High-resolution digital medical images – 3-D imaging, PET/MR scans, and other techniques – produce extremely large files. Combine these massive files with Health Insurance Portability and Accountability Act (HIPAA) requirements for minimum protection of medical records, and the result is a perfect storm that is rapidly overwhelming the existing digital infrastructure of many health care institutions.
Many look to the cloud to help ease the pain.
Five critical questions
Here are five important procedural and technical questions to consider when searching for a highly secure, cloud-based service for medical image access, archive, and management:
1. What regulatory policies do you follow?
A cloud-based storage solution should include provisions that support health care providers’ ability to meet federal standards such as HIPAA and HITECH. A cloud services provider must give clinicians access to patient data while still protecting that data from unauthorized access.
2. How do you separate and help secure data in a multi-tenant environment?
Can the vendor ensure that the medical images from Healthcare Group A are not accessible to Healthcare Group B?
3. Do you provide multiple levels of security?
- Network security: How do you help protect against misuse, modification, or denial of service (DoS) attacks that can bring the system down?
- Threat management services: What is the technical strategy for anti-virus and data loss prevention?
- Intrusion prevention services: How do you monitor for policy violations or malicious activities?
- Firewall management: How does the firewall control the flow of data between the highly secure, trusted network and external, potentially unsecured devices?
- Environment hardening: Are there multiple, layered security checks for all incoming data requests?
- Storage security: Is access limited solely to trusted networks and authorized users?
- Data encryption: What algorithms and protocols are in place to protect data in transit?
- Physical security of the data center: Who has access? How are they trained and certified?
- Disaster recovery: Are backup copies of all images secured in a redundant location?
- Security features for portable media and mobile devices: How are devices approved, what access is granted, and what are the sanitization policies that ensure data is wiped from the devices?
- Audit tools to track data access and changes: How do we know who has accessed the data? When? Were changes made? What were the changes?
4. Are you routinely audited by a third party?
Routine audits provide accountability and assurance of security compliance. Such an audit should go beyond the scope of an ISO 27001 certification and encompass security architecture, policies, requirements, staff, and network performance.
5. What ongoing employee training is in place to ensure security measures are met?
Threats and risks evolve over time. Ensure that the vendor not only maintains current levels of security training (including HIPAA security training), but also has a plan to control, manage, log, and audit the security certifications and training of each individual involved in administering your organization’s data. The vendor should also provide auditing tools that let clients monitor the cloud environment as desired.
Finding the right fit
By carefully analyzing a health care cloud services provider’s strategies to balance accessibility, reliability, and security, health care organizations will be able to make meaningful comparisons between their own internal capabilities and those of external service providers.