Medical data is one of the most sensitive types of data and, like lawyers, some doctors have reservations about storing confidential client data "in the cloud." The security of storing Electronic Health Records and related data on-premise is perceived by many doctors to be more secure than cloud-based alternatives.
This thinking is challenged by a US Department of Health and Human Services (HHS) study that assesses the root cause of significant data breaches involving health information. The study finds the top causes of breaches of the Health Insurance Portability and Accountability Act (HIPAA) to be:
- Physical theft of devices / servers
- Accidental loss of devices
- Unauthorized access to devices
The causes listed above accounted for nearly 80% of the 221 HIPAA breaches assessed in the survey. The top 5 violations identified by the HHS were as follows:
- Health Net. 1,900,000 individuals affected. Cause: portable disk drive stolen from Health Net’s California office.
- NYC Health & Hospitals Corporation. 1,700,000 individuals affected. Cause: hard drives storing health record information stolen from the back of a van.
- AvMed. 1,220,000 individuals affected. Cause: laptops stolen from the corporate office in Gainsville.
- Blue Cross Blue Shield of Tennessee. 1,023,209 individuals affected. Cause: hard drives storing health record information were stolen from an IT closet.
- South Shore Hospital. 800,000 individuals affected. Disk drives were lost when being transported to a contractor for destruction.
All of these breaches can be attributed to the use of on-premise systems. If these organizations were leveraging the cloud, it would eliminate the possibility of physical theft, and eliminate the need to transport sensitive data via USB drives, laptops, and other devices that are easily lost or stolen.
The data from this study highlights the tremendous level of risk associated with storing data locally. While storing data in the cloud does theoretically introduce new risks, these risks appear to be dwarfed by the difficulty of attempting to secure on-premise data.