The Cloud Security Alliance has published a new resource to help healthcare organizations address the privacy and security risks associated with the processing, storage, and transmission of patient data in the cloud when providing telehealth services.
The COVID-19 public health emergency has required healthcare providers to start providing virtual visits to help control the spread of COVID-19. Telehealth services have been expanded and providers are now treating patients virtually over the telephone and using teleconferencing applications such as Skype and Zoom. While these services have proven invaluable during the pandemic, the technologies used to provide telehealth services can introduce privacy and security risks. Those risks must be identified and mitigated.
“For health care systems, telehealth has emerged as a critical technology for safe and efficient communications between healthcare providers and patients, and accordingly, it’s vital to review the end-to-end architecture of a telehealth delivery system,” said Dr. Jim Angle, co-chair of CSA’s Health Information Management Working Group. “A full analysis can help determine whether privacy and security vulnerabilities exist, what security controls are required for proper cybersecurity of the telehealth ecosystem, and if patient privacy protections are adequate.”
There is a common misconception that cloud service providers are responsible for ensuring the security of patient data stored on their platforms, when that is not actually the case. Cloud services operate under the shared responsibility model. The service provider will look after the security of their infrastructure and will apply security updates automatically, but it is the responsibility of customers to ensure that any data is secured. It is therefore important for healthcare providers to understand exactly what security tasks are being performed by the cloud service provider and which security tasks are the responsibility of the customer.
Healthcare providers must ensure that any data, privacy, and security issues are addressed, that they are aware of the capabilities and limitations of any technologies used in the provision of telehealth services, and that all regulatory requirements are satisfied. Security teams must ensure their architecture is thoroughly assessed to identify any vulnerabilities. Controls must be implemented to ensure the confidentiality, integrity, and availability of any ePHI collected, stored, or transmitted through the cloud and checks must be performed to ensure that those controls are effective.
The CSA recommends healthcare providers speak with their cloud service providers to find out about governance, compliance, confidentiality, integrity, availability, and incident response and management. They must learn how cloud providers handle their data and how that data is accessed and used, and they should develop a plan that can be implemented in the event of a data breach. Healthcare providers should also implement a process of continuous monitoring of internal controls and those used by their providers.
There is no reason why healthcare data cannot be stored securely in the cloud, but it will not happen automatically. Armed with the right information, it is possible for a healthcare provider to implement a robust telehealth program and for all patient data to be processed, stored, and transmitted securely in the cloud, in line with all appropriate regulations.