Cloud Security Alliance Publishes Guidance on Storing Telehealth Data Securely in the Cloud

COVID-19 has prompted regulators to remove many telehealth restrictions and healthcare delivery organizations have increased their utilization of telehealth capabilities and are now conducting more virtual visits and are treating patients in their own homes. The regulatory changes have helped to prevent the spread of COVID-19 by reducing the risk of exposure for healthcare providers, and while the regulatory changes are only temporary, there is considerable support for many of the changes to become permanent.

The provision of telehealth services means patents’ protected health information is sent over the internet and is being stored in the cloud. While the Department of Health and Human Services’ Office for Civil Rights has issued a Notice of Enforcement Discretion and will not be imposing sanctions and penalties on healthcare providers for data breaches and other HIPAA violations related to the good faith provision of telehealth services, the Notice of Enforcement Discretion is only temporary and only applies for the duration of the nationwide public health emergency. It is therefore important for healthcare providers to ensure that the technologies being used to provide telehealth services are HIPAA compliant and any data collected or transmitted over the internet or stored in the cloud is secured in accordance with HIPAA requirements.

HIPAA requires safeguards to be implemented to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI). To help healthcare organizations secure telehealth data in the cloud, The Cloud Security Alliance (CSA) has shared a report produced by the Health Information Management Working Group that details the privacy and security concerns related to the processing, storage, and transmission of patient data in the cloud with respect to telehealth services.

The paper – Telehealth Data in the Cloud – covers the use of technology solutions for remote patient monitoring (RPM) and telemedicine and how healthcare delivery organizations can proactively address data, privacy, and security issues. Under the shared responsibility model, cloud service providers are responsible for securing their infrastructure and handle security tasks related to that infrastructure, but it is the responsibility of each healthcare delivery organization to secure any data uploaded to the cloud.

Most healthcare delivery organizations are using a range of technologies to provide telehealth services, such as videoconferencing tools and internet and cloud technologies, and they all introduce risk. It is therefore essential for security teams to thoroughly assess those risks and identify any flaws that could expose patient data and apply controls to reduce those risks to a low and acceptable level. Evaluations should also be conducted to ensure that any implemented controls are functioning as they should.

The Cloud Security Alliance recommends healthcare delivery organizations speak with their cloud service providers and ask questions about governance, compliance, confidentiality, integrity, availability, and incident response and management, and offers a series of questions to ask those providers. The CSA also strongly recommends implementing a continuous monitoring program to enforce and enhance security operations.

You can download the report here.

In addition to the report, the CSA draws attention to other resources that can help HDOs. The CSA Security Trust and Assurance Registry (CSA STAR) is a list of cloud providers that have met security requirements and are certified, which is useful when selecting service providers. CSA also maintains a Top Threats List, which details the main cloud security threats, the business impact of those threats, and controls that can be implemented to mitigate the threats.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.