We’ve talked at length on this blog about how CipherCloud’s Cloud Information Protection solution can help financial services firms achieve regulatory compliance and data privacy in the cloud. I’d like to spend some time on the health care industry now. For health care organizations seeking to adopt cloud services, cloud data privacy is, thanks to the sensitivity of individuals’ electronic medical records (EMRs) and the expanding scope of protections mandated by the Health Insurance Portability and Accountability Act (HIPAA), a vital issue.
Should health care organizations even adopt the cloud, given these concerns? Writing for PCWorld, Dave Jeffers expresses serious concerns: “The growing trend of storing all kinds of data – including our medical records – in the cloud, is troubling,” he wrote, and worries about data breaches “enough to make you sick.” But we believe that it doesn’t have to be this way. In fact, with the proper protections, moving EMRs to the cloud can prove safer than storing them on local machines or infrastructures. Those local machines and infrastructures aren’t exactly safe themselves, after all. The U.S. Department of Health & Human Services’ list of breaches affecting 500 or more individuals demonstrates this: most breaches were from desktop and laptop computers or network servers.
So how can your organization achieve cloud data privacy? The steps are simple.
1. Know what you need to protect, and how
Knowledge will always be key to cloud data privacy. Your first step, therefore, is to review both the relevant regulations and your own body of data to identify exactly which data fields or types must be protected and set policies for their protection. HIPAA, as Michael Kassner wrote for Tech Republic, considers the following pieces of information particularly important:
- Individuals’ past, present, and future mental and physical health information
- Individuals’ health care records
- Individuals’ health care payment records
- Individuals’ Personally Identifying Information (PII), including names, birth dates, addresses, and Social Security numbers
2. Protect each piece of sensitive data appropriately
Now that you know exactly which data fields or unstructured data content require protection, you can apply that protection, most likely through data encryption or tokenization.
Not every piece of data will require the same level of protection, of course. This is where granularity comes into play. The most effective way to address cloud data privacy is to apply exactly the right strength of encryption or type of data protection to maximize both security and usability of the data. \
3. Maintain control of your data while it’s in the cloud
Ultimately, cloud data privacy boils down to control, as even Jeffers acknowledged: The benefits of adopting the cloud typically “come at the price of losing control over how the data is managed,” he wrote. That shouldn’t be the case.
CipherCloud’s Cloud Information Protection platform puts control back in your organization’s hands by giving customers exclusive access to their encryption keys. Without the encryption keys, a hacker or an insider threat cannot decrypt or read your data. Neither can anyone else without your authorization. Additionally, exclusive control of your encryption keys means that you have exclusive control over the life cycle of your data. Should you decide to terminate your use of a particular cloud provider, or a cloud provider goes out of business, just destroy your encryption keys, and you’ve effectively destroyed the data you no longer want housed in their infrastructure.
Ultimately, when it comes to cloud data privacy, control is paramount. Financial services firms already recognize the importance of the control that CipherCloud Cloud Information Protection provides. This control can benefit health care organizations, too.
What concerns do your health care organizations have around cloud data privacy? Let us know in the comments.