Quarter of Healthcare Organizations Do Not Encrypt Data Stored in the Cloud

A recent survey by HyTrust has revealed that a quarter of healthcare organizations do not use encryption to protect data at rest in the cloud, even though the lack of encryption potentially places sensitive data – including the protected health information of patients – at risk of being exposed.

Amazon Web Service (AWS) one of the most popular choices with the healthcare industry, although many healthcare organizations are using multiple cloud service providers. 38% of respondents said they had a multi-cloud environment and 63% of respondents said they were planning to use multiple cloud service providers in the future. 63% of healthcare organizations said they were using the public cloud to store data.

When asked about their main concerns, data security came top of the list – with 82% of surveyed healthcare organizations rating security as their number one concern. Despite the concerns about data security, encryption is not always employed.

As Eric Chiu, co-founder and president of HyTrust explained, “For these care delivery organizations, choosing a flexible cloud security solution that is effective across multiple cloud environments is not only critical to securing patient data, but to remaining HIPAA compliant.” However, the lack of encryption is a cause for concern.

Health Insurance Portability and Accountability Act (HIPAA) Rules permit the use of cloud services for storing and processing ePHI. However, before any cloud service is used, covered entities are required to conduct a comprehensive risk assessment to assess threats to the confidentiality, integrity, and availability of ePHI.

Covered entities must make sure that appropriate technical safeguards are employed to ensure the confidentiality of cloud-stored ePHI is preserved, and data encryption must be considered. If a decision not to use encryption for cloud-stored data is made, the reason for that decision must be documented, along with the alternative controls that are put in place to provide a similar level of protection.

HHS pointed out in last year’s cloud computing guidance for HIPAA-covered entities that encryption can significantly reduce the risk of ePHI being accessed, exposed, or stolen.  That said, HHS also explained that encryption alone is not sufficient to ensure the confidentiality, integrity, and availability of ePHI stored in the cloud.

Encryption may cover the confidentiality aspect, but it will do nothing to ensure that ePHI is always available, nor will it safeguard the integrity of ePHI. Alternative controls must be put in place to ensure ePHI can always be accessed, while access controls must be used to ensure the integrity of ePHI is maintained. The use of encryption alone to safeguard ePHI may therefore constitute a violation of the HIPAA Security Rule.

Healthcare organizations that choose to use cloud services provided by a separate entity must ensure that the cloud service provider is aware of its responsibilities with respect to ePHI. Cloud service providers are classed as business associates of covered entities, and as such, they are required to abide by HIPAA Rules. Healthcare organizations must obtain a signed business associate agreement from each cloud service provider used, if the service is used to store any ePHI. HHS has also explained that even if ePHI is stored in the cloud and the cloud service provider does not hold a key to decrypt the data, the cloud service provider is still classed as a HIPAA-business associate.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.