Healthcare Technology News

What is a HIPAA Compliant Cloud Drive?

There is no doubt that data storage in the cloud has many benefits for healthcare organizations; however, if electronic protected health information (ePHI) is to be stored in the cloud, it is necessary to use a HIPAA compliant cloud drive – a HIPAA compliant cloud storage solution from a cloud service provider (CSP).

HIPAA and Cloud Computing

The Health Insurance Portability and Accountability Act was enacted just as the use of virtual computers started to gain popularity in the 1990s; however, it was not until the early 2000s that cloud computing really took off, although healthcare organizations were slow to embrace the cloud. The situation is very different today. According to Market Data Forecast, in 2022 the healthcare cloud computing market was worth $5.22 billion and it is expected to reach $201.1 billion by 2032. 90% of healthcare organizations are already using cloud-based services or plan to use them by 2025.

Even though cloud computing services have now been widely adopted by healthcare organizations, there is no mention of cloud computing in the HIPAA text. HIPAA was written in a way to ensure that it is technology agnostic to ensure that when new technologies were introduced, the HIPAA Rules could be easily applied to those technologies. Cloud services can be used by HIPAA-regulated entities, as long as they are fully compliant with the HIPAA Privacy and Security Rules. Healthcare organizations that have yet to transition to the cloud may be unaware what a HIPAA compliant cloud drive is, how HIPAA compliant cloud storage differs from other cloud storage services, and how they can ensure HIPAA compliance in the cloud, all of which are explained below.

What is a HIPAA Compliant Cloud Drive?

Technically, there is no such thing as a HIPAA compliant cloud drive as no cloud server can be truly HIPAA compliant. HIPAA compliance depends on the actions of the people. Even if appropriate security is applied to secure ePHI in the cloud, if healthcare organizations misconfigure settings or do not implement appropriate access controls, ePHI could easily be exposed over the Internet, thus violating the HIPAA Rules.

That said, many CSPs offer HIPAA compliant cloud storage to HIPAA-regulated entities. What this means is the service they offer incorporates all of the necessary security controls to ensure the confidentiality, integrity, and availability of ePHI and prevent impermissible disclosures. Those controls apply to ePHI at rest (stored on cloud servers) and in motion to and from the cloud server or service. Access controls can be configured to restrict access to ePHI to ensure only authorized individuals can view, alter, or transmit data, and audit logs are maintained of successful and unsuccessful access attempts and any alterations to ePHI.

A HIPAA compliant cloud service provider will ensure that safeguards are incorporated into the platform to ensure that it can be used in a HIPAA-compliant way; however, it is up to each HIPAA-regulated entity to ensure that the controls are correctly configured and the service is used in a manner that is compliant with the HIPAA Privacy and Security Rules.

A Business Associate Agreement Must be Obtained from a Cloud Service Provider

If a HIPAA-regulated entity engages the services of any vendor to create, receive, maintain, or transmit ePHI on their behalf, that vendor is classed as a business associate under HIPAA. If cloud services are used in connection with any ePHI, including the processing and storage of ePHI in the cloud, the CSP is a business associate and has responsibilities under HIPAA, even if the CSP only stores encrypted ePHI and does not hold an encryption key for the data. Any subcontractors used by the CSP are also business associates of the CSP and must also comply with certain requirements of the HIPAA Rules.

HIPAA-regulated entities must obtain a HIPAA compliant business associate agreement from the CSP before any HIPAA-covered data is uploaded to the cloud, and a CSP must obtain a HIPAA compliant business associate agreement from any third-party vendor before allowing them access to a HIPAA-regulated entity’s environment. The CSP and any subcontractors used are contractually liable for meeting the terms of the business associate agreement and are directly liable for compliance with the applicable requirements of the HIPAA Rules. If a CSP is not prepared to sign a business associate agreement, their services must not be used in connection with any ePHI.

In addition to a business associate agreement (BAA), many covered entities address other requirements through a service-level agreement (SLA). The BAA outlines the responsibilities of the CSP with respect to HIPAA, while the SLA deals with technical aspects such as availability and reliability of the service, data backups and recovery, the security responsibilities of each party, and how any stored data will be returned when the service is no longer used.

