Advisory Panel: PHI Stored in the Cloud by Clinicians and Employees
The HIStalk Advisory Panel is a group of hospital CIOs, hospital CMIOs, practicing physicians, and a few vendor executives who have volunteered to provide their thoughts on topical industry issues. I’ll seek their input every month or so on important news developments and also ask the non-vendor members about their recent experience with vendors. E-mail me to suggest an issue for their consideration.
If you work for a hospital or practice, you are welcome to join the panel. I am grateful to the HIStalk Advisory Panel members for their help in making HIStalk better.
The question this time: What policies or technologies do you use to prevent clinicians and employees from storing patient information on cloud-based consumer applications such as Google Docs or Dropbox? Have you discovered this happening?
By policy we prohibit moving PHI/PII outside our firewalls. We are early on in using data leakage prevention type tools to prohibit it. We do prohibit auto-forwarding emails.
We use Websense for filtering all of our internet traffic – this includes blocks for sites like Google Docs and Dropbox. We also work to educate providers and staff on the related policies.
We actually had a reportable breach that involved Dropbox. We have developed policies and compensating controls (like random audits), as well as communication through our HIPAA office and inclusion in annual HIPAA training.
We block all file sharing sites. Google Docs has some interest, but we have tried to direct all similar requests to internal, secure solutions.
We’re looking at Box, but haven’t done anything to block these sites.
This is almost certainly happening, but we have not been monitoring or preventing it in any systematic way.
Generally speaking, we’ve blocked nearly all access to file sharing services such as Dropbox and SugarSync. These services are opened on an exception basis only upon a justifiable request. We’ve implemented Mobile Device Management software to disable cloud-based backup and photo streaming on iPhones and iPads to help prevent data from being stored off the network. We’ve forced password protection of connected devices (tethered iDevice backups) to help secure our data.
Our "appropriate use of patient and employee data" policy defines the conditions under which the cloud applications can be used. For example, if a patient’s care is at great risk and using Dropbox will mitigate that risk, we allow for it and in fact, we encourage it. We have a corporate Dropbox account for this very purpose, which is very effective, particularly for sharing images. There’s no way you can expect the cloud applications not to be used. They are going to be used, especially by physicians who are tech savvy and see no other alternative to sharing data that is important to their patient care. So, with that realization, we’ve tried to put in place policies and corporate accounts that make it easier for clinicians to take advantage of the service, but do so with some degree of consolidation and risk reduction. We take the same stance on using Skype for remote consults with patients. For the ultra-paranoid and over-controlling CIOs in the crowd that freak out when they read this approach, they should remember that the data breaches which are plaguing healthcare are about simple sys admin passwords that have never been changed after install; unprotected thumb drives and mobile computers; and the insider that downloads data for resale. Worry about what matters, don’t worry about what doesn’t. That’s the key mindset to information security risk management, but we rarely hit the bullseye in healthcare.
We’ve seen this happen. We’ve blocked the ports so that they cannot use the consumer apps. We have also provided a secure cloud-based replacement for some of our staff that need to routinely share large files with others outside the organization.
Haven’t seen this yet.
I’m a physician, so we like this… shhhhh.
Give them access to a storage drive on the network, or give them access to a private cloud for storage.
All are blocked on hospital network using a proprietary service (Websense? I’m a CMIO, not a CIO so I can’t recall all the vendors.) connected to our proxy. All PHI is available only over Citrix, no fat clients, so download would be screen by screen. Wireless Guest Network does allow connection to Dropbox, Google Docs/Drive, etc.
I think you would call our policy "don’t ask, don’t tell." We are very concerned about encryption of laptops because we have had problems with lost devices, but so far we have not had problems with these publicly accessible cloud solutions … knock on wood. Therefore, our purely reactive leadership team has not made any pronouncements on this topic. I can’t wait to see what other responses you get so I can forward them to our leadership. Our sister organization has implemented an automated email "filter" that attempts to automatically identify patient-identifiable information included within emails and converts them to a secure messaging solution. Of course this creates so many problems that most people resort to Gmail to send their documents that are inadvertently trapped by the filter.
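The false-positive problem in that last response (a PHI email filter trapping benign mail until people route around it) is illustrated by this added example, which is not code from the panel member or from HIStalk: a naive identifier filter flags a printer invoice and a lunch notice, while a version that also requires a PHI cue word lets them through. The sample messages and the cue-word list are constructed for illustration; a real deployment would tune both to its own data.

```python
import re

# Constructed sample messages (no real patient data). Two contain PHI-like
# identifiers; two are benign mail that a naive filter would trap.
SAMPLE_EMAILS = [
    "Please review labs for MRN 00483921, DOB 04/12/1961, before rounds.",
    "Attached is invoice 84739201 for the Q3 printer lease, due 10/15/2013.",
    "SSN on file is 123-45-6789; needs update in the registration system.",
    "Team lunch is at 12:30 on 9/23/13 in conference room B.",
]

# Naive rule: any SSN-shaped string, any 8-9 digit number, or any date.
NAIVE_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),         # SSN shape
    re.compile(r"\b\d{8,9}\b"),                   # MRN-sized number
    re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),   # any date
]

# Context-aware rule: an identifier counts only when a PHI cue word is also
# present. This cue list is an assumption made for the example.
CUES = re.compile(
    r"\b(MRN|patient|DOB|date of birth|SSN|diagnos\w*|labs?)\b", re.I
)


def naive_flag(text: str) -> bool:
    """True if any bare identifier pattern appears (high false-positive rate)."""
    return any(p.search(text) for p in NAIVE_PATTERNS)


def contextual_flag(text: str) -> bool:
    """True only if an identifier pattern AND a PHI cue word both appear."""
    return naive_flag(text) and CUES.search(text) is not None


def classify(emails):
    """Return (naive_result, contextual_result) per message for comparison."""
    return [(naive_flag(e), contextual_flag(e)) for e in emails]


if __name__ == "__main__":
    for msg, (naive, ctx) in zip(SAMPLE_EMAILS, classify(SAMPLE_EMAILS)):
        print(f"naive={naive!s:5} contextual={ctx!s:5} | {msg}")
```

Both benign messages are flagged by the naive rule and cleared by the contextual one; the trade-off is that PHI sent without any cue word would also be missed, which is why such filters need measurement rather than a one-time rule set.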
I don’t think docs even know these things exist!!!!!
Administrative policy prohibiting use of Cloud applications for sensitive data including but not limited to PHI.
Prayer, and offering better alternatives.
Policies for now, which are sub-optimal. Yes, it’s happening, and those who think it’s not need to get their kid’s beach shovel and dig themselves out! We make it difficult by blocking certain known and popular file sharing sites, but it is imperfect. We have been evaluating technologies which have promise but struggled in a proof of concept. Could be a late ’14 initiative but more likely ’15.
These sites are blocked from access from our network. To date, we have not seen this occurring.
In regard to the panel member who stated “Worry about what matters, don’t worry about what doesn’t. That’s the key mindset to information security risk management, but we rarely hit the bullseye in healthcare,” a BIG ROUND OF APPLAUSE!
As a certified Cloud Architect with over 17 years of healthcare IT experience, I would rather have my patient data sitting in a cloud (public or private) vs. sitting in an application/system that is not interoperable or hard to access and navigate. Especially if I am at great risk physically.
I frequently wonder whether all the over-generated hype surrounding cloud security is generated by vendors who still believe they can control their share of the market by only providing close-ended solutions. Ummm…….
As of 9/23/13 all Clouds that touch PHI MUST BE HIPAA compliant. It is the provider’s responsibility to make sure your vendor is. If the cloud vendor is not, the provider is also non-compliant per OCR and can be fined along with the vendor. Some public clouds will certify in a contract to HIPAA compliance (Microsoft) while others (Google) will not.
Be careful here…
What FLPoggio says: to be more specific, any vendor that handles a covered entity’s PHI must have executed a BAA, right? Microsoft and Box will sign BAAs; Google and Dropbox won’t. Anyone know of other options?
Just to clarify, ‘applications’ cannot be HIPAA compliant, only ‘organizations’ !!!!
John – Not to be argumentative, but… that seems too fine a point, because if the organization is fully compliant, then all of its practices and applications are also compliant, by definition. Applications are indeed developed in compliance, or they are not.