Data protection considerations for cloud adoption in the healthcare industry

By Kathy Karpinski, Sr. Product Marketing Manager, Spanning Cloud Apps

June 28, 2017

The healthcare industry is changing how it delivers patient care. With technology that enables greater collaboration for patient care, and with patient care delivery models shifting toward telemedicine and self-served healthcare, healthcare IT (HIT) finds itself thrust into the world of online collaboration platforms, SaaS, and cloud computing. As a highly regulated industry in which individual’s data demands the utmost security, this move isn’t always comfortable. But as recently noted in a statement by the Cloud Standards Customer Council, “Around the globe, healthcare reform has mandated that it is time for healthcare IT to be modernized; and that cloud computing is at the center of this transformation.” The benefits and cost efficiencies gained from moving to the cloud are many, including:

The ability to share information easily and securely
More seamless collaboration among geographically dispersed healthcare entities and patients
Scalability and flexibility
The ability to secure and back up your data inexpensively

Microsoft Office 365 is a great example of a feature rich, unified collaboration and communication cloud-based service that is being adopted by healthcare entities – from clinics to medical device manufacturers. With Office 365, for example, caregivers can work together and connect virtually with patients more efficiently and cost effectively. They can communicate anywhere and via multiple device types, all with the end goal of improving patient care.

Considerations for leveraging cloud services

Office 365 is built to meet HIPAA security and privacy regulations. However, healthcare entities should be aware that most cloud vendors operate under the rubric of shared responsibility, in which both the cloud service provider and the customer are responsible for ensuring data protection and business continuity. Though Microsoft provides for security and data protection from hardware and software failure, natural disaster and power outages, it does not cover other data loss scenarios including:

Ransomware and viruses
Human error
Programmatic errors (such as configuration errors)
Malicious acts
External hackers

In each case, it is the customers’ responsibility to provide data protection against these very real and common threats. Did you know that 58 percent of companies that use SaaS applications have suffered a data loss incident over a 12-month period? These are odds that HIT departments and healthcare entities cannot afford.

In order for health care providers to securely leverage SaaS or Cloud services and take shared responsibility for data management and protection, the following considerations should be made:

Category	Cloud Considerations
Privacy and Security	Establish strong Service Level Agreements with the cloud service provider with regard to security and privacy. Healthcare organizations must be informed of where and how electronic protected health information is moved or stored by the provider.
Regulation and Compliance	Implementation of security controls and compliance measures should be required by the cloud vendor, but ultimately, responsibility for compliance always resides with the healthcare entity. Cloud vendors must provide solutions that are HIPAA compliant. Organizations must consider whether data entrusted to a cloud provider carries legal/regulatory protection and breach notification requirements, such as protected health information (PHI) governed by HIPAA and HITECH, and personally identifiable information (PII) governed by state privacy laws.
Data Backup and Protection	Healthcare industries should implement a cloud-to-cloud backup provider to ensure their data is always accessible and not vulnerable to data loss events such as accidental deletions, ransomware attacks or human error. Cloud backup solutions must comply with recovery time objectives (RTO) and must provide full access to backup data. Data backup and protection must comply with HIPAA regulations. Backups should occur daily or on demand.
Data Restore Requirements	Individuals’ data should be restored in the same format it was in prior to backup – not encrypted. Restore functionality should be granular and provide a point-in-time snapshot of data. Backups should be easily monitored and data restoration should happen easily and into a consumable format.

Case study: Millar, Inc.

Millar, Inc., a medical manufacturer of neurological and cardiac catheters, recently migrated to Office 365. Like any other healthcare entity, Millar must meet strict standards surrounding data protection and accessibility. IT director Todd Miller knew Millar, Inc. needed a backup and recovery solution that would ensure their critical data could be retained indefinitely and conveniently restored to its original state in the event of data loss. Millar implemented Spanning Backup for Office 365 to provide daily, automated backup and peace of mind to continue innovating in the cloud. The installation took place in a few hours, and the easy-to-use GUI made Spanning Backup for Office 365 a “set it and forget it” data protection service that works seamlessly with Office 365 via a Microsoft API. Millar also chose Spanning Backup for Office 365 because it is HIIPA compliant and provides granular backup and restore capabilities for Mail, One Drive for Business and Calendar.

As your healthcare organization moves more of its HIT to the cloud, it should ensure that patient data is secure and recoverable. Backup and restore cloud solutions are a must when determining your cloud data protection strategy. For more information on cloud backup solutions for Microsoft Office 365, visit www.spanning.com or follow us at @spanningbackup.

About Spanning

Spanning is a leading provider of backup and recovery solutions for SaaS applications, helping organizations to protect and manage their information in the cloud. We provide powerful, enterprise-class data protection for Office 365. Spanning Backup is the most trusted cloud-to-cloud backup solution for thousands of companies and millions of users around the world. Start a 14-day trial by visiting http://spanning.com/free-trial.

Learn more about Microsoft’s Cloud for Health here.