Security is always a concern with any cloud service, but the sensitive nature of personal health information makes security for cloud storage of medical records, including digital medical images, especially critical. Cloud services can actually be more secure than your own local server, but it depends on the vendor’s standards and practices for protecting the imaging data.
Here are six essential questions healthcare providers need to ask when evaluating cloud vendors:
1. Do you adhere to federal healthcare privacy and security policies?
The vendor should assure that their cloud-based storage solution supports and helps providers follow federal standards and regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.
2. How do you separate and secure data in a multi-tenant environment?
Data should be secured based on group and individual permissions, so that medical images belonging to Healthcare Group A are never accessible to Healthcare Group B, even when both share the same underlying infrastructure.
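One way a vendor could enforce that separation, as an added example that is not from the article or any particular vendor: a deny-by-default check that tests the tenant boundary before any group or individual permission is consulted, so a misconfigured permission list can never grant access across healthcare groups. Tenant names, users and roles below are constructed.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class ImageRecord:
    image_id: str
    tenant: str                                        # owning healthcare group
    group_perms: dict = field(default_factory=dict)    # role group -> set of actions
    user_perms: dict = field(default_factory=dict)     # user id    -> set of actions

@dataclass(frozen=True)
class Caller:
    user: str
    tenant: str
    groups: frozenset = frozenset()

DENIED = []  # audit trail of refused requests (would be shipped to a SIEM in practice)

def authorize(caller, record, action):
    """Deny by default: tenant must match AND a group or user permission must grant the action."""
    # Tenant boundary is checked first and independently of any ACL entry.
    if caller.tenant != record.tenant:
        DENIED.append(f"cross-tenant {action} by {caller.user}@{caller.tenant} on {record.image_id}")
        return False
    if action in record.user_perms.get(caller.user, set()):
        return True
    if any(action in record.group_perms.get(g, set()) for g in caller.groups):
        return True
    DENIED.append(f"no permission for {action} by {caller.user} on {record.image_id}")
    return False

# Constructed sample data (hypothetical tenants, users and roles)
SCAN = ImageRecord("ct-0001", tenant="group-a",
                   group_perms={"radiology": {"view"}},
                   user_perms={"dr.lee": {"view", "delete"}})
RADIOLOGIST_A = Caller("dr.ng", "group-a", frozenset({"radiology"}))
OWNER_A = Caller("dr.lee", "group-a")
BILLING_A = Caller("clerk", "group-a", frozenset({"billing"}))
ADMIN_B = Caller("admin", "group-b", frozenset({"radiology"}))  # same role name, other tenant

def demo():
    """Exercise the check for in-tenant, wrong-role and cross-tenant callers."""
    return {
        "radiologist_view": authorize(RADIOLOGIST_A, SCAN, "view"),
        "radiologist_delete": authorize(RADIOLOGIST_A, SCAN, "delete"),
        "owner_delete": authorize(OWNER_A, SCAN, "delete"),
        "billing_view": authorize(BILLING_A, SCAN, "view"),
        "other_tenant_view": authorize(ADMIN_B, SCAN, "view"),
    }
```

The cross-tenant refusal is the one a provider should expect to see in the vendor's audit logs, since it is the signal that tenant isolation is being tested.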
3. Do you provide multiple levels of security?
The vendor should have a multi-level procedure for protecting the organization's imaging data at different layers and against various threats, together with a detailed plan for disaster recovery.
4. Are you routinely audited by a third party?
A regular audit of the vendor should go beyond the scope of an SSAE 16 audit and encompass security architecture, policies, requirements, staff and network performance.
5. How do you handle training to ensure security internally?
Your vendor should have security training protocols in place to train staff as security risks evolve — including on HIPAA.
6. Do you execute a BAA (Business Associate Agreement)?
Make sure your healthcare cloud services vendor will help ensure PHI (Protected Health Information) is not disclosed and is protected.