File sharing and collaboration services offer many advantages to HIPAA-covered companies, but they can also introduce risks to the privacy and security of electronic health information. Many organizations, healthcare organizations among them, use these services, yet the services can lead to the exposure or disclosure of sensitive information.
The Department of Health and Human Services’ Office for Civil Rights (OCR) has recently issued a release warning covered entities and business associates of the potential weaknesses associated with file sharing and collaboration tools. It explains the risks these tools can introduce and how covered companies can use them while remaining in compliance with HIPAA Rules.
While file sharing services and cloud computing may incorporate all the protections required to secure data against access by unauthorized persons, over the past few years there have been numerous instances where human error has led to misconfigurations. Those mistakes have resulted in data breaches.
A Metalogix survey carried out by the Ponemon Institute found that 50% of companies that use the file sharing tool SharePoint had a confirmed data breach within SharePoint in the last two years. That does not mean that SharePoint should not be used, nor that healthcare groups should avoid other cloud and file sharing services. If these cloud services and tools are to be used, covered companies and business associates must complete a thorough risk analysis to identify potential weaknesses and risks to the confidentiality, integrity and availability of ePHI. Risk management policies must then be implemented to reduce those risks to an acceptable level.
Improper configurations should be identified during a risk analysis, although OCR also advises that organizations conduct vulnerability scans. Scans should help covered companies find potential flaws such as software misconfigurations, obsolete software or missed patches. The recent ransomware attacks (WannaCry and NotPetya) have highlighted the fact that missed patches and/or obsolete software can enable cybercriminals to gain access to networks and install malware.
OCR also points out that covered companies and business associates must enter into a business associate agreement with cloud service providers before the services or tools are adopted.
OCR points to guidance on cloud computing tools issued last year (2016). The guidance helps covered companies wishing to use cloud computing tools to implement those solutions while adhering to HIPAA Rules.
These guidelines can be downloaded from the OCR website.