Security Considerations for Running Your Medical Practice Management Software in the Cloud

The responsibility of health care providers is not just medicine. Healthcare providers and medical practitioners are also responsible for protecting their patients' most sensitive information. This requires a cultural shift in thinking for many practices, and unfortunately too many practices have been slow to adapt. As a consequence, the Australian Government has changed the rules for software providers that connect to the Medicare system to process payments. This is a preventative measure, and it comes in addition to last year's Notifiable Data Breaches scheme.

Understanding Cloud-Based Software

A lot of data is stored in "the cloud" these days. However, not everybody understands exactly what that means.

The cloud refers to remote servers that store data and run programs, accessed over the internet rather than on a computer in your office. The practice of using them this way is called cloud computing.

The computing part may comprise file storage and sharing, e-mail, inventory management, data collection, accounting information and so on. All of this runs on remote servers in data centres owned and operated by a third-party cloud infrastructure provider. Typically you rent the computing resources and the associated software as a service, rather than purchasing them outright and having to manage, maintain and secure everything yourself.

This allows businesses to cut the cost of the expensive hardware and maintenance otherwise needed to store all of their information. While this is a good technological solution, it can also leave sensitive information exposed to criminal attackers, commonly called hackers.

Hackers are the last people you want holding your most sensitive and private information.

Why Should Doctors and Practice Managers Care?

With so much now online, attackers are among the biggest threats to any business, and the health sector is arguably the most exposed. Medical practices everywhere hold databases containing some of the most sensitive information there is. Patient information, hospital records and the like are all at risk without proper security controls.

According to the Office of the Australian Information Commissioner (OAIC), the health sector reports more notifiable data breaches than any other sector. The majority of these breaches are attributed to malicious or criminal attacks; the rest are due to human error and system faults.

The simplest way to keep information safe from attackers is to make it unreachable. That is not an option in the health sector, where patient information must be reachable by multiple parties: medical practitioners, specialists, hospitals and healthcare centres, Medicare, and private health funds.

This need for wide access is exactly what leaves the health sector so vulnerable to data breaches.

The Dark Web and Your Information

You're probably wondering where all of that sensitive information ends up after a successful data breach. Some attackers are hired to break into servers for specific information; others break in to sell whatever they obtain to the highest bidder.

In other words, sensitive information obtained in a breach will most likely wind up on the dark web. Dark web marketplaces, which first drew public attention as venues for buying illicit drugs, have expanded to sex trafficking, weapons dealing and worse.

So why should the dark web matter to the health sector?

Simply put, fraud and identity theft. Any business with weak security can have personal data stolen. This includes Medicare card numbers, bank account numbers, credit card details and other private documents of value to criminals.

Individual health records can be worth up to USD $30 each on the dark web, because the data is so useful in social engineering attacks on individuals.

Once information is stolen and circulated on the dark web, not much can be done about it. Hospitals and private practices that lose their patients' private information are exposed to fines, lawsuits and damage to their reputation, and in the worst case risk losing their accreditation or their entire practice.

The Australian Government is Cracking Down

To help address this threat and keep businesses that use cloud services safe, the Australian Government has recently introduced new requirements for third-party service providers. These form part of the Digital Transformation Agency's Secure Cloud Strategy.

The Department of Human Services (DHS) has adopted the Secure Cloud Strategy in an effort to tighten security for all parties that connect with the department. For Medicare claiming, those parties are health-sector software vendors and the practices that use them.

Part of these requirements is for applicable Australian software companies to complete an accreditation and compliance process. The accreditation process includes inclusion on the Certified Cloud Services List (CCSL). The companies also have to be vetted by the Australian Government Security Vetting Agency (AGSVA).

Third-party cloud service providers with a negative vetting clearance are encouraged to be physically separated from sensitive information, and to be restricted from access to citizens' private information.

Under the same strategy, the DHS requires that all third-party software companies use on-shore solutions only. In other words, any third-party software company that connects with the DHS must be an Australian company, hosting and processing the data within Australia.

Changes such as these take time. In the meantime, there are a number of security measures which healthcare providers can take.

Next Steps: What You Should Be Asking Your Cloud Service Provider

While you may not be fully up to date on the new DHS requirements, your software vendor is, or at least should be. If your practice or company uses third-party software that connects with the DHS or Medicare, there are questions you can ask to check that your patients' information is being protected:

  • Is patient data stored in the cloud, and if so, where?
  • Is your cloud service provider certified by the Australian Signals Directorate (ASD), i.e. listed on the CCSL?
  • Is all data stored and backed up within Australia?
  • Is my data stored in a publicly accessible cloud, and how is it isolated from other tenants?
  • Can they guarantee that their engineers and technical staff hold and maintain the security clearances the DHS requires?

Of course, no matter how well prepared you think you are, a data breach can still happen. For that case, you should familiarise yourself with the data breach notification laws in Australia.
