Medical Cyber Security

Technology offers amazing advantages to medical practitioners, from performing teleoperated surgery to making it easier to see a patients records. Keeping medical staff and devices connected is part of the Internet of Things (IoT) which has become commonplace in everyday life. Your thermostat, calendar and cell phone all communicate and share data with each other. Your devices keep track of where you go, what you buy and how you buy it. Companies strive to keep your data safe and secured, but the breaches do occur.

When they do, you change your passwords and security questions and go about your business. That doesn’t work in the medical business however. Losing control of the da Vinci Surgery System while it’s operating inside a patient could lead to a malpractice suit or worse, a patient fatality. Cloud computing is so powerful because it gives smaller companies and organizations access to massive computing power without the investment and overhead. Cloud storage lets them seamlessly continue their operations from anywhere with an internet connection.

Medical records are protected under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and they’re extremely confidential. Allowing them to be uploaded to a cloud service makes them vulnerable. They could be intercepted during the upload or download, or be stolen in a data breach. Their is published guidance on the issue of using cloud storage or computing in conjunction with protected health information (PHI), and it’s strict. A cloud service provider (CSP) that has anything to do with PHI is considered a business associate for liability, even if all they do is store the data. The HIPAA guidance calls out that “even if the CSP processes or stores only encrypted ePHI and lacks an encryption key for the data” that they are still a business associate.

All businesses and business associates must enter a HIPAA compliant Business Associate Agreement (BAA) and the CSP is held liable for meeting the terms of the BAA and all applicable HIPAA rules. Some of these regulations include:

The Business & CSP must perform vulnerability, reliability and availability tests of their networks
Analysis of their emergency procedures, in response to a data breach or ransomware attack
Establish procedures for returning or removing data after a customer leaves
Establish Risk Management protocols and procedures that must be up to HIPAA standards

It is possible for the CSP to be exempt from some the security rules and regulations, or for the customer (the medical practice) to be exempt as well due to the actions of the other. If a customer is contracted to a CSP for no-view services only (the CSP has no decryption key and cannot see the contents of the PHI) and the customer implements unique authentication procedures on their end, then the CSP does not need to do the same, as they normally would.

CSP’s are not covered by legislation that covers transmission only services because they store and maintain the data in some way, even if they explicitly no-view services.

Currently the Office of Civil Rights (OCR), which manages HIPAA, and offers guidance on the issues pertaining to it does not officially endorse, certify or recommend any services as being HIPAA compliant. If you see a CSP claiming to be endorsed, certified or recommended by the OCR, report it to them immediately.