Security Considerations for Running Your Medical Practice Management Software in the Cloud

The responsibility of all health care providers is not just medicine. Healthcare providers and medical practitioners are also responsible for protecting their patent’s most sensitive information.  This requires a cultural shift in thinking for many practices, and unfortunately too many practices have been slow to adapt. As a consequence, the Australian Government has made some changes to the rules for software providers connecting to the Medicare system for processing payments.  This is preventative measure and in addition to last years’ Notifiable Data Breach legislation.

Understanding Cloud-Based Software

A lot of data gets stored on “the cloud” these days. However, not everybody understands what that means exactly.

The cloud refers to remote servers capable of storing and accessing data programs over the internet rather than a computer in your office. The actual process is called cloud computing.

The computing part may comprise file storage and sharing, e-mail, inventory management, data collection, accounting information, etc. This is all done by the remote servers at the data centers owned and provided by a third-party cloud service infrastructure provider. Typically you would rent the computing resources and associated software as a service, rather than purchase outright and have to manage, maintain and secure everything yourself.

This allows businesses to cut costs on the expensive hardware and maintenance needed to store all of their necessary information. While this makes for a great technological solution, it can also leave sensitive information vulnerable to digital criminals—otherwise known as hackers.

Hackers are the last people you want with your most sensitive and private information.

Why Should Doctors and Practice Managers Care?

Today with everything online, hackers are the biggest threat to any business. But the most vulnerable of all is arguably the health sector. Medical practices far and wide contain databases with some of the most sensitive information there is. Patient information, hospital records and the like are all at stake without the proper security implementations.

According to the Office of Australian Information Commissioner (OAIC), the health sector encounters more data breaches than any other industry on a regular basis. The majority of these data breaches are noted to be criminal attacks, while the rest are due to both human and system errors.

To keep information secure from invisible criminals, it must be unreachable. However, this is not necessarily an option in the health sector since patient information must be reachable by multiple parties. Those parties include medical practitioners, specialists, hospitals and healthcare centers, Medicare and private funding for health care.

This is exactly what leaves the health sector so vulnerable to data breaches.

The Dark Web and Your Information

You’re probably wondering where all of that sensitive information ends up during a successful data breach. While there are those hired to hack servers for specific information, there are also those who hack to sell information to the highest bidder.

In other words, any sensitive information obtained during a breach will most likely wind up on the dark web. What began as a way to purchase illicit drugs, dark web marketplaces have expanded to sex trafficking, weapons dealings, and things of a much worse caliber.

So why should the dark web matter to the health sector?

Simply put, fraud and identity theft—that’s why. Now, any business with holes in their security can fall victim to stolen personal data. This includes Medicare policy numbers, bank account numbers, credit card information, and other private documents that may be of value.

Individual health records can be worth up to USD $30 each on the dark web since the data is so useful in social engineering attacks on individuals.

Once information is stolen and broadcast over the dark web, not much can be done about it. Hospitals and private practices who lose their patients’ private information are susceptible to fines, lawsuits, damage to their brand, and in the worst case risk of losing their status or entire practice.

The Australian Government is Cracking Down

To help address this threat and to keep businesses who use cloud services safe, the Australian government has recently implemented new requirements for third-party service providers. This is a part of the Digital Transformation Agency’s Software Cloud Strategy.

The Department of Human Services (DHS) has adopted the Secure Cloud Strategy in an effort to tighten the security for all parties that connect with the department. Those parties all refer to the health sector.

Part of their requirements are for applicable Australian software companies to complete am accreditation and compliance process. The accreditation process includes a certification known as the Certified Cloud Services List (CCSL). The companies also have to be vetted by the Australian Government Security Vetting Agency (AGSVA).

Third-party cloud service providers with a negative vetting clearance are encouraged to be physically separated from sensitive information. They are also encouraged to be restricted from the access of citizens’ private information.

Under this same strategy, the DHS requires that all third-party software companies only use on-shore solutions. In other words, any and all third-party software companies used within the DHS are limited to Australian companies only.

Changes such as these take time. In the meantime, there are a number of security of measures which healthcare providers can take.

Next Steps: What You Should Be Asking Your Cloud Service Provider

While you may not be totally up to date on the new requirements that comply with the DHS, your software company is – or at least, it should be. If your practice or company utilizes third-party software that connects with the DHS or Medicare, there are questions you can ask to ensure the safety of your patients’ information:

• Is patient data stored in the cloud?
• Is your cloud service provider certified by the Australian Signals Directorate (ASD)?
• Is all data located/backed-up in Australia?
• Is my data stored in a publicly accessible cloud?
• Can they guarantee that their engineers and technical staff maintain the high security clearance measures of the DHS?

Of course, no matter how prepared you think you are, a data breach can still happen. In this case, you should equip yourself with knowledge of the data breach notification laws in Australia.