OCR Gets Awareness to Dangers from Data Sharing Devices and Cloud-computing

Data sharing and cooperation devices present lots of benefits to HIPAA-covered organizations, even though the devices can also create dangers to the security and privacy of digital health info.  Several organizations use these devices, which include healthcare companies, however, they can very easily result in the revelation or disclosure of confidential files.

The Division of Health, as well as Human Services’ OCR, recently circulated a reminder to protected organizations and BAs of the possible dangers linked with sharing files and cooperation tools, describing the dangers these facilities can create and how protected organizations may use these facilities and remain in conformity with HIPAA Laws.

Although file sharing devices and cloud-computing facilities might include all of the required defenses to make sure files are safe and can’t be viewed by illegal people, over the last couple of years there have been several instances where a human mistake has led to misconfigurations. Those mistakes have resulted in data breaches.

A Metalogix analysis carried out by the Ponemon Institute showed that one out of two firms that uses the file sharing device SharePoint had a verified data breach-in SharePoint within the last two years. That doesn’t imply that SharePoint shouldn’t be used, nor that healthcare companies must evade other cloud and sharing files devices. If these cloud facilities and devices are to be used, protected organizations and BAs should carry out a complete risk evaluation to recognize possible dangers to the integrity, confidentiality, and availability of ePHI. Danger administration plans should then be implemented to make sure those dangers are diminished to an appropriate level.

Misconfigurations must be found in a danger analysis, even though OCR also suggests that companies carry out weakness scans. Scans will help protected organizations identity possible weaknesses like misconfigurations of a software program, outdated software or missed sections. The latest ransomware attacks (WannaCry and NotPetya) have demonstrated that skipped sections and/or outdated software can allow cybercriminals to get into networks and set up malevolent software.

OCR also highlights that protected organizations and BAs should sign a business associate contract with cloud service suppliers before services/tools being applied.

OCR draws awareness to advice issued previous year on cloud computing facilities. The advice assists protected organizations desiring to use cloud computing facilities to apply the solutions when complying with HIPAA Laws.

The advice can be downloaded from OCR through this link.