HIPAA Compliant Cloud Storage Requires More than a BAA!

Covered entities must obtain a BAA prior to any cloud service being used in conjunction with ePHI, but having a BAA is not sufficient to avoid a penalty for noncompliance with HIPAA Rules. Before any cloud service is used, covered entities must conduct a comprehensive risk analysis to identify risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI and must subject any identified risks to a risk management process to reduce them to a low and acceptable level. Policies and procedures must be developed and implemented covering the use of the cloud service, and training must be provided to the workforce on the HIPAA-compliant use of cloud services.

Access controls must be configured correctly to ensure that only authorized individuals are able to access cloud-stored data. Even though a HIPAA compliant cloud drive may meet the requirements of the HIPAA Security Rule, covered entities must ensure they are fully compliant with the requirements of the HIPAA Privacy Rule. Covered entities should apply single sign-on controls, use multifactor authentication, automatic logoff controls, and secure passwords, and procedures should be developed to ensure ePHI is available in emergencies.

Audit controls are required to ensure all activities in relation to ePHI are recorded. HIPAA-regulated entities are required to conduct regular checks of logs to monitor for unauthorized activity and regulators may require access to those logs in the event of an audit or compliance investigation. Any data stored in the cloud should be encrypted and covered entities must ensure data uploaded to the cloud is encrypted in transit. The encryption algorithms used should meet the standards of the National Institute of Standards and Technology (NIST).

What Cloud Storage is HIPAA Compliant?

Many CSPs offer HIPAA compliant cloud storage and file-sharing services and are willing to sign BAAs with HIPAA-regulated entities. Sync is one of the current market leaders and is used by many healthcare providers for storing files in the cloud and private and secure file sharing, including Mount Sinai Hospital, Doctorcare, Equalize Health, and the Canadian Red Cross. The platform allows mission-critical files to be accessed easily by authorized individuals from any computer, mobile device, or the web, no matter where care is provided. Sync signs business associates with HIPAA-regulated entities and supports HIPAA compliance, PIPEDA compliance for Canadian healthcare companies, GDPR compliance for European healthcare providers, and other privacy and security regulations. The platform integrates with Microsoft Office 365, Windows and macOS desktops, and mobile devices, and all data is protected with strong encryption, robust access controls, and state-of-the-art security.

Many cloud service providers offer a variety of plans to meet the needs of individuals and businesses; however, not all plans are covered by business associate agreements. For example, Sync offers a HIPAA compliant cloud drive and will sign a BAA, but only for the Sync Professional and Teams Plans. HIPAA-regulated entities must sign up for a Professional or Business Plan and obtain a signed BAA before the service is used.

Summary

While there is no mention of HIPAA cloud storage and cloud computing in the HIPAA text, healthcare organizations can engage the services of CSPs and use their platforms to reduce costs, improve productivity, and connect and communicate more easily, provided they use HIPAA-compliant cloud services and obtain a BAA from the CSP. You can find out more about HIPAA cloud storage from the HHS, which recently published guidance for HIPAA-regulated entities on HIPAA compliant data storage in the cloud and the use of other cloud services in connection with ePHI.

The post What is a HIPAA Compliant Cloud Drive? appeared first on HIPAA Journal.

OCR/FTC Warn Hospitals & Telehealth Companies About Tracking Technologies

The Department of Health and Human Services’ Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) have written to 130 hospitals and telehealth providers warning them about the risks of using tracking technologies such as pixels on their websites and web apps which may disclose sensitive health information to third parties in violation of the HIPAA Rules and the FTC Act.

A study published in Health Affairs suggests 98.6% of US nonfederal acute care hospitals have used tracking technologies on their websites, and a 2022 analysis by The Markup found one-third of the top 100 hospitals in the United States were using tracking technologies on their websites that could collect individually identifiable information, including information about health conditions. Following these discoveries, several hospitals and health systems reported breaches of protected health information, some of which involved impermissible disclosures of millions of patient records.

