Inside TDV - The Data Vault Blog
Was Hospital ‘Cloud Breach’ Really a Cloud Security Issue?
More and more we hear about healthcare-related security breaches, and the latest sign that it’s become a “thing” is this headline from mHealthNews.com: ‘Latest hospital data breach involves cloud services.’ Uh-oh. Cloud security has been called out.
This will make ardent supporters of cloud-based backup and recovery solutions cringe without even reading the story. It will make those who scoff at cloud security as they pack up their data tape case for transport beam with vindication. But a closer look reveals something critically important: This wasn’t a cloud security issue so much as it was an employee ignorance and poor administration issue.
The story correctly points out that the usual culprits in a healthcare data breach are lost or stolen smartphones, laptops, tablets or thumb drives. Clearly, that’s not the fault of the storage media involved – it’s the fault of a careless employee (or a vengeful one).
For example, if a company employee (let’s call him “Dave”) in, say, Chicago transports some files home to work on over the weekend on his prized Chicago Cubs logo flash drive, and that drive ends up falling down into the bleachers at Wrigley Field during the seventh inning stretch, no one’s going to reprimand the thumb drive. Or at least they shouldn’t. Dave was careless and needs to be held accountable.
Now consider the details of this particular “cloud security breach”: Oregon Health & Science University officials recently notified 3,000-plus patients that their private health records had been compromised after residents and physicians-in-training at the hospital used Google cloud services to share data.
Furthermore: “Officials said the university doesn’t have a contractual agreement to use the cloud-based ISP.”
Let’s get this straight: Hospital employees took it upon themselves to share patient records on (we can only presume) Google Drive – more than once, and in two different hospital departments, according to the story. Plus, it’s the hospital’s fourth HIPAA violation since 2009, and somehow it’s a “cloud security” problem?
Cue “fail” trombone sound effect: Wah-wah-waaaaaaah.
This problem is about poor administration, not cloud security. If administration at OHSU were fearful of cloud security, they should have had policies in place specifically stating cloud services were not to be used for storing or sharing HIPAA-regulated information, and also should have made sure all employees were aware of those policies.
Furthermore, if cloud-based backup services were to be utilized at such a healthcare facility, administrators could have done minimal research and learned that, ta-da, a service such as TDV Cloud is fully FIPS 140-2 Certified and secure. We’re talking more than 20 years of Asigra-powered backup and recovery software with zero data breaches or compromised systems.
All data protected by TDV Cloud is encrypted and password-protected, and in addition to HIPAA compliance, TDV Cloud is compliant with regulations like Sarbanes-Oxley, Gramm-Leach-Bliley and more. Your IT professionals will have the tools to securely manage your data at all times and identify risks.
In short, Google Drive is fine for your family photos and iTunes library, but if HIPAA is involved – no, more importantly, if any critical and private information is involved – it’s irresponsible and reckless to not seek out a solution like Asigra-powered TDV Cloud.
Cloud security isn’t the problem in this case. The problem is cloudy policy and administration.