Best Practices for
Securing HealthCare
Data in the Cloud
©2015 | Perspecsys
Executive Summary
Many healthcare organizations are looking to take advantage of new cloud-based clinical and
support applications that improve patient care and collaboration while reducing costs. Yet,
concern about patient data security is keeping many of these organizations from fully utilizing
these new solutions. Breaches of healthcare data are common due to the high value that stolen
medical records command—and the costs of a breach are especially high. Clouds that aggregate
information from many organizations only add to the concern because they make for bigger, more
lucrative targets.
As a result, healthcare organizations either find themselves trapped on legacy systems or, when
they do move to the cloud, adopt private cloud solutions that are far more costly and
inefficient than their public-cloud counterparts. This paper describes best practices for securing
healthcare data in the cloud that enable healthcare organizations to fully benefit from lower cost
public cloud-based services.
Are You Ready for the Cloud?
Healthcare organizations are increasingly adopting cloud-based patient support portals, medical
claims processing systems, and electronic medical records (EMRs). Indeed, 80 percent of the
respondents to the 2014 HIMSS Analytics Cloud Survey [1] currently use cloud services—half for
clinical applications.
Why the interest? These cloud-based systems promise to improve patient care and collaboration
across the medical community. Cloud-based clinical applications can also make it easier to share
patient information with secondary industries and the people that contract with them such as
pharmaceutical companies doing drug testing and insurance providers handling medical claims.
The pay-as-you-go nature of the services reduces capital costs for accessing state-of-the-art
applications.
Data Security Concerns May be Holding You Back
Yet, the HIMSS cloud survey also found one factor preventing healthcare organizations from
using the cloud to its fullest potential. That factor is data security.
Ponemon Institute [2] has reported that medical data is the subject of more attacks than military and
banking information combined. You needn’t look far to see why. Illegally obtained medical records
fetch huge sums on black markets—about $50 a pop—compared to $1 for credit card numbers.
Criminals can use medical records to fraudulently bill insurance or Medicare. They can even take
on patients’ identities for free consultations or to obtain prescription medications for sale on the
street.
To make matters worse, the consequences to healthcare organizations of a data breach are
disproportionately high. Per capita costs of a breach in the healthcare industry are $359 [3], nearly
double the $201 average cost for all industries in the U.S., according to Ponemon Institute.
[1] http://apps.himss.org/content/files/HIMSSAnalytics2014CloudSurvey.pdf
[2] “2014 Cost of Data Breach Study,” Ponemon Institute and IBM, https://www14.software.ibm.com/webapp/iwm/web/signup.do?source=gts-LITS-bus-conn-NA&S_PKG=ov23509
[3] “2014 Cost of Data Breach Study,” Ponemon Institute and IBM, https://www14.software.ibm.com/webapp/iwm/web/signup.do?source=gts-LITS-bus-conn-NA&S_PKG=ov23509
Given the fact that public clouds aggregate information from a large number of enterprises,
which makes them even bigger targets than they already are, it’s easy to understand why
healthcare providers would be wary.
Compliance Is Not Enough
The Health Insurance Portability and Accountability Act (HIPAA), of course, includes provisions
designed to ensure privacy and security for protected health information (PHI). All organizations
that handle PHI must address these requirements. For example, when healthcare providers (e.g.
covered entities) work with third-party business associates (BAs), including cloud providers, HIPAA
typically requires those BAs to safeguard electronic PHI.
But while most third-party arrangements meet HIPAA guidelines, some cloud providers have
been hesitant to sign BA agreements. And if the BA violates HIPAA, the Department of Health
and Human Services can pursue and levy penalties against the covered entity (i.e. the healthcare
organization itself) for violations committed by their BA agents.
Even if cloud providers are compliant, data security isn’t guaranteed. For example, HIPAA
doesn’t technically mandate that data be encrypted. And many third-party providers fail to
incorporate additional data security best practices not specified in current regulations. If
unencrypted data is exposed through a data breach, the HITECH Act requires healthcare
organizations to notify patients and the federal government, which is often an expensive
proposition and holds the real risk of brand damage.
Indeed, research finds that third-party data breaches are on the rise. A survey by Kroll Advisory
Services [4] found that 18 percent of the respondents who experienced a breach in the past 12
months cited third parties as the cause and 28 percent of respondents indicated that sharing
information with external parties is the top item that puts patient data at risk (up from 18 percent
in 2010 and 6 percent in 2008).
As a result of these data security issues, many healthcare companies feel trapped in old legacy
systems. When healthcare companies do adopt cloud technologies to take advantage of new
computing capabilities, the vast majority install private cloud solutions. Private cloud solutions
alleviate data security concerns, but they’re costly and inefficient. Tight IT budgets mean that
healthcare providers would ideally want to use public cloud computing applications.
Cloud Data Protection Safeguards Data
A Cloud Data Protection Platform addresses these challenges. These Platforms provide a flexible
cloud data control platform that enables healthcare firms to protect sensitive information before it
leaves their network. The Platform intercepts sensitive data while it is still on-premise and
replaces it with a tokenized or encrypted value which is then sent to the cloud for processing and
storage. As a result, the data becomes meaningless should anyone outside of the company
access it on its way to the cloud or within the cloud environment. The Platform also plays the
important role of ensuring that Cloud end-users keep SaaS application functionality, such as the
ability to search and sort data that has been encrypted or tokenized, while the enterprise ensures
its information is secure and remains compliant.
[4] “2012 HIMSS Analytics Report: Security of Patient Data,” by HIMSS Analytics and Kroll Advisory Services, http://www.krollcybersecurity.com/white-papers/himss-2012-report.aspx
The optimal Cloud Data Protection Platform will:
• Deliver the strongest security available to hold up to the scrutiny of internal and external security and audit professionals.
• Preserve the functionality of the cloud application so users take advantage of the richest cloud experience.
• Furnish scalability to meet enterprise demands while providing the ability to plug into the existing IT environment through open architecture and standards.
• Support multiple cloud environments to minimize solution and training costs.
Best Practices for Securing Sensitive Data in the Cloud
How do you best take advantage of the Cloud Data Protection Platform to optimally secure your
sensitive customer information? The following best practices will help you get started.
Understand what data assets you need to have in the cloud
You need a clear understanding of what data you need to have in the cloud. If you must keep
sensitive or regulated data in the cloud, classify it with the correct sensitivity level. Later, perform
an audit to confirm that the proposed security treatment and risk mitigation strategies have been
implemented.
Define what systems, people and processes need access
To select appropriate technical controls and activities to protect confidential data that must be
accessed via the Cloud, map out how the information flows over time and how multiple
applications and people access and process it for various purposes.
Develop internal data governance and risk management policies
Clearly define your firm’s privacy and security policies. These policies should determine what
data you need to protect—and what you don’t need to protect. Never compromise internal
security best practices designed to ensure data control, confidentiality and privacy when using
shared IT infrastructure through a Cloud Service Provider.
Determine the relevant external data privacy security requirements
One of the key regulations healthcare providers must adhere to is HIPAA. Encryption is an
implementation specification under two standards in the HIPAA security rule: access control and
transmission security. Strictly speaking, HIPAA doesn’t mandate encryption. However, if
healthcare organizations don’t encrypt, they must demonstrate in writing why they believe that it
is not “reasonable and appropriate” to encrypt and be prepared to defend that position in the
event of an audit.
In addition, if ePHI data is in a format that’s unusable, unreadable or indecipherable to
unauthorized individuals, Safe Harbor Provisions in the Final Breach Notification Rule render the
organization exempt from the requirement to notify parties and the federal government in the
event of a data breach, representing significant cost savings. Encryption of ePHI data is the
primary way organizations can qualify for Safe Harbor.
Protected Health Information
HIPAA defines 18 types of PHI that must be secured:
• Names
• All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
• All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
• Telephone numbers
• Fax numbers
• Electronic mail addresses
• Social security numbers
• Medical record numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate/License numbers
• Vehicle identifiers and serial numbers, including license plate numbers
• Device identifiers and serial numbers
• Web Universal Resource Locators (URLs)
• Internet Protocol (IP) address numbers
• Biometric identifiers, including finger and voice prints
• Full face photographic images and any comparable images
• Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data)
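The ZIP code, date and age rules from the list above, applied to sample records. This is an added example, not part of the original paper; the field names, the sample patients and the set of low-population ZIP prefixes are constructed for illustration.

```python
from datetime import date

# Three-digit ZIP prefixes treated here as covering 20,000 or fewer people.
# Sample values for this example only; a real list is built from current Census data.
LOW_POPULATION_ZIP3 = frozenset({"036", "059"})

# Hypothetical field names standing for identifiers that are removed outright.
DIRECT_IDENTIFIERS = frozenset({"name", "phone", "email", "ssn", "mrn"})

# Constructed sample records.
SAMPLE_PATIENTS = [
    {"name": "Pat Example", "ssn": "000-00-1234", "zip": "03601",
     "birth_date": date(1920, 3, 14), "admission_date": date(2015, 2, 9),
     "diagnosis_code": "I10"},
    {"name": "Sam Sample", "mrn": "4821", "zip": "90210-1234",
     "birth_date": date(1980, 7, 4), "admission_date": date(2014, 11, 30),
     "diagnosis_code": "E11.9"},
]


def generalize_zip(zip_code, low_population=LOW_POPULATION_ZIP3):
    """Keep only the first three digits, or 000 for low-population areas."""
    digits = zip_code.strip()[:5]
    if len(digits) != 5 or not digits.isdigit():
        raise ValueError(f"not a 5-digit ZIP code: {zip_code!r}")
    prefix = digits[:3]
    return "000" if prefix in low_population else prefix


def age_on(birth, as_of):
    """Age in whole years on the date as_of."""
    had_birthday = (as_of.month, as_of.day) >= (birth.month, birth.day)
    return as_of.year - birth.year - (0 if had_birthday else 1)


def generalize_birth(birth, as_of):
    """Return (birth_year, age). Over 89, the year is dropped as well."""
    age = age_on(birth, as_of)
    if age > 89:
        return None, "90 or older"
    return birth.year, str(age)


def deidentify(record, as_of):
    """Drop direct identifiers and generalize ZIP code, dates and age."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["zip3"] = generalize_zip(out.pop("zip"))
    out["birth_year"], out["age"] = generalize_birth(out.pop("birth_date"), as_of)
    out["admission_year"] = out.pop("admission_date").year
    return out


if __name__ == "__main__":
    for patient in SAMPLE_PATIENTS:
        print(deidentify(patient, as_of=date(2015, 6, 1)))
```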
Protect assets in the appropriate manner to stay in compliance
Because HIPAA doesn’t mandate encryption, health care organizations have the option of using
encryption or tokenization to secure ePHI.
Encryption
Encryption encodes data in such a way that only authorized parties can read it. While encryption
doesn’t prevent interception, strong encryption approaches keep the interceptor from seeing the
data. Best practices for encryption demand that you employ a recognized, well-established form
of strong encryption, such as the National Institute of Standards and Technology (NIST)
guideline—FIPS 140-2. A valid alternative is the FFS-Mode of AES 256.
Third-party analyst firms such as Gartner have warned enterprises to beware of proprietary
encryption techniques that attempt to preserve application functionality by weakening well-known
encryption schemes (e.g. Searchable Encryption) – a motivated attack has a good chance of
unveiling the original value.
Tokenization
Tokenization is the process by which data is replaced with a surrogate value called a token. De-
tokenization reverses the process by redeeming a token for its associated value. The security of
an individual token relies on how difficult it is to determine the original data knowing only the
surrogate value. There are several ways to generate tokens. Some take a mathematical
approach that links the token value to the value of the original data. Others use an arbitrary
approach to assign sequentially generated token values. Best practices recommend the latter
approach. This approach is strongest because it completely removes the original data from the
system in which the tokens reside and eliminates any mathematical link between the surrogate
token value and the original sensitive data.
Separation of duties
Putting encryption or tokenization in the hands of cloud service providers can leave your
enterprise open to additional risks of data disclosure. A best practice for data privacy and
governance is segregation of duties. If you encrypt/tokenize data, don’t give the provider (where
the data resides) access to the encryption key or token vault.
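The Tokenization and Separation of duties passages above, as an added example that is not part of the original paper: a token vault that stays on-premise and hands the cloud only tokens, next to a hash-derived token that keeps a mathematical link to the value. The class and function names, the 4-digit record number format and the sample record are assumptions made for illustration, and the vault issues random tokens from Python's secrets module rather than sequential ones.

```python
import hashlib
import secrets

# Constructed sample record; field names and values are made up for this example.
SAMPLE_RECORD = {
    "name": "Pat Example",
    "ssn": "000-00-1234",
    "mrn": "4821",
    "diagnosis_code": "E11.9",
}
SENSITIVE_FIELDS = frozenset({"name", "ssn", "mrn"})


class TokenVault:
    """Kept on-premise: the only place where a token and its value are linked."""

    def __init__(self):
        self.value_by_token = {}
        self.token_by_value = {}

    def tokenize(self, value):
        # Reuse the token for a repeated value so equality search on the
        # tokenized field still works in the cloud application.
        if value in self.token_by_value:
            return self.token_by_value[value]
        token = "tok_" + secrets.token_hex(8)
        while token in self.value_by_token:  # regenerate on the rare collision
            token = "tok_" + secrets.token_hex(8)
        self.value_by_token[token] = value
        self.token_by_value[value] = token
        return token

    def detokenize(self, token):
        # Raises KeyError for a token this vault never issued.
        return self.value_by_token[token]


def protect_record(record, vault, sensitive_fields):
    """Return the copy of the record that is allowed to leave the network."""
    return {
        field: vault.tokenize(value) if field in sensitive_fields else value
        for field, value in record.items()
    }


def derived_token(value):
    """The 'mathematical approach': the token is computed from the value."""
    return "tok_" + hashlib.sha256(value.encode()).hexdigest()[:16]


def mrn_candidates():
    """Every value of the assumed 4-digit record number format."""
    return [f"{n:04d}" for n in range(10000)]


def guess_original(token, candidates, scheme):
    """Check whether a token can be matched to a value by recomputing it."""
    for candidate in candidates:
        if scheme(candidate) == token:
            return candidate
    return None


if __name__ == "__main__":
    vault = TokenVault()
    cloud_copy = protect_record(SAMPLE_RECORD, vault, SENSITIVE_FIELDS)
    print("sent to cloud:", cloud_copy)
    print("derived token reveals:",
          guess_original(derived_token("4821"), mrn_candidates(), derived_token))
    print("vault token reveals:",
          guess_original(cloud_copy["mrn"], mrn_candidates(), derived_token))
```

The cloud provider only ever sees the output of protect_record; the vault object, like an encryption key, never leaves the enterprise.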
Secure data at rest, in-motion and during cloud-processing
Discussions about cloud security and privacy often focus on the service itself, as well as the cloud
service provider’s privacy and security quality and practices. But it is essential to also secure data
as it flows in and out of the cloud as well as when it is being processed in the cloud. Thus,
another best practice is to secure not only data at rest but also data in motion (while it is
traversing to the cloud as well as when it is moving within the cloud). Data at rest is data in
storage—whether that’s in the cloud, on-premise or, when using a Cloud Data Protection Platform,
in the platform. Data in motion is data in transit between the end user and the application as well
as when it is being processed within the cloud application (e.g. a report is being generated).
Ensure that your application will remain fully usable
In some cases, adding security makes the application unusable for business users. Server-based
encryption can “break” application functionality that end users depend on, such as the ability to
search and sort information or to create reports and send cloud-based e-mails. Make sure
security preserves all of the functionality your users need from the cloud application.
Take Advantage of Existing Investments
The solution should leverage your existing infrastructure as much as possible. It should
interoperate with the other security layers within your enterprise, such as SSO/IAM. In addition,
make sure it supports multiple cloud applications. This allows you to use the same deployment
hardware and software to protect all your cloud applications and centralize and automate data
protection policy management for consistency.
Leverage Existing Training and Expertise
Organizations have existing investments not only in technology but also in training people on that
technology. For example, they may already have a key management system in place. Be sure
that the solution allows you to leverage any investments you’ve made in your human capital.
Conclusion
Many healthcare organizations hesitate to take advantage of the new capabilities that are
available from leading-edge public cloud applications due to their wariness of ceding control of
data security and confidentiality to a third party. Cloud Data Protection Platform solutions alleviate
these concerns. These solutions protect all the data you want to put in the cloud by encrypting or
tokenizing any data that your enterprise doesn’t want to have outside of its control. By following
the best practices described here, you can ensure the strongest security possible for any
sensitive data you put in public cloud SaaS applications. At the same time, you’ll also maintain
the functionality of all your cloud services and achieve the scalability your enterprise users
demand.
Contact us today to learn more or request a demo:
Email: sales@perspecsys.com
P +1 703-712-4752 (USA)
+44 207-868-2037 (Europe)
+1 905-282-0023 (Canada)

More Related Content

What's hot

Health Information Technology Implementation Challenges and Responsive Soluti...
Health Information Technology Implementation Challenges and Responsive Soluti...Health Information Technology Implementation Challenges and Responsive Soluti...
Health Information Technology Implementation Challenges and Responsive Soluti...
International Journal of Modern Research in Engineering and Technology
 
Portal Authentication: A Balancing Act Between Security Usability and Complia...
Portal Authentication: A Balancing Act Between Security Usability and Complia...Portal Authentication: A Balancing Act Between Security Usability and Complia...
Portal Authentication: A Balancing Act Between Security Usability and Complia...
PortalGuard
 
Redspin PHI Breach Report 2012
Redspin PHI Breach Report 2012Redspin PHI Breach Report 2012
Redspin PHI Breach Report 2012Redspin, Inc.
 
HIPAA eBOOK: Avoid Common HIPAA Violations
HIPAA eBOOK: Avoid Common HIPAA Violations HIPAA eBOOK: Avoid Common HIPAA Violations
HIPAA eBOOK: Avoid Common HIPAA Violations
OnRamp
 
ZoomLens - Loveland, Subramanian -Tackling Info Risk
ZoomLens - Loveland, Subramanian -Tackling Info RiskZoomLens - Loveland, Subramanian -Tackling Info Risk
ZoomLens - Loveland, Subramanian -Tackling Info RiskJohn Loveland
 
IAPP Canada Privacy Symposium- "Data Retention Is a Team Sport: How to Get It...
IAPP Canada Privacy Symposium- "Data Retention Is a Team Sport: How to Get It...IAPP Canada Privacy Symposium- "Data Retention Is a Team Sport: How to Get It...
IAPP Canada Privacy Symposium- "Data Retention Is a Team Sport: How to Get It...
Blancco
 
Confidentiality
ConfidentialityConfidentiality
ConfidentialityKym Canty
 
Healthcare and Cyber security
Healthcare and Cyber securityHealthcare and Cyber security
Healthcare and Cyber security
Brian Matteson, CISSP CISA
 
HIPAA Security Audits in 2012-What to Expect. Are You Ready?
HIPAA Security Audits in 2012-What to Expect. Are You Ready?HIPAA Security Audits in 2012-What to Expect. Are You Ready?
HIPAA Security Audits in 2012-What to Expect. Are You Ready?
Redspin, Inc.
 
Top gdpr assessment tools
Top  gdpr assessment toolsTop  gdpr assessment tools
Top gdpr assessment tools
Rajivarnan R
 
Healthcare Exchange Interoperability
Healthcare Exchange InteroperabilityHealthcare Exchange Interoperability
Healthcare Exchange Interoperability
Tomislav Milinović
 
What is HIPAA Compliance?
What is HIPAA Compliance?What is HIPAA Compliance?
What is HIPAA Compliance?
Power Admin LLC
 
how to really implement hipaa presentation
how to really implement hipaa presentationhow to really implement hipaa presentation
how to really implement hipaa presentation
Provider Resources Group
 
Defeating Cyber Threats
Defeating Cyber ThreatsDefeating Cyber Threats
Defeating Cyber Threats
Envision Technology Advisors
 
Lightwell Healthcare B2B Gateway Solution Guide
Lightwell Healthcare B2B Gateway Solution GuideLightwell Healthcare B2B Gateway Solution Guide
Lightwell Healthcare B2B Gateway Solution Guide
Lightwell
 
Getting a clue: uncovering the truth about your data with mobile forensics
Getting a clue: uncovering the truth about your data with mobile forensicsGetting a clue: uncovering the truth about your data with mobile forensics
Getting a clue: uncovering the truth about your data with mobile forensics
Druva
 
Lockheed Martin
Lockheed MartinLockheed Martin
Lockheed Martin
camillebarnes
 

What's hot (19)

Health Information Technology Implementation Challenges and Responsive Soluti...
Health Information Technology Implementation Challenges and Responsive Soluti...Health Information Technology Implementation Challenges and Responsive Soluti...
Health Information Technology Implementation Challenges and Responsive Soluti...
 
Portal Authentication: A Balancing Act Between Security Usability and Complia...
Portal Authentication: A Balancing Act Between Security Usability and Complia...Portal Authentication: A Balancing Act Between Security Usability and Complia...
Portal Authentication: A Balancing Act Between Security Usability and Complia...
 
Redspin PHI Breach Report 2012
Redspin PHI Breach Report 2012Redspin PHI Breach Report 2012
Redspin PHI Breach Report 2012
 
HIPAA eBOOK: Avoid Common HIPAA Violations
HIPAA eBOOK: Avoid Common HIPAA Violations HIPAA eBOOK: Avoid Common HIPAA Violations
HIPAA eBOOK: Avoid Common HIPAA Violations
 
ZoomLens - Loveland, Subramanian -Tackling Info Risk
ZoomLens - Loveland, Subramanian -Tackling Info RiskZoomLens - Loveland, Subramanian -Tackling Info Risk
ZoomLens - Loveland, Subramanian -Tackling Info Risk
 
IAPP Canada Privacy Symposium- "Data Retention Is a Team Sport: How to Get It...
IAPP Canada Privacy Symposium- "Data Retention Is a Team Sport: How to Get It...IAPP Canada Privacy Symposium- "Data Retention Is a Team Sport: How to Get It...
IAPP Canada Privacy Symposium- "Data Retention Is a Team Sport: How to Get It...
 
Confidentiality
ConfidentialityConfidentiality
Confidentiality
 
Healthcare and Cyber security
Healthcare and Cyber securityHealthcare and Cyber security
Healthcare and Cyber security
 
HIPAA Security Audits in 2012-What to Expect. Are You Ready?
HIPAA Security Audits in 2012-What to Expect. Are You Ready?HIPAA Security Audits in 2012-What to Expect. Are You Ready?
HIPAA Security Audits in 2012-What to Expect. Are You Ready?
 
Top gdpr assessment tools
Top  gdpr assessment toolsTop  gdpr assessment tools
Top gdpr assessment tools
 
Healthcare Exchange Interoperability
Healthcare Exchange InteroperabilityHealthcare Exchange Interoperability
Healthcare Exchange Interoperability
 
BRG_TAP_IG_20150826_WEB
BRG_TAP_IG_20150826_WEBBRG_TAP_IG_20150826_WEB
BRG_TAP_IG_20150826_WEB
 
web-MINImag
web-MINImagweb-MINImag
web-MINImag
 
What is HIPAA Compliance?
What is HIPAA Compliance?What is HIPAA Compliance?
What is HIPAA Compliance?
 
how to really implement hipaa presentation
how to really implement hipaa presentationhow to really implement hipaa presentation
how to really implement hipaa presentation
 
Defeating Cyber Threats
Defeating Cyber ThreatsDefeating Cyber Threats
Defeating Cyber Threats
 
Lightwell Healthcare B2B Gateway Solution Guide
Lightwell Healthcare B2B Gateway Solution GuideLightwell Healthcare B2B Gateway Solution Guide
Lightwell Healthcare B2B Gateway Solution Guide
 
Getting a clue: uncovering the truth about your data with mobile forensics
Getting a clue: uncovering the truth about your data with mobile forensicsGetting a clue: uncovering the truth about your data with mobile forensics
Getting a clue: uncovering the truth about your data with mobile forensics
 
Lockheed Martin
Lockheed MartinLockheed Martin
Lockheed Martin
 

Similar to Perspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_Cloud

Healthcare preparedness 2010
Healthcare preparedness 2010Healthcare preparedness 2010
Healthcare preparedness 2010DataMotion
 
Running head Information security threats 1Information secur.docx
Running head Information security threats 1Information secur.docxRunning head Information security threats 1Information secur.docx
Running head Information security threats 1Information secur.docx
wlynn1
 
Constructing a HIPAA-compliant healthcare app from scratch
 Constructing a HIPAA-compliant healthcare app from scratch Constructing a HIPAA-compliant healthcare app from scratch
Constructing a HIPAA-compliant healthcare app from scratch
Techugo
 
Executive Brief- 4 Critical Risks for Healthcare IT
Executive Brief- 4 Critical Risks for Healthcare IT Executive Brief- 4 Critical Risks for Healthcare IT
Executive Brief- 4 Critical Risks for Healthcare IT
Sungard Availability Services
 
Where In The World Is Your Sensitive Data?
Where In The World Is Your Sensitive Data?Where In The World Is Your Sensitive Data?
Where In The World Is Your Sensitive Data?
Druva
 
2014 Data Breach Industry Forecast
2014 Data Breach Industry Forecast2014 Data Breach Industry Forecast
2014 Data Breach Industry Forecast
- Mark - Fullbright
 
Running Head Stage 2 Sharing Data1Stage 2 Sharing Data3.docx
Running Head Stage 2 Sharing Data1Stage 2 Sharing Data3.docxRunning Head Stage 2 Sharing Data1Stage 2 Sharing Data3.docx
Running Head Stage 2 Sharing Data1Stage 2 Sharing Data3.docx
jeanettehully
 
Healthcare Cybersecurity Whitepaper FINAL
Healthcare Cybersecurity Whitepaper FINALHealthcare Cybersecurity Whitepaper FINAL
Healthcare Cybersecurity Whitepaper FINALSteve Knapp
 
Cloud Disrupting Healthcare
Cloud Disrupting HealthcareCloud Disrupting Healthcare
Cloud Disrupting Healthcare
kairostech
 
eBusinessinHealthcare_Final
eBusinessinHealthcare_FinaleBusinessinHealthcare_Final
eBusinessinHealthcare_FinalHeather Tomlin
 
Vertex_Why_Software_Non_Negotiable_WP
Vertex_Why_Software_Non_Negotiable_WPVertex_Why_Software_Non_Negotiable_WP
Vertex_Why_Software_Non_Negotiable_WPLuke Arrington
 
Cloud computing in healthcare
Cloud computing in healthcare Cloud computing in healthcare
Cloud computing in healthcare
leadingphysicianofworld
 
Cloud compliance test
Cloud compliance testCloud compliance test
Cloud compliance test
Prancer Io
 
Opteamix_whitepaper_Data Masking Strategy.pdf
Opteamix_whitepaper_Data Masking Strategy.pdfOpteamix_whitepaper_Data Masking Strategy.pdf
Opteamix_whitepaper_Data Masking Strategy.pdf
Opteamix LLC
 
Hot Topics in Privacy and Security
Hot Topics in Privacy and SecurityHot Topics in Privacy and Security
Hot Topics in Privacy and Security
PYA, P.C.
 
Protecting Data in the Healthcare Industry - Storage Made Easy - Osterman Res...
Protecting Data in the Healthcare Industry - Storage Made Easy - Osterman Res...Protecting Data in the Healthcare Industry - Storage Made Easy - Osterman Res...
Protecting Data in the Healthcare Industry - Storage Made Easy - Osterman Res...
Hybrid Cloud
 
Solutions for privacy, disclosure and encryption
Solutions for privacy, disclosure and encryptionSolutions for privacy, disclosure and encryption
Solutions for privacy, disclosure and encryptionTrend Micro
 
An Overview of the Major Compliance Requirements
An Overview of the Major Compliance RequirementsAn Overview of the Major Compliance Requirements
An Overview of the Major Compliance Requirements
DoubleHorn
 

Similar to Perspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_Cloud (20)

EHLP - July 2015 pg 6-8
EHLP - July 2015 pg 6-8EHLP - July 2015 pg 6-8
EHLP - July 2015 pg 6-8
 
Healthcare preparedness 2010
Healthcare preparedness 2010Healthcare preparedness 2010
Healthcare preparedness 2010
 
Running head Information security threats 1Information secur.docx
Running head Information security threats 1Information secur.docxRunning head Information security threats 1Information secur.docx
Running head Information security threats 1Information secur.docx
 
Constructing a HIPAA-compliant healthcare app from scratch
 Constructing a HIPAA-compliant healthcare app from scratch Constructing a HIPAA-compliant healthcare app from scratch
Constructing a HIPAA-compliant healthcare app from scratch
 
Executive Brief- 4 Critical Risks for Healthcare IT
Executive Brief- 4 Critical Risks for Healthcare IT Executive Brief- 4 Critical Risks for Healthcare IT
Executive Brief- 4 Critical Risks for Healthcare IT
 
Where In The World Is Your Sensitive Data?
Where In The World Is Your Sensitive Data?Where In The World Is Your Sensitive Data?
Where In The World Is Your Sensitive Data?
 
2014 Data Breach Industry Forecast
2014 Data Breach Industry Forecast2014 Data Breach Industry Forecast
2014 Data Breach Industry Forecast
 
Running Head Stage 2 Sharing Data1Stage 2 Sharing Data3.docx
Running Head Stage 2 Sharing Data1Stage 2 Sharing Data3.docxRunning Head Stage 2 Sharing Data1Stage 2 Sharing Data3.docx
Running Head Stage 2 Sharing Data1Stage 2 Sharing Data3.docx
 
Healthcare Cybersecurity Whitepaper FINAL
Healthcare Cybersecurity Whitepaper FINALHealthcare Cybersecurity Whitepaper FINAL
Healthcare Cybersecurity Whitepaper FINAL
 
Cloud Disrupting Healthcare
Cloud Disrupting HealthcareCloud Disrupting Healthcare
Cloud Disrupting Healthcare
 
eBusinessinHealthcare_Final
eBusinessinHealthcare_FinaleBusinessinHealthcare_Final
eBusinessinHealthcare_Final
 
Vertex_Why_Software_Non_Negotiable_WP
Vertex_Why_Software_Non_Negotiable_WPVertex_Why_Software_Non_Negotiable_WP
Vertex_Why_Software_Non_Negotiable_WP
 
Cloud computing in healthcare
Cloud computing in healthcare Cloud computing in healthcare
Cloud computing in healthcare
 
Cloud compliance test
Cloud compliance testCloud compliance test
Cloud compliance test
 
Opteamix_whitepaper_Data Masking Strategy.pdf
Opteamix_whitepaper_Data Masking Strategy.pdfOpteamix_whitepaper_Data Masking Strategy.pdf
Opteamix_whitepaper_Data Masking Strategy.pdf
 
Hot Topics in Privacy and Security
Hot Topics in Privacy and SecurityHot Topics in Privacy and Security
Hot Topics in Privacy and Security
 
Protecting Data in the Healthcare Industry - Storage Made Easy - Osterman Res...
Protecting Data in the Healthcare Industry - Storage Made Easy - Osterman Res...Protecting Data in the Healthcare Industry - Storage Made Easy - Osterman Res...
Protecting Data in the Healthcare Industry - Storage Made Easy - Osterman Res...
 
Solutions for privacy, disclosure and encryption
Solutions for privacy, disclosure and encryptionSolutions for privacy, disclosure and encryption
Solutions for privacy, disclosure and encryption
 
ONR Blog 1
ONR Blog 1ONR Blog 1
ONR Blog 1
 
An Overview of the Major Compliance Requirements
An Overview of the Major Compliance RequirementsAn Overview of the Major Compliance Requirements
An Overview of the Major Compliance Requirements
 

More from Cheryl Goldberg

Allscripts Atlanta Womens
Allscripts Atlanta WomensAllscripts Atlanta Womens
Allscripts Atlanta WomensCheryl Goldberg
 
Perspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_Cloud
Perspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_CloudPerspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_Cloud
Perspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_CloudCheryl Goldberg
 
collateral_datasheet_sungard
collateral_datasheet_sungardcollateral_datasheet_sungard
collateral_datasheet_sungardCheryl Goldberg
 
can-you-think-like-a-fraudster-106948
can-you-think-like-a-fraudster-106948can-you-think-like-a-fraudster-106948
can-you-think-like-a-fraudster-106948Cheryl Goldberg
 
Akamai___WebSecurity_eBook_Final
Akamai___WebSecurity_eBook_FinalAkamai___WebSecurity_eBook_Final
Akamai___WebSecurity_eBook_FinalCheryl Goldberg
 

More from Cheryl Goldberg (6)

Allscripts Atlanta Womens
Allscripts Atlanta WomensAllscripts Atlanta Womens
Allscripts Atlanta Womens
 
NuanceWhitepaperfinal
NuanceWhitepaperfinalNuanceWhitepaperfinal
NuanceWhitepaperfinal
 
Perspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_Cloud
Perspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_CloudPerspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_Cloud
Perspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_Cloud
 
collateral_datasheet_sungard
collateral_datasheet_sungardcollateral_datasheet_sungard
collateral_datasheet_sungard
 
can-you-think-like-a-fraudster-106948
can-you-think-like-a-fraudster-106948can-you-think-like-a-fraudster-106948
can-you-think-like-a-fraudster-106948
 
Akamai___WebSecurity_eBook_Final
Akamai___WebSecurity_eBook_FinalAkamai___WebSecurity_eBook_Final
Akamai___WebSecurity_eBook_Final
 

Perspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_Cloud

  • 1. Best Practices for Securing HealthCare Data in the Cloud
  • 2. ©2015 | Perspecsys

Executive Summary

Many healthcare organizations are looking to take advantage of new cloud-based clinical and support applications that improve patient care and collaboration while reducing costs. Yet, concern about patient data security is keeping many of these organizations from fully utilizing these new solutions. Breaches of healthcare data are common due to the high value that stolen medical records command—and the costs of a breach are especially high. Clouds that aggregate information from many organizations only add to the concern because they make for bigger, more lucrative targets.

As a result, healthcare organizations either find themselves trapped on legacy systems or, when they do move to the cloud, adopt private cloud solutions that are far more costly and inefficient than their public-cloud counterparts. This paper describes best practices for securing healthcare data in the cloud that enable healthcare organizations to fully benefit from lower cost public cloud-based services.

Are You Ready for the Cloud?

Healthcare organizations are increasingly adopting cloud-based patient support portals, medical claims processing systems, and electronic medical records (EMRs). Indeed, 80 percent of the respondents to the 2014 HIMSS Analytics Cloud Survey [1] currently use cloud services—half for clinical applications.

Why the interest? These cloud-based systems promise to improve patient care and collaboration across the medical community. Cloud-based clinical applications can also make it easier to share patient information with secondary industries and the people that contract with them, such as pharmaceutical companies doing drug testing and insurance providers handling medical claims. The pay-as-you-go nature of the services reduces capital costs for accessing state-of-the-art applications.

Data Security Concerns May be Holding You Back

Yet, the HIMSS cloud survey also found one factor preventing healthcare organizations from using the cloud to its fullest potential. That factor is data security. Ponemon Institute [2] has reported that medical data is the subject of more attacks than military and banking information combined.

You needn’t look far to see why. Illegally obtained medical records fetch huge sums on black markets—about $50 a pop—compared to $1 for credit card numbers. Criminals can use medical records to fraudulently bill insurance or Medicare. They can even take on patients’ identities for free consultations or to obtain prescription medications for sale on the street.

To make matters worse, the consequences to healthcare organizations of a data breach are disproportionately high. Per capita costs of a breach in the healthcare industry are $359 [3], nearly double the $201 average cost for all industries in the U.S., according to Ponemon Institute.

[1] http://apps.himss.org/content/files/HIMSSAnalytics2014CloudSurvey.pdf
[2] “2014 Cost of Data Breach Study,” Ponemon Institute and IBM https://www14.software.ibm.com/webapp/iwm/web/signup.do?source=gts-LITS-bus-conn-NA&S_PKG=ov23509
[3] “2014 Cost of Data Breach Study,” Ponemon Institute and IBM https://www14.software.ibm.com/webapp/iwm/web/signup.do?source=gts-LITS-bus-conn-NA&S_PKG=ov23509
  • 3. Given the fact that public clouds aggregate information from a large number of enterprises, which makes them even bigger targets than they already are, it’s easy to understand why healthcare providers would be wary.

Compliance Is Not Enough

The Health Insurance Portability and Accountability Act (HIPAA), of course, includes provisions designed to ensure privacy and security for private health information (PHI). And all organizations that handle PHI must address these requirements. For example, when healthcare providers (e.g. covered entities) work with third-party business associates (BA), including cloud providers, HIPAA typically requires those BAs to safeguard electronic PHI. But while most third-party arrangements meet HIPAA guidelines, some cloud providers have been hesitant to sign BA agreements. And if the BA violates HIPAA, the Department of Health and Human Services can pursue and levy penalties against the covered entity (i.e. the healthcare organization itself) for violations committed by their BA agents.

Even if cloud providers are compliant, data security isn’t guaranteed. For example, HIPAA doesn’t technically mandate that data be encrypted. And many third-party providers fail to incorporate additional data security best practices not specified in current regulations. If unencrypted data is exposed through a data breach, the HITECH Act requires healthcare organizations to notify patients and the federal government, which is often an expensive proposition and holds the real risk of brand damage.

Indeed, research finds that third-party data breaches are on the rise. A survey by Kroll Advisory Services [4] found that 18 percent of the respondents who experienced a breach in the past 12 months cited third parties as the cause and 28 percent of respondents indicated that sharing information with external parties is the top item that puts patient data at risk (up from 18 percent in 2010 and 6 percent in 2008).

As a result of these data security issues, many healthcare companies feel trapped in old legacy systems. When healthcare companies do adopt cloud technologies to take advantage of new computing capabilities, the vast majority install private cloud solutions. Private cloud solutions alleviate data security concerns, but they’re costly and inefficient. Tight IT budgets mean that healthcare providers would ideally want to use public cloud computing applications.

Cloud Data Protection Safeguards Data

A Cloud Data Protection Platform addresses these challenges. These Platforms provide a flexible cloud data control platform that enables healthcare firms to protect sensitive information before it leaves their network. The Platform intercepts sensitive data while it is still on-premise and replaces it with a tokenized or encrypted value, which is then sent to the cloud for processing and storage. As a result, the data becomes meaningless should anyone outside of the company access it on its way to the cloud or within the cloud environment. The Platform also plays the important role of ensuring that Cloud end-users keep SaaS application functionality, such as the ability to search and sort data that has been encrypted or tokenized, while the enterprise ensures its information is secure and remains compliant.

[4] “2012 HIMSS Analytics Report: Security of Patient Data,” by HIMSS Analytics and Kroll Advisory Services http://www.krollcybersecurity.com/white-papers/himss-2012-report.aspx

  • 4. The optimal Cloud Data Protection Platform will:

      • Deliver the strongest security available to hold up to the scrutiny of internal and external security and audit professionals.
      • Preserve the functionality of the cloud application so users take advantage of the richest cloud experience.
      • Furnish scalability to meet enterprise demands while providing the ability to plug into the existing IT environment through open architecture and standards.
      • Support multiple cloud environments to minimize solution and training costs.

Best Practices for Securing Sensitive Data in the Cloud

How do you best take advantage of the Cloud Data Protection Platform to optimally secure your sensitive customer information? The following best practices will help you get started.

Understand what data assets you need to have in the cloud

You need a clear understanding of what data you need to have in the cloud. If you must keep sensitive or regulated data in the cloud, classify it with the correct sensitivity level. Later, perform an audit to confirm that the proposed security treatment and risk mitigation strategies have been implemented.

Define what systems, people and processes need access

To select appropriate technical controls and activities to protect confidential data that must be accessed via the Cloud, map out how the information flows over time and how multiple applications and people access and process it for various purposes.

Develop internal data governance and risk management policies

Clearly define your firm’s privacy and security policies. These policies should determine what data you need to protect—and what you don’t need to protect. Never compromise internal security best practices designed to ensure data control, confidentiality and privacy when using shared IT infrastructure through a Cloud Service Provider.
  • 5. Determine the relevant external data privacy security requirements

One of the key regulations healthcare providers must adhere to is HIPAA. Encryption is an implementation specification under two standards in the HIPAA security rule: access control and transmission security. Strictly speaking, HIPAA doesn’t mandate encryption. However, if healthcare organizations don’t encrypt, they must demonstrate in writing why they believe that it is not “reasonable and appropriate” to encrypt and be prepared to defend that position in the event of an audit.

In addition, if ePHI data is in a format that’s unusable, unreadable or indecipherable to unauthorized individuals, Safe Harbor Provisions in the Final Breach Notification Rule render the organization exempt from the requirement to notify parties and the federal government in the event of a data breach, representing significant cost savings. Encryption of ePHI data is the primary way organizations can qualify for Safe Harbor.

Protected Health Information

HIPAA defines 18 types of PHI that must be secured:

      • Names
      • All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
      • All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
      • Telephone numbers
      • Fax numbers
      • Electronic mail addresses
      • Social security numbers
      • Medical record numbers
      • Health plan beneficiary numbers
      • Account numbers
      • Certificate/License numbers
      • Vehicle identifiers and serial numbers, including license plate numbers
      • Device identifiers and serial numbers
      • Web Universal Resource Locators (URLs)
      • Internet Protocol (IP) address numbers
      • Biometric identifiers, including finger and voice prints
      • Full face photographic images and any comparable images
      • Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data)
  • 6. Protect assets in the appropriate manner to stay in compliance

Because HIPAA doesn’t mandate encryption, health care organizations have the option of using encryption or tokenization to secure ePHI.

Encryption

Encryption encodes data in such a way that only authorized parties can read it. While encryption doesn’t prevent interception, strong encryption approaches keep the interceptor from seeing the data. Best practices for encryption demand that you employ a recognized, well-established form of strong encryption, such as the National Institute of Standards and Technology (NIST) guideline—FIPS 140-2. A valid alternative is the FFS-Mode of AES 256. Third-party analyst firms such as Gartner have warned enterprises to beware of proprietary encryption techniques that attempt to preserve application functionality by weakening well-known encryption schemes (e.g. Searchable Encryption); a motivated attacker has a good chance of unveiling the original value.

Tokenization

Tokenization is the process by which data is replaced with a surrogate value called a token. De-tokenization reverses the process by redeeming a token for its associated value. The security of an individual token relies on how difficult it is to determine the original data knowing only the surrogate value.

There are several ways to generate tokens. Some take a mathematical approach that links the token value to the value of the original data. Others use an arbitrary approach to assign sequentially generated token values. Best practices recommend the latter approach. This approach is strongest because it completely removes the original data from the system in which the tokens reside and eliminates any mathematical link between the surrogate token value and the original sensitive data.

Separation of duties

Putting encryption or tokenization in the hands of cloud service providers can leave your enterprise open to additional risks of data disclosure. A best practice for data privacy and governance is segregation of duties. If you encrypt/tokenize data, don’t give the provider (where the data resides) access to the encryption key or token vault.

Secure data at rest, in-motion and during cloud-processing

Discussions about cloud security and privacy often focus on the service itself, as well as the cloud service provider’s privacy and security quality and practices. But it is essential to also secure data as it flows in and out of the cloud as well as when it is being processed in the cloud. Thus, another best practice is to secure not only data at rest but also data in motion (while it is traversing to the cloud as well as when it is moving within the cloud).

Data at rest is data in storage, whether that’s in the cloud, on-premise or, when using a Cloud Data Protection Platform, in the platform. Data in motion is data in transit between the end user and the application as well as when it is being processed within the cloud application (i.e. a report is being generated).

Ensure that your application will remain fully usable

In some cases, adding security makes the application unusable for business users. Server-based encryption can “break” application functionality that end users depend on, such as the ability to search and sort information or to create reports and send cloud-based e-mails. Make sure security preserves all of the functionality your users need from the cloud application.
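
The vault-based tokenization and separation of duties described above, as an added example that is not code from the paper or from Perspecsys. The names `TokenVault`, `protect_record`, `derived_token` and `linked_to_value` and the sample record are assumptions constructed for illustration, and the vault issues random tokens from Python's `secrets` module in place of the sequentially generated values the paper mentions; both have no mathematical link to the original data.

```python
import hashlib
import secrets


class TokenVault:
    """On-premise token vault (hypothetical class): the only place where
    tokens and original values are linked. It is never handed to the provider."""

    def __init__(self):
        self._by_value = {}   # original value -> token
        self._by_token = {}   # token -> original value

    def tokenize(self, value: str) -> str:
        # Reuse the token for a repeated value so exact-match search on the
        # tokenized field still works inside the cloud application.
        if value in self._by_value:
            return self._by_value[value]
        token = "tok_" + secrets.token_hex(8)
        while token in self._by_token:       # regenerate on a collision
            token = "tok_" + secrets.token_hex(8)
        self._by_value[value] = token
        self._by_token[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self._by_token[token]         # KeyError for unknown tokens


def derived_token(value: str) -> str:
    """The 'mathematical' approach: the token is computed from the value."""
    return "tok_" + hashlib.sha256(value.encode()).hexdigest()[:16]


def linked_to_value(token: str, value: str, scheme) -> bool:
    """Audit check: True if running the scheme on a known value reproduces the
    token, i.e. the link can be confirmed without access to the vault."""
    return scheme(value) == token


def protect_record(record: dict, phi_fields: set, vault: TokenVault) -> dict:
    """Replace PHI fields with tokens before the record leaves the network."""
    return {k: vault.tokenize(v) if k in phi_fields else v
            for k, v in record.items()}


# Constructed sample record; field names and values are assumptions.
RECORD = {"name": "Jane Example", "mrn": "MRN-0042", "department": "cardiology"}
```

Only the output of `protect_record` is sent to the cloud application; the `TokenVault` instance stays inside the organization's network.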
  • 7. Take Advantage of Existing Investments

The solution should leverage your existing infrastructure as much as possible. It should interoperate with the other security layers within your enterprise, such as SSO/IAM. In addition, make sure it supports multiple cloud applications. This allows you to use the same deployment hardware and software to protect all your cloud applications and centralize and automate data protection policy management for consistency.

Leverage Existing Training and Expertise

Organizations have existing investments not only in technology but also in training people on that technology. For example, they may already have a key management system in place. Be sure that the solution allows you to leverage any investments you’ve made in your human capital.

Conclusion

Many healthcare organizations hesitate to take advantage of the new capabilities that are available from leading-edge public cloud applications due to their wariness of ceding control of data security and confidentiality to a third party. Cloud Data Protection Platform solutions alleviate these concerns. These solutions protect all the data you want to put in the cloud by encrypting or tokenizing any data that your enterprise doesn’t want to have outside of its control.

By following the best practices described here, you can ensure the strongest security possible for any sensitive data you put in public cloud SaaS applications. At the same time, you’ll also maintain the functionality of all your cloud services and achieve the scalability your enterprise users demand.

Contact us today to learn more or request a demo:
Email: sales@perspecsys.com
P +1 703-712-4752 (USA)
+44 207-868-2037 (Europe)
+1 905-282-0023 (Canada)