The HIStalk Advisory Panel is a group of hospital CIOs, hospital CMIOs, practicing physicians, and a few vendor executives who have volunteered to provide their thoughts on topical industry issues. I’ll seek their input every month or so on an important news developments and also ask the non-vendor members about their recent experience with vendors. E-mail me to suggest an issue for their consideration.
If you work for a hospital or practice, you are welcome to join the panel. I am grateful to the HIStalk Advisory Panel members for their help in making HIStalk better.
This question this time: What policies or technologies do you use to prevent clinicians and employees from storing patient information on cloud-based consumer applications such as Google Docs or Dropbox? Have you discovered this happening?
By policy we prohibit moving PHI/PII outside our firewalls. Early on in using data leakage prevention type tools to prohibit. We do prohibit auto-forwarding emails.
We use Websense for filtering all of our internet traffic – this includes blocks for sites like Google Docs and Dropbox. We also work to educate providers and staff on the related policies.
We actually had a reportable breach that involved Dropbox. We have developed policies and compensating controls (like random audits), as well as communication through our HIPAA office and inclusion in annual HIPAA training.
We block all file sharing sites. Google Docs have some interest but we have tried to direct all similar requests to internal, secure solutions.
We’re looking at Box, but haven’t done anything to block these sites.
This is almost certainly happening, but we have not been monitoring or preventing it in any systematic way.
Generally speaking, we’ve blocked nearly all access to file sharing services such as Drop Box and SugarSync. These services are opened on an exception basis only upon a justifiable request. We’ve implemented Mobile Device Management software to disable cloud based backup and photo streaming on iPhones and iPads to help prevent data from being stored off the network. We’ve forced password protection of connected device (tethered iDevice backups) to help secure our data.
Our "appropriate use of patient and employee data" policy defines the conditions under which the cloud applications can be used. For example, if a patient’s care is at great risk and using Dropbox will mitigate that risk, we allow for it and in fact, we encourage it. We have a corporate Dropbox account for his very purpose, which is very effective, particularly for sharing images. There’s no way you can expect the cloud applications not to be used. They are going to be used, especially by physicians who are tech savvy and see no other alternative to sharing data that is important to their patient care. So, with that realization, we’ve tried to put in place policies and corporate accounts that make it easier for clinicians to take advantage of the service, but do so with some degree of consolidation and risk reduction. We take the same stance on using Skype for remote consults with patients. For the ultra-paranoid and over-controlling CIOs in the crowd that freak out when they read this approach, they should remember that the data breaches which are plaguing healthcare are about simple sys admin passwords that have never been changed after install; unprotected thumb drives and mobile computers; and the insider that downloads data for resale. Worry about what matters, don’t worry about what doesn’t. That’s the key mindset to information security risk management, but we rarely hit the bullseye in healthcare.
We’ve seen this happen. We’ve blocked the ports so that they cannot use the consumer apps. We have also provided a secure cloud-based replacement for some of our staff that need to routinely share large files with others outside the organization.
Haven’t seen this yet.
I’m a physician, so we like this… shhhhh.
Give them access to storage drive to network or give them access to private cloud for storage.
All are blocked on hospital network using a proprietary service (Websense? I’m a CMIO, not a CIO so I can’t recall all the vendors.) connected to our proxy. All PHI is available only over Citrix, no fat clients, so download would be screen by screen. Wireless Guest Network does allow connection to Dropbox, Google Docs/Drive, etc.
I think you would call our policy, "don’t ask, don’t tell". We are very concerned about encryption of laptops because we have had problems with lost devices, but so far we have not had problems with these publically-accessible cloud solutions … knock on wood. Therefore, our purely reactive leadership team has not made any pronouncements on this topic. I can’t wait to see what other responses you get so I can forward them to our leadership. Our sister organization has implemented an automated email "filter" that attempts to automatically identify patient-identifiable information included within emails and converts them to a secure messaging solution. Of course this creates so many problems that most people resort to Gmail to send their documents that are inadvertently trapped by the filter.
I don’t think docs even know these things exist!!!!!
Administrative policy prohibiting use of Cloud applications for sensitive data including but not limited to PHI.
Prayer, and offering better alternatives.
Policies for now, which are sub-optimal. Yes, it’s happening, and those who think it’s not needs to get their kid’s beach shovel and dig themselves out! We make it difficult by blocking certain known and popular file sharing sites, but it is imperfect. We have been evaluating technologies which have promise but struggled in a proof of concept. Could be a late ’14 initiative but more likely ’15.
These sites are blocked from access from our network. To date, we have not seen this occurring.