Healthcare IT Horizon Service Provider 9


workflow management systems for pathology labs, said cloud-based SaaS offerings have been slow to catch on in healthcare because medical professionals fear a loss of control over security and availability when data is not physically on their site.

Equally challenging is the reluctance of healthcare IT end users to embrace the discipline that data security requires.

“Physicians don’t like the rigors of security because that slows them down. They don’t like entering a user name and password,” said Tom Whalen, core infrastructure team leader at Aspirus, a healthcare organization based in Wausau, WI.

What follows are three key security recommendations for healthcare organizations making the move to a cloud service provider.


Secure the perimeter. Whether connecting to a public or private cloud, the first step for security is to authenticate each person accessing the system with a username and password. To overcome physician resistance, Whalen, who has built an internal cloud environment at Aspirus, has begun to implement radio frequency identification (RFID)-based smart badge technology that automatically logs in a user. From there, the user only has to input a personal identification number (PIN).

“For both security and compliance, we adhere to strong access policies,” Whalen said. In addition, Aspirus is considering end-point protection tools from vendors such as Symantec Corp. to prevent activities such as unauthorized writes to removable media like USB drives.


Encrypt. Medical practices must also consider the level of security on their local network. HIPAA requires medical information to be encrypted in transport or in flight. That includes Wi-Fi network encryption. HIPAA also requires storage encryption, when data is at rest. As a result, healthcare organizations must implement encryption in their private cloud or obtain assurances of encryption from cloud service providers.

“Encryption is starting to become more and more relevant. We’re now encrypting our backups — we didn’t do that before,” Whalen said. Aspirus is also interested in in-flight encryption capabilities from EHR vendor Epic Systems Corp.


Ensure compliance. One issue that cloud-based EHR services are running into is the willingness of hosting services to offer guarantees of reliability and HIPAA compliance.

“Healthcare is a different animal because of the mission-critical nature of those applications,” said Patti Dodgen, CEO of Hielix, a health IT consultancy in Tampa, FL. “Most of the smaller managed service providers aren’t provisioned to be that bullet-proof. They won’t offer enough assurances.”

A mere statement of HIPAA compliance is not enough, either. Before a healthcare organization signs a contract with a cloud service provider, it must make sure that the provider’s HIPAA compliance strategy is strong enough to stand up to an audit. Special attention in particular must be paid to who will be held responsible in the event of a data breach.


ABOUT THE AUTHOR: Stan Gibson is a Boston-based contributing writer.


CONNECTION


VOLUME 1 • ISSUE 3

