloud vendor gets hacked or their data is lost. To find this out, they should read the “terms of service” provisions of their contract, which often state that users have little recourse if their data is breached or lost.

To be sure, cloud storage can be a great way for providers to save money on storage and see that their data is backed up offsite. However, it’s important they do their due diligence and see that the vendor will protect that data carefully.

Study Says Physicians Have Major Cybersecurity Problems

Posted on December 18, 2017 | Written By Anne Zieger

New research sponsored by the AMA and consulting firm Accenture has concluded that cyberattacks on medical practices are common – in fact, far more common than one might think.

Not only do these numbers suggest patient data is far more vulnerable than expected, they also suggest that clinicians are often poorly educated about security and the implications of handling it badly. It’s fair to say that unless this trend is turned around, it could undermine industry efforts to build trusting relationships with patients and encourage them to engage in two-way data exchange.

The study found that most physicians (85%) think that sharing electronic protected health information is a good idea and that two-thirds believe that giving patients more access to their health data would improve care. One-third of respondents said that they share ePHI if they trust the vendors involved.

Thirty-seven percent get training content on security from their health IT vendor, and 50% said they trust these training providers and are sure the content is adequate. However, this may be a mistake. While 87% of respondents said that their practice is HIPAA-compliant, the study also found that two-thirds of doctors still have basic questions about HIPAA. It’s clear, in other words, that trusted relationships aren’t doing the job here.

In fact, an eye-popping 83% of medical practices have experienced some form of cyberattack such as malware, phishing or viruses. Not surprisingly, 55% of physicians surveyed are very worried about future cyberattacks. Unfortunately, worrying is what many people do instead of taking action, and that may be what’s going on here.

What makes these lax attitudes all the more problematic is that when attacks occur, the effect can be very substantial. For example, 74% of respondents said that a cyberattack was likely to interrupt their clinical practice, and 29% of doctors working in medium-sized practices said that it could take up to a full day to recover from an attack, a crippling length of time for any small business.

So what are practices willing to do to avoid these problems? Among these respondents, 60% said they would pay someone to create a security framework to protect ePHI. Also, 49% of practices surveyed have in-house security staffers on board. However, it should be noted that three times as many medium and large practices have such an officer in place as smaller medical groups, probably because security expertise is very pricey.

However, probably the most valuable thing they can do is the least expensive on the list. Every practice should require that physicians stay current at least on HIPAA and cybersecurity basics. If medical groups do this, at least they’ve established a baseline from which they can work on other security issues.