SaaS Data Security More Critical Now Than Ever Before in Healthcare

If, as healthcare payer and provider, you are using Software-as-a-Service (SaaS) solutions to provide better service to your patients and customers, data security might be as critical to you as your business. Healthcare industry has shifted to cloud based solutions to maintain electronic Protected Health Information (ePHI), and hence considering the sensitivity of information, it has become more important now than ever before.

In order to keep pace with growing demand, healthcare industry has faced the heat to provide faster, better, and more accessible care by adopting new technologies while complying with industry mandates like the Health Insurance Portability and Accountability (HIPAA) Act and Health Information Technology for Economic and Clinical Health (HITECH) Act.

Why Healthcare needs Data Security in SaaS applications?

It is because of the astonishing number of data breaches and attacks on healthcare data that has forced involved organizations to look for higher and stronger methods of data security at various levels, be it at physical level or application level.

According to a recent study by Symantec Corporation, approximately 39 percent of breaches in 2015 occurred in the health services sector. The same report found that ransomware and tax fraud rose as increasingly sophisticated attack tactics were being used by organized criminals with extensive resources. These criminals utilize professional businesses and adopt best business practices to exploit the loopholes prevailing in the security of ePHI. They first recognize the vulnerabilities and then exploit the weakness of unsecured system. The stolen health records are then sold in black market for ten times more value than that of stolen credit card.

In a statement given by Kevin Haley, director, Symantec Security Response, he said, “Advanced criminal attack groups now echo the skill sets of nation-state attackers. They have extensive resources and a highly-skilled technical staff that operate with such efficiency that they maintain normal business hours and even take the weekends and holidays off.”

Loopholes in Healthcare Data Security

Public cloud services are cost-efficient because the infrastructure often involves shared multitenant environments, whereby consumers share components and resources with other consumers often unknown to them. However, this model has many associated risks. It gives one consumer a chance to access the data of another and there is even a possibility that data could be co-mingled.

Cloud services allow data to be stored in many locations as part of Business Continuity Plan (BCP). It can be beneficial in case of an emergency such as a power outage, fire, system failure or natural disaster. If data is made redundant or backed up in several locations, it can provide reassurance that critical business operations will not be interrupted.

However, consumers that do not know where their data resides lose control of ePHI at another level. Knowing where their data is located is essential for knowing which laws, rules and regulations must be complied with. Certain geographical locations might expose ePHI to international laws that change who has access to data in contradiction to HIPAA and HITECH laws.

Many employees use their smartphones that do not have the capability to send and receive encrypted email. So, while answering emails at home from their phone, employees may be putting sensitive data at risk.

Bring Your Own Device (BYOD) policies also put data at risk if devices are lost or stolen. Logging on to insecure internet connections can also put business and patient information at risk. Storing sensitive data on unsecured local devices like laptops, tablets or hard drives can also expose unencrypted information at the source.


It is obvious from such startling statistics that large number of data breaches and cyber-attacks can occur only if the applications and storage of data are not secure. Also, all the employees involved should be given unique username and password and must be trained on how to keep login credentials secure apart from training sessions on Privacy and Security Rules.

Transferring data to the cloud comes with various issues that complicate HIPAA compliance for covered entities, Business Associates (BAs), and cloud providers such as control, access, availability, shared multitenant environments, incident readiness and response, and data protection. Although storage of ePHI in the cloud has many benefits, consumers and cloud providers must be aware of how each of these issues affects HIPAA and HITECH compliance.

The need of the hour is that all the involved parties must come together and take the responsibility of data security from their end till next level.

It is better to invest in securing SaaS applications and medical data instead of paying huge fines which could be in millions of dollars!

Related Posts :-

Steps to HIPAA Compliance for Cloud-Based Systems

Why Healthcare Organizations Need to Turn to Cloud