Is Your Data Safer in the Cloud?
Medical data is one of the most sensitive types of data and, like lawyers, some doctors have reservations about storing confidential client data “in the cloud.” The security of storing Electronic Health Records and related data on-premise is perceived by many doctors to be more secure than cloud-based alternatives.
This thinking is challenged by a US Department of Health and Human Services (HHS) study that assesses the root cause of significant data breaches involving health information. The study finds the top causes of breaches of the Health Insurance Portability and Accountability Act (HIPAA) to be:
- Physical theft of devices / servers
- Accidental loss of devices
- Unauthorized access to devices
The causes listed above accounted for nearly 80% of the 221 HIPAA breaches assessed in the survey. The top 5 violations identified by the HHS were as follows:
- Health Net. 1,900,000 individuals affected. Cause: portable disk drive stolen from Health Net’s California office.
- NYC Health & Hospitals Corporation. 1,700,000 individuals affected. Cause: hard drives storing health record information stolen from the back of a van.
- AvMed. 1,220,000 individuals affected. Cause: laptops stolen from the corporate office in Gainsville.
- Blue Cross Blue Shield of Tennessee. 1,023,209 individuals affected. Cause: hard drives storing health record information were stolen from an IT closet.
- South Shore Hospital. 800,000 individuals affected. Disk drives were lost when being transported to a contractor for destruction.
All of these breaches can be attributed to the use of on-premise systems. If these organizations were leveraging the cloud, it would eliminate the possibility of physical theft, and eliminate the need to transport sensitive data via USB drives, laptops, and other devices that are easily lost or stolen.
The data from this study highlights the tremendous level of risk associated with storing data locally. While storing data in the cloud does theoretically introduce new risks, these risks appear to be dwarfed by the difficulty of attempting to secure on-premise data.
“In the cloud” is this year’s buzzword bingo for “on a time-sharing server”, an old and well-understood way of trading off capital costs against monthly expenses.
The security trade-off is less risk from your own staff making a mistake, but greater damage if the people you outsource to make a mistake.
And, of course, you then need to ensure that the data is only ever stored on the time-sharing server. If a staffer can download it, they can lose it.
Once you’ve done that, of course, you need to worry about having only one copy, the outsourcer losing it, the backups failing, etc, etc, ite ad infinitum (;-))
–dave
Even if you decide not to store your data “in the cloud”, these are good questions to ask.
It makes me shudder when I hear people rail against outsourcing data storage or storing data in the cloud, but think nothing of having data walking around on laptops or flash drives. Is it more likely that Google is going to expose your data or that your junior is going to leave it in a Starbucks?