File sharing and collaboration tools offer many advantages to HIPAA-covered entities, but they can also introduce risks to the security and privacy of electronic protected health information (ePHI). These tools are widely used, including by healthcare organizations, yet they can easily result in the exposure or disclosure of sensitive files.
The Department of Health and Human Services' Office for Civil Rights (OCR) has recently issued a reminder to covered entities and business associates (BAs) about the potential dangers of file sharing and collaboration tools, describing the risks these services can introduce and how covered entities can use them while remaining in compliance with HIPAA Rules.
Although file sharing tools and cloud computing services may include all of the controls needed to keep files secure and out of reach of unauthorized individuals, over the past couple of years there have been numerous instances where human error has led to misconfigurations, and those misconfigurations have resulted in data breaches.
A Metalogix study conducted by the Ponemon Institute found that 1 in 2 organizations using the file sharing tool SharePoint had experienced a confirmed data breach in SharePoint during the previous two years. That does not mean SharePoint should not be used, nor that healthcare organizations should avoid other cloud and file sharing tools. If these cloud services and tools are to be used, covered entities and BAs must conduct a comprehensive risk analysis to identify potential threats to the confidentiality, integrity, and availability of ePHI. A risk management plan must then be implemented to reduce those risks to a reasonable and appropriate level.
Misconfigurations should be identified during a risk analysis, but OCR also recommends that organizations conduct vulnerability scans. Scans help covered entities identify possible vulnerabilities such as software misconfigurations, outdated software, and missing patches. Recent malware attacks (WannaCry and NotPetya) demonstrated that missing patches and outdated software can give cybercriminals access to networks and allow them to install malicious software.
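As an added example (not part of the OCR reminder or this article), the script below audits a few constructed file-share records for the classes of problem a risk analysis or vulnerability scan should surface: anonymous or organization-wide sharing links on ePHI, sharing links that never expire, and a platform version below the minimum patched release. The record fields, severity levels, sample data and the minimum version are all assumptions made for illustration, not the settings of any real product.

```python
"""Audit constructed file-share configuration records for common
misconfigurations that expose ePHI. Added example; every field,
threshold and sample record here is an assumption for illustration."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple, Dict

# Hypothetical minimum patched version of the sharing platform.
MIN_PATCHED_VERSION: Tuple[int, int, int] = (16, 0, 4)
# Fixed audit date so the example is deterministic (constructed).
AUDIT_DATE = date(2017, 9, 1)
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}


@dataclass(frozen=True)
class ShareRecord:
    path: str
    contains_ephi: bool
    link_scope: str                   # "anonymous", "organization", "specific_people"
    link_expires: Optional[date]      # None means the link never expires
    platform_version: Tuple[int, int, int]


@dataclass(frozen=True)
class Finding:
    severity: str
    path: str
    message: str


def version_str(v: Tuple[int, int, int]) -> str:
    return ".".join(str(part) for part in v)


def audit_share(rec: ShareRecord) -> List[Finding]:
    """Return the findings for a single share record."""
    findings: List[Finding] = []
    # Anyone holding an anonymous link can read the file: worst case for ePHI.
    if rec.contains_ephi and rec.link_scope == "anonymous":
        findings.append(Finding("critical", rec.path,
                                "ePHI reachable by anyone holding the link (anonymous sharing)"))
    # Org-wide sharing violates minimum-necessary access for ePHI.
    elif rec.contains_ephi and rec.link_scope == "organization":
        findings.append(Finding("high", rec.path,
                                "ePHI shared with the entire organization; restrict to named users"))
    # Links not bound to specific people should expire, so stale access is cut off.
    if rec.link_scope != "specific_people" and rec.link_expires is None:
        findings.append(Finding("medium", rec.path, "sharing link never expires"))
    # Outdated platform software: missing patches are what WannaCry-style attacks exploit.
    if rec.platform_version < MIN_PATCHED_VERSION:
        findings.append(Finding("high", rec.path,
                                f"platform version {version_str(rec.platform_version)} is below "
                                f"minimum patched version {version_str(MIN_PATCHED_VERSION)}"))
    return findings


def audit(records: List[ShareRecord]) -> List[Finding]:
    """Audit all records; most severe findings first, then by path."""
    findings = [f for rec in records for f in audit_share(rec)]
    findings.sort(key=lambda f: (SEVERITY_RANK[f.severity], f.path))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample records (not real data).
SAMPLE_RECORDS = [
    ShareRecord("/patients/labs/2017-06.xlsx", True, "anonymous", None, (16, 0, 3)),
    ShareRecord("/hr/newsletter.docx", False, "organization", date(2017, 10, 1), (16, 0, 5)),
    ShareRecord("/patients/notes.docx", True, "specific_people", None, (16, 0, 5)),
]

if __name__ == "__main__":
    results = audit(SAMPLE_RECORDS)
    for f in results:
        print(f"[{f.severity.upper():8}] {f.path}: {f.message}")
    print("summary:", summarize(results))
```

The first sample record produces three findings (an anonymous ePHI link, an outdated platform version and a non-expiring link); the newsletter, which holds no ePHI and has an expiry date, produces none; the ePHI file shared only with specific people is not flagged for lacking an expiry because access is already bound to named users.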
OCR also points out that covered entities and BAs must enter into a business associate agreement with cloud service providers before any services or tools are used.
OCR draws attention to guidance released last year on cloud computing services. The guidance helps covered entities that wish to use cloud computing services to do so while complying with HIPAA Rules.
The guidance is available for download from OCR's website.