A later study by The Markup found that the technologies were also widely used by telehealth companies. Even companies that are not required to comply with the HIPAA Rules have an obligation to protect personal health information against impermissible disclosure. The FTC has already taken action against entities that are not covered by HIPAA, such as GoodRx, BetterHelp, and Premom, over the use of these tracking technologies for alleged violations of the FTC Act and Health Breach Notification Rule.

In December 2022, OCR issued guidance to HIPAA-regulated entities on HIPAA and tracking technologies. While these tools can provide valuable insights for improving the services provided to patients, these technologies can collect and transmit information protected by HIPAA. Further, these technologies also permit the tracking of users even after they navigate away from the website or mobile app where the tracking technology is used. Any information transmitted to a third party may then be used for a purpose not permitted under the HIPAA Rules, and the collected information may be further disclosed to other third parties.

“When consumers visit a hospital’s website or seek telehealth services, they should not have to worry that their most private and sensitive health information may be disclosed to advertisers and other unnamed, hidden third parties,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The FTC is again serving notice that companies need to exercise extreme caution when using online tracking technologies and that we will continue doing everything in our powers to protect consumers’ health information from potential misuse and exploitation.”

“Although online tracking technologies can be used for beneficial purposes, patients and others should not have to sacrifice the privacy of their health information when using a hospital’s website,” said Melanie Fontes Rainer, OCR Director. “OCR continues to be concerned about impermissible disclosures of health information to third parties and will use all of its resources to address this issue.”

The letters were jointly sent by OCR and the FTC to 130 entities cautioning them about tracking technologies on websites and mobile apps that can potentially disclose sensitive health data. The organizations that were sent the letters are believed to have used or are using tracking technologies such as Pixel from Meta/Facebook and Google

Analytics code to collect and analyze user interactions on websites and web apps. The letters do not mean that an organization has been found to be in violation of violated HIPAA or the FTC Act nor does the failure to receive a letter mean that an organization is in the clear. All organizations that collect personal health information should review their websites and web apps to identify any tracking technologies and ensure they are fully compliant with all relevant laws. If tracking technologies are discovered to have been used on websites or apps that impermissibly disclosed personal health information or protected health information to third parties, then the breaches should be reported in accordance with the HIPAA Breach Notification Rule and FTC Health Breach Notification Rule.

“Both agencies are closely watching developments in this area,” explained the FTC and OCR in the letters. “To the extent you are using the tracking technologies described in this letter on your website or app, we strongly encourage you to review the laws cited in this letter and take actions to protect the privacy and security of individuals’ health information.”

The post OCR/FTC Warn Hospitals & Telehealth Companies About Tracking Technologies appeared first on HIPAA Journal.

Vulnerabilities Identified in Popular Telemedicine Software Development Kit

Security flaws have been identified in the QuickBlox software development kit (SDK) and application programming interface (API) that supports the real-time chat and video applications used by many telemedicine providers.

The vulnerabilities were identified by security researchers from Claroty’s Team82 and Check Point Research who collaborated to look into the security of the popular QuickBlox SDK and API, which support applications used in telemedicine, finance, and smart IoT device applications. The SDK and API are provided to mobile and web application developers to deliver user management, real-time public and private chats, and incorporate security features to support HIPAA and GDPR compliance.

The researchers identified two vulnerabilities that put sensitive data at risk, including protected health information (PHI). Given the extent to which the QuickBlox chat and video framework is used, the sensitive information of millions of individuals was at risk of exposure. CVE-2023-311847 is a high-severity flaw with a CVSS 3.1 base score of 7.8 and is due to the creation of hard-coded credentials. The second vulnerability, tracked as CVE-2023-31185, is a high-severity flaw with a CVSS 3.1 base score of 7.5 and allows information disclosure via an unspecified request.

The vulnerabilities make it possible to log in to QuickBlox on behalf of any user – doctor or patient – and view all of their data, including personal information, medical histories, chat histories, and medical record files. The researchers say full impersonation is also possible, so a malicious actor could log in as any doctor, modify information, and communicate in real-time via chat and video with real patients. The patient would be unaware that they were not chatting with a real physician. The researchers developed proof-of-concept exploits for the vulnerabilities against multiple applications and demonstrated how secret tokens and passwords embedded in applications along with the use of an insecure QuickBlox API would allow malicious actors to gain access to the PHI of millions of users.

