SaaS Data Security More Critical Now Than Ever Before in Healthcare

If, as a healthcare payer or provider, you use Software-as-a-Service (SaaS) solutions to serve your patients and customers better, data security may be as critical to you as the business itself. The healthcare industry has shifted to cloud-based solutions for maintaining electronic Protected Health Information (ePHI), and given the sensitivity of that information, securing it has become more important now than ever before.

To keep pace with growing demand, the healthcare industry has been under pressure to provide faster, better and more accessible care by adopting new technologies, while complying with industry mandates such as the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Why Does Healthcare Need Data Security in SaaS Applications?

The astonishing number of data breaches and attacks on healthcare data has forced the organizations involved to look for stronger methods of data security at every level, whether physical or application level.

According to a recent study by Symantec Corporation, approximately 39 percent of breaches in 2015 occurred in the health services sector. The same report found that ransomware and tax fraud rose as increasingly sophisticated attack tactics were used by organized criminals with extensive resources. These criminals run themselves like professional businesses and adopt best business practices to exploit the loopholes in the security of ePHI. They first identify the vulnerabilities and then exploit the weaknesses of unsecured systems. The stolen health records are then sold on the black market for ten times the value of a stolen credit card.

In a statement, Kevin Haley, director of Symantec Security Response, said: “Advanced criminal attack groups now echo the skill sets of nation-state attackers. They have extensive resources and a highly-skilled technical staff that operate with such efficiency that they maintain normal business hours and even take the weekends and holidays off.”

Loopholes in Healthcare Data Security

Public cloud services are cost-efficient because the infrastructure often involves shared multitenant environments, in which consumers share components and resources with other consumers who are often unknown to them. However, this model carries many associated risks. It can give one consumer a chance to access the data of another, and there is even a possibility that data could be co-mingled.
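The cross-tenant access risk described above is, at the application layer, a missing tenant filter on a shared table. The following added example (not code from the original post) contrasts an unscoped record lookup with a tenant-bound repository over a constructed SQLite table; the table name `ephi`, the tenant ids `clinic-a` and `clinic-b`, and the sample rows are all assumptions made for the illustration.

```python
import sqlite3

# Constructed sample data: two tenants (covered entities) whose records share
# one physical table, as in a multitenant SaaS back end. MRNs and record
# contents are made up for this example.
SAMPLE_ROWS = [
    (1, "clinic-a", "MRN-0001", "Patient A1, lab result"),
    (2, "clinic-a", "MRN-0002", "Patient A2, radiology report"),
    (3, "clinic-b", "MRN-0003", "Patient B1, pharmacy order"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory shared table with a tenant_id column on every row."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE ephi (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, "
        "mrn TEXT NOT NULL, record TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO ephi VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def fetch_record_unscoped(conn: sqlite3.Connection, record_id: int):
    """Weak pattern: the lookup keys on id alone, so code running on behalf of
    one tenant returns another tenant's ePHI if it supplies that tenant's id."""
    return conn.execute(
        "SELECT tenant_id, mrn, record FROM ephi WHERE id = ?", (record_id,)
    ).fetchone()


class TenantScopedRepo:
    """Hardened pattern: the repository is bound to the tenant id taken from the
    authenticated session (never from the request), and every query carries
    it, so forgetting a WHERE clause cannot expose another tenant's rows."""

    def __init__(self, conn: sqlite3.Connection, tenant_id: str):
        self.conn = conn
        self.tenant_id = tenant_id

    def get(self, record_id: int):
        return self.conn.execute(
            "SELECT mrn, record FROM ephi WHERE id = ? AND tenant_id = ?",
            (record_id, self.tenant_id),
        ).fetchone()

    def list_mrns(self) -> list:
        rows = self.conn.execute(
            "SELECT mrn FROM ephi WHERE tenant_id = ? ORDER BY id",
            (self.tenant_id,),
        )
        return [r[0] for r in rows]


if __name__ == "__main__":
    conn = build_db()
    # Unscoped lookup from clinic-a's code path reaches clinic-b's record.
    print("unscoped:", fetch_record_unscoped(conn, 3))
    repo = TenantScopedRepo(conn, "clinic-a")
    print("scoped, foreign id:", repo.get(3))   # None: isolated
    print("scoped, own ids:", repo.list_mrns())
```

The scoped repository returns `None` for a record id that belongs to another tenant, which is the behaviour an application-level isolation test should assert on; the same check belongs in the provider's own test suite for every query path that touches shared storage.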

Cloud services allow data to be stored in many locations as part of a Business Continuity Plan (BCP). This can be beneficial in an emergency such as a power outage, fire, system failure or natural disaster. If data is made redundant or backed up in several locations, it provides reassurance that critical business operations will not be interrupted.

However, consumers who do not know where their data resides lose control of ePHI at another level. Knowing where the data is located is essential for knowing which laws, rules and regulations must be complied with. Certain geographical locations might expose ePHI to international laws that change who has access to the data, in contradiction with HIPAA and HITECH.

Many employees use smartphones that lack the capability to send and receive encrypted email. So, while answering work emails from their phones at home, employees may be putting sensitive data at risk.

Bring Your Own Device (BYOD) policies also put data at risk if devices are lost or stolen. Logging on to insecure internet connections can also put business and patient information at risk. Storing sensitive data on unsecured local devices such as laptops, tablets or hard drives can likewise expose unencrypted information at the source.


It is obvious from such startling statistics that a large number of data breaches and cyber-attacks can occur only when applications and data storage are not secure. Also, every employee involved should be given a unique username and password and must be trained to keep login credentials secure, in addition to training sessions on the Privacy and Security Rules.

Transferring data to the cloud comes with various issues that complicate HIPAA compliance for covered entities, Business Associates (BAs) and cloud providers: control, access, availability, shared multitenant environments, incident readiness and response, and data protection. Although storing ePHI in the cloud has many benefits, consumers and cloud providers must be aware of how each of these issues affects HIPAA and HITECH compliance.

The need of the hour is for all the parties involved to come together and each take responsibility for data security from their end through to the next level.

It is better to invest in securing SaaS applications and medical data than to pay huge fines, which could run into millions of dollars!


Steps to HIPAA Compliance for Cloud-Based Systems

The rapid growth of cloud computing has also led to a rapid growth in concerns about security and privacy in cloud-based infrastructure. Hence, such concerns create a strong requirement for healthcare organizations to understand and implement cloud computing while remaining compliant with the Health Insurance Portability and Accountability Act (HIPAA).

The benefits offered by cloud-based technology are too good to let go. The agility and flexibility that can be gained by utilizing public, private and hybrid clouds are quite compelling. We need a cloud-based environment that can provide secure and HIPAA-compliant solutions.

But how do you achieve HIPAA compliance with the cloud?


Image Source: Mednautix

Follow the steps below to better understand how to ensure HIPAA compliance and reduce your risk of a breach.

1. Create a Privacy Policy

Create a comprehensive privacy policy and make sure your employees are aware of it.

2. Conduct Training

Having a privacy policy in place isn’t enough; you also need to make sure it is implemented. For that, employees must be given all the required training during the onboarding process. You should also require this training for all third-party vendors. Develop online refresher courses on HIPAA security protocols and make it mandatory for all employees and vendors to complete them at regular intervals.

3. Quality Assurance Procedure

Make sure all quality assurance standards are met and are HIPAA compliant. Conduct surprise drills to find loopholes, if any.

4. Regular Audits

Perform regular risk assessments to estimate the probability of a HIPAA breach and evaluate the potential legal, financial and reputational damage to your business. Document the results of your internal audits and the changes that need to be made to your policies and procedures. Based on those results, review the audit procedure itself and update it with the necessary changes.

5. Breach Notification SOP

Create a standard operating procedure (SOP) document detailing the steps to be taken to avoid a breach, and the steps to follow if a patient data breach does occur.

Most often you will have a cloud service provider who takes care of a wide range of requirements, from finding resources and developing and hosting apps to maintaining the cloud-based infrastructure. While the primary responsibility for HIPAA compliance falls on the healthcare company, compliance requirements can extend to the cloud service provider as a “business associate”.

Are your cloud service providers HIPAA business associates?

Figuring out whether your cloud service provider counts as a HIPAA business associate can be tough, and the answer may vary depending on the type of cloud usage. Where the cloud provider is an active participant, it must also adhere to security requirements such as encryption, integrity controls, transmission protections, monitoring, management, employee screening and physical security.

Investing in HIPAA compliance procedures can save you from many hassles. Follow these steps and minimize your risk of being found noncompliant.

Ransomware on the Rise: What You Can Do To Protect Your Organisation From The Attack

Ransomware is malicious software used by cyber criminals to hold your computer files or data hostage and demand a payment from you to release them. It is a popular method used by malware authors to extract money from organisations and individuals. Different ransomware varieties get onto a person’s computer in different ways, but the most common techniques are to install software or to use social engineering tactics, such as displaying fake messages from a law enforcement department, to attack a victim’s computer. The criminals do not restore access until the ransom is paid.

Ransomware is very scary because files, once damaged, are almost beyond repair. But you can survive such an attack if you have prepared your systems. Here are a few measures that will help you protect your organisation from the attack.

Data Backup

To defeat ransomware, it is important to back up your data regularly. Once attacked, you lose access to all your documents; but if you can clean your machine and restore your system and documents from backup, you need not worry. So back up your files to an external hard drive or backup service; then, after an attack, you can wipe the computer and start over with a fresh setup.
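A backup only helps against ransomware if you can tell a clean copy from a damaged one and actually restore it. The added example below (not code from the original post) writes a backup together with a SHA-256 manifest, detects files in the live tree that no longer match the manifest, and verifies a restore; the directory layout, the `MANIFEST.json` file name and the sample record files are assumptions constructed for the illustration.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large records do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, dest: Path) -> dict:
    """Copy every file under source into dest and record relative path -> hash.
    The manifest is what later tells you whether a copy is still intact."""
    manifest = {}
    for file in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = file.relative_to(source)
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(file, target)
        manifest[rel.as_posix()] = sha256_file(target)
    (dest / "MANIFEST.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_tree(root: Path, manifest: dict) -> list:
    """Return manifest entries that are missing or whose content changed."""
    problems = []
    for rel, digest in manifest.items():
        p = root / rel
        if not p.is_file() or sha256_file(p) != digest:
            problems.append(rel)
    return problems


def restore_backup(backup: Path, target: Path) -> list:
    """Copy the backup into target and verify it against the stored manifest.
    An empty result means the restore matches what was backed up."""
    manifest = json.loads((backup / "MANIFEST.json").read_text())
    for rel in manifest:
        out = target / rel
        out.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(backup / rel, out)
    return verify_tree(target, manifest)


def demo() -> dict:
    """Back up constructed sample files, simulate one being overwritten by
    ransomware, then show detection and a verified restore."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        live, backup, restored = root / "live", root / "backup", root / "restored"
        (live / "records").mkdir(parents=True)
        (live / "records" / "patient-0001.txt").write_text("constructed sample record\n")
        (live / "notes.txt").write_text("constructed clinic notes\n")

        manifest = make_backup(live, backup)
        # Simulated damage: the live file is replaced with unreadable content.
        (live / "notes.txt").write_bytes(b"\x00constructed-encrypted-blob\x00")

        return {
            "files_backed_up": len(manifest),
            "damaged_live_files": verify_tree(live, manifest),
            "restore_problems": restore_backup(backup, restored),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest check is also how a periodic restore drill can be automated: restore into a scratch directory and fail the drill if `restore_backup` reports any mismatch. Keep the backup medium detached from the network between runs, since a backup that stays mounted is just another set of files for the ransomware to encrypt.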

Use Reputable Security Precautions

Using both antivirus software and a firewall will help protect you. It is critical to keep the software up to date and maintain a strong firewall; otherwise an attacker can easily exploit security holes. Also, purchase antivirus software from a reputable company, because there is a lot of fake security software around.

Ransomware Awareness Training

It is important to be aware of cyber security issues and to be properly trained to identify phishing attempts. Creating awareness among staff helps them take action and deal with ransomware. As the methods used by attackers constantly change, it is necessary to keep your users up to date. Also, it is tough for untrained users to question the origin of a well-crafted phishing email. So providing security training to staff is the best way to prevent malware infection through social engineering.

Disconnect from the Internet

If you are suspicious about a file or receive a ransom note, immediately stop communicating with the server. By disconnecting from the internet you may lessen the damage, as it takes some time to encrypt all your files. This isn’t foolproof, but disconnecting is better than nothing, and you can always reinstall software if you have backed up your data.

Check File Extensions

Always show full file extensions; it makes suspicious files easier to spot. If possible, filter email attachments by extension; for example, you can block mails carrying ‘.EXE’ files. If you need to exchange .EXE files within your organisation, it is better to use password-protected ZIP files.
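An attachment filter that checks only the last extension misses renamed and double-extension files, which is why the full name and the file content both matter. The added example below (not code from the original post) inspects constructed sample attachments on three counts: every suffix in the name, the `MZ` header that Windows executables carry regardless of name, and the contents of an unencrypted ZIP. The block list defaults to `.exe` as the post suggests; a real mail gateway policy would extend it, and the helper and sample names are assumptions made for the illustration.

```python
import io
import zipfile

# The post's example policy: block .EXE attachments. Extend as your policy requires.
DEFAULT_BLOCKED = frozenset({".exe"})


def full_extension(filename: str) -> list:
    """All suffixes, lower-cased: 'report.pdf.exe' -> ['.pdf', '.exe'].
    Looking at every suffix rather than the last one exposes double extensions."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]]


def looks_like_windows_exe(data: bytes) -> bool:
    """PE executables begin with the 'MZ' DOS stub whatever they are named."""
    return data[:2] == b"MZ"


def inspect_attachment(filename: str, data: bytes, blocked=DEFAULT_BLOCKED) -> dict:
    """Return a verdict and the reasons for it; allow only when nothing matched."""
    reasons = []
    suffixes = full_extension(filename)
    last = suffixes[-1] if suffixes else ""
    if last in blocked:
        reasons.append("blocked extension " + last)
        if len(suffixes) >= 2:
            reasons.append("double extension " + "".join(suffixes))
    if looks_like_windows_exe(data) and last not in blocked:
        reasons.append("PE header under non-executable name")
    if data[:4] == b"PK\x03\x04":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    inner = full_extension(info.filename)
                    # Bit 0 of flag_bits marks an encrypted (password-protected)
                    # entry, which the post's policy permits for internal exchange.
                    encrypted = bool(info.flag_bits & 0x1)
                    if inner and inner[-1] in blocked and not encrypted:
                        reasons.append("unencrypted archive contains " + info.filename)
        except zipfile.BadZipFile:
            reasons.append("malformed zip")
    return {"filename": filename, "allow": not reasons, "reasons": reasons}


def _build_zip(entries: dict) -> bytes:
    """Build a small unencrypted ZIP in memory for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed sample attachments (name, bytes); none is a real file.
SAMPLE_ATTACHMENTS = [
    ("invoice.pdf", b"%PDF-1.4 constructed sample"),
    ("invoice.pdf.exe", b"MZ\x90\x00 constructed fake executable"),
    ("photo.jpg", b"MZ\x90\x00 constructed renamed executable"),
    ("tools.zip", _build_zip({"setup.exe": b"MZ\x90\x00 constructed"})),
]


def scan_all(attachments=SAMPLE_ATTACHMENTS) -> dict:
    """Map each attachment name to its verdict."""
    return {name: inspect_attachment(name, data) for name, data in attachments}


if __name__ == "__main__":
    for name, verdict in scan_all().items():
        print(name, "ALLOW" if verdict["allow"] else "BLOCK", verdict["reasons"])
```

Only `invoice.pdf` passes; the double-extension file, the executable renamed to `.jpg` and the plain ZIP wrapping an executable are all flagged with the reason recorded, which is what you want logged at the gateway so the block can be reviewed.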

Exercise Caution, Warn Authorities, Never Pay

Avoid links inside emails and suspicious websites. It is better to use another computer to research details if your PC comes under attack. Also, inform the local FBI office or cybercrime authority about the attack. Finally, never pay: it would be a mistake, because the criminals may keep demanding more and may not release your information anyway. Taking precautions to protect your data and staying alert are the best ways to prevent a ransomware attack.

In reality, dealing with ransomware requires an effective backup plan so that you can protect your organisation from the attack.

Why Healthcare Organizations Need to Turn to Cloud

It is important for every healthcare organization to develop an effective IT roadmap in order to provide the best services to customers and patients. Most healthcare payers and providers are moving to cloud-based IT infrastructure to realize benefits that were once considered unimaginable.

But, before moving ahead, let’s check out some industry statistics and research studies.

Healthcare Organizations and Cloud Computing Statistics

[Chart: healthcare organizations and cloud computing statistics. Source: Dell GTAI]

According to Dell’s Global Technology Adoption Index 2015, adoption of cloud technology in healthcare increased from 25% in 2014 to 41% in 2015 alone.

Spending on cloud computing – or, in simpler terms, hosted medical services – in global healthcare was $4.2bn in 2004, and it is projected to grow by 20% every year until 2020, reaching $12.6bn.

North America is the biggest consumer of cloud computing services, and by 2020 its spending on cloud-based solutions will reach $5.7bn.

What Kind of Data Can Be Moved to the Cloud?

Critical healthcare applications can be hosted on a cloud platform to increase their accessibility and availability. Apart from these, the hardware, software and data listed below can also be moved to the cloud.

  • Email
  • Electronic Protected Health Information (ePHI)
  • Picture archiving and communication systems
  • Pharmacy information systems
  • Radiology information systems
  • Laboratory information systems
  • Disaster recovery systems
  • Databases & backup data

Why Should Healthcare Organizations Move to the Cloud?

1. Low Cost

Healthcare organizations can reduce IT costs significantly by moving to the cloud. Cloud-based software requires fewer resources for development and testing, which implies fewer resources for maintenance and more robust solutions at a lower cost. It is believed that over a period of 10 years, cloud-based applications cost 50% less than traditional in-house hosted applications.

2. More Accessibility

It is important that healthcare data be available to doctors as quickly as possible so that they can diagnose and analyze a patient’s condition promptly and take the right steps to improve it. Cloud computing also improves web performance for users in remote locations without having to build out additional data centers.

3. Higher Flexibility

Cloud-based platforms allow organizations to scale up or down based on their needs. With conventional on-premise solutions, it can be tough to align physical infrastructure quickly with varying demand. Migrating to the cloud helps deploy scalable IT infrastructure that adjusts itself to requirements, making sure resources are always available when needed.

4. Improved Efficiency

Moving to the cloud also helps avoid money being spent on infrastructure that ends up under-utilized. With early access to a wide range of data, businesses can gather valuable insights into the performance of their systems and plan their future strategy accordingly. Pharmaceutical companies, hospitals and doctors can focus on their core objective – giving the best possible treatment and service to patients – while cloud service providers take care of their IT needs.

5. More Reliability

Cloud-based software remains available 24x7 from anywhere to any authorized person with an internet connection. Apart from that, its distributed architecture makes it easier to recover from losses due to natural disasters.

The cloud’s resiliency and high availability make it a cost-effective alternative to on-site hosted solutions. However, security has been a major barrier to cloud adoption in many verticals. It is especially critical in the healthcare industry, which is regulated by the HIPAA and HITECH Acts, and it plays a major role in such organizations’ decisions to move their data into a public cloud app.