From hurricanes to hackers, there's a lot that can go wrong with your data. If a major storm takes out power to a cloud provider's sole computer center, a hospital's entire cloud-based system could go offline, hamstringing doctors indefinitely. Should a hacker decide to hit a data warehouse, the integrity of an entire healthcare network's IT could be compromised.
With so much riding on unfettered and highly secure access to healthcare data of every kind – from prescription information to scheduling to payroll – keeping that data ironclad is more important than ever.
Kurt Hagerman, compliance director for Dallas-based cloud firm FireHost, talks about six key points that should be second nature to anybody concerned with securing their data from natural disasters or malicious cyber marauders.
1. Demand redundancy. Many people see an attractive solution in the cloud these days. But if the cloud should fail, hospitals are high and dry. Redundancy is something that clients should seriously consider, says Hagerman. "If you are going to work with a vendor who is providing cloud services, it's great if they have the newest mousetrap from a technology perspective," he says. "But who's backing them up, from a hosting perspective?" Hagerman advises looking for hosts with tier four data centers, which have the highest level of redundancy.
Redundancy is a word that gets thrown around a lot, but make sure a provider really means what they say, he adds. "Tier one doesn't have a lot of redundancy in terms of electricity or air conditioning." A tier four system does more than just back data up: "All the power is going to come from two separate power systems," says Hagerman. "They might even have two separate battery backup systems. When you get to tier four, all the cooling equipment is dual-powered, and everything is fully redundant. They might even locate their centers where they can sit on two different [power] grids."
2. Adopt HITRUST standards. "HIPAA doesn't actually provide much prospective information on what you're required to do" with regard to data security, says Hagerman. Hospitals that want to stay on the cutting edge should look into HITRUST, an organization that was founded a few years ago to help hospitals "understand what their HIPAA responsibilities are."
Borrowing heavily from standards such as PCI DSS, which was established within the credit card industry, HITRUST has been adopted by many large healthcare systems, and relies on accredited third-party auditors to provide high-quality assessments of a hospital's information security. HITRUST has "harmonized controls from PCI DSS and state control laws," says Hagerman, describing its standard as having "taken the best from all of the other published controls."
Because there is no official Health and Human Services Office of Civil Rights (OCR) standard for IT security yet, and because it would be costly to retool a system that didn't conform to a government-mandated rule set, how worthwhile an investment is it to buy into an independent standard? Hagerman thinks that an OCR accreditation and one from HITRUST would be pretty similar. "Anybody who goes through the HITRUST process, although it's not OCR-recognized, will find themselves in very good shape," he says.