The researchers looked at a popular telemedicine application that integrates with the QuickBlox SDK and provides chat and video services allowing patients to communicate with doctors. The researchers were able to exploit the QuickBlox vulnerabilities alongside specific telemedicine app vulnerabilities, and gain access to the entire user database, along with related medical records and medical histories stored in the application. They were also able to log in as any user, making it possible to impersonate a doctor. At the time of publication, the telemedicine application was still running the vulnerable versions of the framework.

Team82 and CPR worked closely with QuickBlox to resolve the identified vulnerabilities. QuickBlox has now designed a new, secure architecture and API to eliminate the vulnerabilities. All users should ensure they migrate to the latest version as soon as possible to the flaws being exploited.

The post Vulnerabilities Identified in Popular Telemedicine Software Development Kit appeared first on HIPAA Journal.

Médecins Sans Frontières/Doctors Without Borders Deploys Celo Health Secure Messaging Solution to Support its Humanitarian Efforts in 87 Countries

Securely sharing patient information is vital in the United States where healthcare organizations and their business associates are required to comply with the Health Insurance Portability and Accountability Act (HIPAA) and state laws governing health information privacy. In Europe, all personal data must be secured to comply with the General Data Protection Regulation (GDPR), and many countries have regulations covering personally identifiable health. In order to comply with these regulations, organizations that operate globally must ensure that medical information is fully protected when it is transmitted electronically and access controls are in place to ensure that only authorized individuals can view that information.

Médecins Sans Frontières (MSF), aka Doctors Without Borders, is a non-governmental organization that provides emergency humanitarian medical care in conflict zones and countries affected by natural disasters, endemic diseases, and exclusion. MSF was formed in 1971 and has grown into an international movement of 63,000 people in more than 70 countries. MSF operates in extremely challenging environments and its clinicians must rely on smartphones for sharing critical patient information with their coordination teams, peers, and remote specialists. Any information shared electronically must be kept private and confidential and needs to be rapidly communicated to support clinical decisions that save lives.

There are many instant messaging platforms for mobile devices that allow rapid communication of information but they often lack the necessary privacy protections and security safeguards for communicating medical information to ensure global compliance. MSF conducted an in-depth review of messaging apps that could meet its unique communication needs and chose Celo Health’s secure messaging technology. Celo Health’s cloud communications platform was chosen due to its ease of use, global compliance, affordability, and reliability in challenging network environments. The platform was easy to implement on iOS and Android phones and desktop computers, required no training, and allowed instant onboarding of employees. The platform’s built-in directory enables MSF healthcare teams to reach the right person instantly, and the time saved communicating helps MSF to save lives.

“Due to the sensitive nature of information discussed and shared in MSF projects globally, providing secure messaging services is a top priority for the Telemedicine program,” said Clara Mazon, director of Telemedicine at MSF. “We look forward to working with Celo to improve access to secure messaging for MSF projects worldwide.” MSF has now confirmed that it has successfully implemented the Celo Health platform across the organization and is being used to support its operations in 87 countries. The collaboration between MSF and Celo Health has transformed communication within MSF teams, facilitating the instant secure exchange of patient-related clinical information even in the most challenging environments.

“We’re excited to partner with such a prestigious humanitarian organization and to help them transform their communications so it can deliver healthcare in crisis zones and underserved areas throughout the world. Celo is also committed to supporting MSF’s noble mission of providing free medical care to people who need it,” said Steve Vlok, CEO and founder of Celo. “MSF was also impressed by Celo’s simple yet comprehensive interface and onboarding process. Our team’s due diligence and transparency around privacy and security measures also made Celo stand out among our global competitors.”

The post Médecins Sans Frontières/Doctors Without Borders Deploys Celo Health Secure Messaging Solution to Support its Humanitarian Efforts in 87 Countries appeared first on HIPAA Journal.