Establishing best practices for securing sensitive healthcare information in the cloud

Using Cloud Services to Store and Process Electronic Health Information Healthcare organizations increasingly are turning to encrypted cloud services that offer the convenience effect associated with the tradeoff between storing sensitive healthcare information on their own servers and utilizing a commercially operated cloud service. Concerns about strict, pervasive security protections in HIPAA and other healthcare regulations are being addressed by creative solutions and technical innovation. New cloud-based healthcare information technology services are helping organizations, physicians, and patients manage the massive volumes of electronic health information being generated and consumed every day (Dilsizian & Siegel, 2014; Lee & Yoon, 2017; Davenport & Kalakota, 2019). Cloud services address the often challenging issues of system accessibility and downtime by allowing electronic health information to be stored and retrieved from remote servers accessible through the Internet. Virtualization technology, coupled with a variety of increasingly affordable storage options, allows cloud service providers to store significant amounts of data in a cost efficient manner, keeping subscription fees lower and making affordability a non-issue for many organizations. Yet, providing security protections, user access controls, monitoring, and identification of data breaches, while normal responsibilities of any organization holding sensitive data, take on added complexity when the data resides on a third-party's server. Cloud service customers are responsible for protecting the security and integrity of their sensitive information and must take extra precautions. Both government and private sector cybersecurity agencies and organizations have issued recommendations on steps to take to ensure the security of sensitive healthcare information stored in the cloud, which are discussed in more detail later. What-if scenarios regarding vulnerability to breaches of sensitive information, the associated potential liability, and the value of reputation for excellent cybersecurity must weigh heavily into the decision whether to utilize cloud services to store and process electronic health information.That is why establishing best practices for managing sensitive healthcare information in the cloud can help organizations to develop effective security risk management processes. Understanding the paths by which security breaches may occur and the harm they could cause is a fundamental component of any risk assessment and decision-making, yet medical organizations may struggle even to identify their most sensitive data, let alone create specific methodologies or best practices for its protection. The available cloud security guidelines and standards may be well known or even widely adopted. However, little guidance is available to assist organizations through the process of protecting sensitive healthcare information stored in the cloud, especially when the information retains its sensitive status only while stored in the cloud. Without best practices, organizations may struggle even to identify their most sensitive data, let alone create specific procedures for its protection.