Why Healthcare Organizations Need HIPAA-compliant SaaS Data Protection Now More than Ever

No matter how or where healthcare payers and providers are managing data, it has never been more critical to protect healthcare-related data and PHI (protected health information). Not only are health institutions under pressure to provide faster, better, and more accessible care by adopting new technologies (while complying with industry mandates like the Health Insurance Portability and Accountability Act), but these organizations are also increasingly being targeted by hackers, malicious insiders, espionage groups, and other forms of cyber attack.


Healthcare record hacking is up 11,000%. Are you prepared for a data breach?
According to a recent NBC news report, health record hacking increased by 11,000 percent in 2015, and all indicators point to a continuing upward trend. In just the last few months, several major health institutes have revealed data breaches affecting millions of patients and customers.

A data heist at a southern California hospital in February of 2016 shut down critical operations and resulted in hundreds of patients being diverted to nearby facilities. In the same month, health insurer Anthem Inc. was hit by a cyberattack that exposed the personal information of 78.8 million people. And Excellus, a health insurer in western New York, reported a similar incident in September of 2015, admitting that the data breach they experienced may have provided unauthorized access to more than 10 million personal records.

These records are prized and traded on the dark web because they include name, address, social security information, health history, and other data that can be used to steal an identity, gain access to free healthcare and prescription drugs, and file fraudulent tax returns.

In spite of the numbers, only half of healthcare organizations have a disaster recovery plan.
It’s now estimated that one-third of Americans have had their healthcare records compromised in the last year – and almost all of them are completely unaware. Adding to this, recent research by security company ESET and the Ponemon Institute indicates that healthcare organizations average about one cyber attack per month, with nearly 50% reporting incidents involving the loss or exposure of patient information during the last year. Yet surprisingly, only half the respondents reported having an incident response plan in place in case of an emergency or attack.

This leads security experts like Eric Cowperthwaite, a vice president of advanced security and strategy at Core Security, to pronounce, “Healthcare payers and providers both are simply not prepared for the level of bad guy they are now facing.”

Prepare for the worst with a recovery plan that keeps you HIPAA-compliant.
Experts at Infoworld say there is much to glean from this concerning trend. “Those who deploy cloud systems can learn a lesson from these breaches: Security needs to be systemic. Security can’t be a bolt-on at the end of the build process. Instead, it must be continually updated during the life of the system. The effectiveness of security depends wholly on the planning and technology applied to the problem, for both cloud and traditional systems. Let’s get a clue and provide better security from the start, no matter where your systems are hosted.”

For organizations managing e-PHI in SaaS applications like Google Apps, Office 365, and Salesforce, being proactive about data protection requires, in part, getting solutions in place that help them recover from a cyberattack, data breach, or malicious insider activity. Importantly, putting these measures in place also helps organizations remain compliant with HIPAA standards.

Make cloud-to-cloud backup and recovery part of your disaster recovery plan.
A cloud-to-cloud SaaS backup and restore solution is a key part of disaster recovery and HIPAA compliance. By safeguarding a copy of all cloud application data in a separate cloud infrastructure, this type of backup solution ensures that even if the primary data set is compromised, a pristine copy still exists and can be quickly restored to your SaaS environment – which means virtually uninterrupted care and access to data.

While many cloud application users believe their primary cloud service provider (like Google, Salesforce, or Microsoft) can handle backup and recovery in case of a data disaster, the truth is that these providers are quite limited in their ability to help you recover from data loss caused by hacking, malicious insiders, and other risk factors in the cloud.

Is your cloud strategy on solid ground? Learn how to protect health-related data in your SaaS environment
How do you safeguard your organization’s cloud application data, compliance, and privacy of information? Here are a few tips to get started:

  • Be sure to fully understand your relationship with your selected cloud vendor – where your compliance responsibilities lie and how cloud vendors and applications fit in.
  • Learn about the notable gaps in the native data protection provided by cloud providers. There are many risks in the cloud from which cloud service providers (CSPs) like Microsoft, Google, and Salesforce cannot protect you.
  • Create a SaaS data protection plan to fill those gaps in order to ensure compliance with HIPAA and other standards surrounding data protection, retention, and accessibility.

You can begin developing your SaaS data protection plan and learn more about managing e-PHI in your SaaS environment with the help of a free whitepaper by Spanning, Getting your cloud strategy on solid ground: Ensuring data protection in SaaS applications containing PHI.

About the Author: Melanie Sommer