
Advisory Panel: PHI Stored in the Cloud by Clinicians and Employees

August 14, 2013 Advisory Panel 5 Comments

The HIStalk Advisory Panel is a group of hospital CIOs, hospital CMIOs, practicing physicians, and a few vendor executives who have volunteered to provide their thoughts on topical industry issues. I’ll seek their input every month or so on important news developments and also ask the non-vendor members about their recent experience with vendors. E-mail me to suggest an issue for their consideration.

If you work for a hospital or practice, you are welcome to join the panel. I am grateful to the HIStalk Advisory Panel members for their help in making HIStalk better.

The question this time: What policies or technologies do you use to prevent clinicians and employees from storing patient information on cloud-based consumer applications such as Google Docs or Dropbox? Have you discovered this happening?

By policy we prohibit moving PHI/PII outside our firewalls. We are early on in using data leakage prevention type tools to enforce the prohibition. We do prohibit auto-forwarding emails.

We use Websense for filtering all of our internet traffic – this includes blocks for sites like Google Docs and Dropbox. We also work to educate providers and staff on the related policies.

We actually had a reportable breach that involved Dropbox. We have developed policies and compensating controls (like random audits), as well as communication through our HIPAA office and inclusion in annual HIPAA training.

We block all file sharing sites. Google Docs has some interest, but we have tried to direct all similar requests to internal, secure solutions.

We’re looking at Box, but haven’t done anything to block these sites.

This is almost certainly happening, but we have not been monitoring or preventing it in any systematic way.

Generally speaking, we’ve blocked nearly all access to file sharing services such as Dropbox and SugarSync. These services are opened on an exception basis only upon a justifiable request. We’ve implemented Mobile Device Management software to disable cloud-based backup and photo streaming on iPhones and iPads to help prevent data from being stored off the network. We’ve forced password protection of connected devices (tethered iDevice backups) to help secure our data.

Our "appropriate use of patient and employee data" policy defines the conditions under which the cloud applications can be used. For example, if a patient’s care is at great risk and using Dropbox will mitigate that risk, we allow for it and in fact, we encourage it. We have a corporate Dropbox account for this very purpose, which is very effective, particularly for sharing images. There’s no way you can expect the cloud applications not to be used. They are going to be used, especially by physicians who are tech savvy and see no other alternative to sharing data that is important to their patient care. So, with that realization, we’ve tried to put in place policies and corporate accounts that make it easier for clinicians to take advantage of the service, but do so with some degree of consolidation and risk reduction. We take the same stance on using Skype for remote consults with patients. For the ultra-paranoid and over-controlling CIOs in the crowd that freak out when they read this approach, they should remember that the data breaches which are plaguing healthcare are about simple sys admin passwords that have never been changed after install; unprotected thumb drives and mobile computers; and the insider that downloads data for resale. Worry about what matters, don’t worry about what doesn’t. That’s the key mindset to information security risk management, but we rarely hit the bullseye in healthcare.

We’ve seen this happen. We’ve blocked the ports so that they cannot use the consumer apps. We have also provided a secure cloud-based replacement for some of our staff that need to routinely share large files with others outside the organization.

Haven’t seen this yet.

I’m a physician, so we like this… shhhhh. 

Give them access to a network storage drive, or give them access to a private cloud for storage.

All are blocked on hospital network using a proprietary service (Websense? I’m a CMIO, not a CIO so I can’t recall all the vendors.) connected to our proxy. All PHI is available only over Citrix, no fat clients, so download would be screen by screen. Wireless Guest Network does allow connection to Dropbox, Google Docs/Drive, etc.

I think you would call our policy, "don’t ask, don’t tell". We are very concerned about encryption of laptops because we have had problems with lost devices, but so far we have not had problems with these publicly accessible cloud solutions … knock on wood. Therefore, our purely reactive leadership team has not made any pronouncements on this topic. I can’t wait to see what other responses you get so I can forward them to our leadership. Our sister organization has implemented an automated email "filter" that attempts to automatically identify patient-identifiable information included within emails and converts them to a secure messaging solution. Of course this creates so many problems that most people resort to Gmail to send their documents that are inadvertently trapped by the filter.
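Two of the responses above describe the same control from opposite ends: one panel is starting out with data leakage prevention tools, and the one just above reports that a sister organization's email filter traps so many ordinary messages that staff route around it. The snippet below is an added illustration written for this page; it is not the sister organization's filter, any vendor's rule set, or code from HIStalk. It scans constructed outbound messages for distinct classes of PHI indicators (SSN, MRN, date of birth, clinical vocabulary, the word "patient") and compares a "reroute on any single hit" policy with one that requires two distinct indicator classes before rerouting to secure messaging. The regular expressions and sample messages are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# Indicator classes. These patterns are constructed for this example, not a
# vendor's rule set; a production DLP engine would use tuned, validated
# dictionaries and identifier checks rather than bare regexes.
INDICATORS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(
        r"\b(?:DOB|date of birth)[:\s]+\d{1,2}/\d{1,2}/\d{2,4}\b", re.IGNORECASE),
    "clinical_term": re.compile(
        r"\b(?:diagnos(?:is|ed)|discharge summary|lab results?|medication list)\b",
        re.IGNORECASE),
    "patient_label": re.compile(r"\bpatient\b", re.IGNORECASE),
}


@dataclass
class Verdict:
    route: str                           # "secure_messaging" or "deliver"
    indicators: set = field(default_factory=set)


def find_indicators(text):
    """Return the set of indicator classes that occur anywhere in the message."""
    return {name for name, pattern in INDICATORS.items() if pattern.search(text)}


def classify(text, min_classes=2):
    """Decide where an outbound message goes.

    min_classes=1 reroutes on any single hit, which is the over-trapping
    behaviour the panel member describes. min_classes=2 requires two distinct
    indicator classes, so a lone word such as 'patient' in a meeting reminder
    is not enough to divert the message.
    """
    hits = find_indicators(text)
    route = "secure_messaging" if len(hits) >= min_classes else "deliver"
    return Verdict(route, hits)


def compare_policies(messages):
    """Count how many messages each policy reroutes, to expose the false-positive gap."""
    single = sum(classify(m, 1).route == "secure_messaging" for m in messages)
    combined = sum(classify(m, 2).route == "secure_messaging" for m in messages)
    return {"single_hit": single, "two_classes": combined}


# Constructed sample outbound messages; none contains real patient data.
SAMPLE_MESSAGES = [
    "Hi Dr. Lee, patient MRN 00481523, DOB 03/14/1961, attached discharge summary for review.",
    "Reminder: patient satisfaction survey results meeting moved to 3pm.",
    "Lab results for the new Cisco switch throughput test are in the shared drive.",
    "Please update billing: SSN 123-45-6789 for the patient admitted yesterday.",
    "Lunch at noon?",
]

if __name__ == "__main__":
    for message in SAMPLE_MESSAGES:
        verdict = classify(message)
        print(f"{verdict.route:17} {sorted(verdict.indicators)}  {message[:50]}")
    print(compare_policies(SAMPLE_MESSAGES))
```

Run as a script, the single-hit policy diverts four of the five messages, including the survey reminder and the network lab note, while the two-class policy diverts only the two that actually carry an identifier alongside clinical context. The second policy still misses a message that contains only an identifier with no context, which is the trade-off a filter owner has to make deliberately rather than by accident.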

I don’t think docs even know these things exist!!!!!

Administrative policy prohibiting use of Cloud applications for sensitive data including but not limited to PHI.

Prayer, and offering better alternatives.

Policies for now, which are sub-optimal. Yes, it’s happening, and those who think it’s not need to get their kid’s beach shovel and dig themselves out! We make it difficult by blocking certain known and popular file sharing sites, but it is imperfect. We have been evaluating technologies which have promise but struggled in a proof of concept. Could be a late ’14 initiative but more likely ’15.

These sites are blocked from access from our network. To date, we have not seen this occurring.

Currently there are 5 comments on this article:

  1. In regard to the panel member who stated “Worry about what matters, don’t worry about what doesn’t. That’s the key mindset to information security risk management, but we rarely hit the bullseye in healthcare”, A BIG ROUND OF APPLAUSE!

    As a certified Cloud Architect with over 17 years of healthcare IT experience, I would rather have my patient data sitting in a cloud (public or private) vs. sitting in an application/system that is not interoperable or hard to access and navigate. Especially if I am at great risk physically.

    I frequently wonder whether all the over generated hype surrounding cloud security is generated by vendors who still believe they can control their share of the market by only providing close-ended solutions. Ummm…….

  2. As of 9/23/13 all Clouds that touch PHI MUST BE HIPAA compliant. It is the provider’s responsibility to make sure your vendor is. If the cloud vendor is not, the provider is also non-compliant per OCR and can be fined along with the vendor. Some public clouds will certify in a contract to HIPAA compliance (Microsoft) while others (Google) will not.
    Be careful here…

  3. What FLPoggio says: to be more specific, any vendor that handles a covered entity’s PHI must have executed a BAA, right? Microsoft and Box will sign BAAs; Google and Dropbox won’t. Anyone know of other options?

  4. John – Not to be argumentative, but… that seems too fine a point, because if the organization is fully compliant, then all of its practices and applications are also compliant, by definition. Applications are indeed developed in compliance, or they are not.
