“Being in the cloud means you may have other companies using that same platform, because you’re sharing a server,” says Randy Rupp, security and compliance analyst with ICS Medtech. “If one of those companies is not secure, and the provider doesn’t hold everyone to a standard, then you’re exposed.”
Practices now host far more than electronic health records (EHRs) in the cloud. Other data and services include records backups, email, Microsoft Office 365, data analytics and, more recently, VDI (virtual desktop infrastructure) systems.
A VDI device connects to a monitor and turns it into a virtual computer: the operating system, software and files are hosted in the cloud, and the device on the desk is only a thin client. “So you don’t have to invest in the software or physical hardware of a computer, like a tower or hard drive,” Rupp says.
“The VDI is more secure for the client as long as the person hosting it is doing their job,” says Curtis Woods with Dynamic Quest. The same holds for anything hosted in the cloud, though vulnerabilities still exist.
“There have been a few cloud-based EMRs that have had a breach,” Rupp says. He knows of seven clients who got infected with ransomware because they were all hosted in the same data center. “They’re still triaging it.”
“You could be at risk with a cloud EMR,” Woods says. “But good companies do not allow access to the servers.” Configured properly, only the EMR application is published from the cloud; the user’s computer gets a session to that application, not a network path to the server behind it. Other files that open on the user’s computer – such as ransomware – therefore have no direct avenue into the EMR’s server.
“The risk is always there, though,” Woods says. “Nothing is flawless.” Closely vetting cloud providers, however, goes a long way toward reducing that risk.
The cloud provider should spell out everything in understandable terminology in the contract. “How will this keep me secure and how are you going to prove it?” Rupp says. “Get a third-party advisor to look at it if you don’t have the tech knowledge.”
Ensure the contract spells out details, such as the exact location of their servers. “You want to be in a Tier 2 data center where you have multiple internet paths, multiple grids, and a generator backup,” Woods says. “Because if they’re down, you’re down.”
Because cloud-based EHRs should be a closed environment – unreachable by other software on the client’s system – “they should only be opening their system to do upgrades and then it’s closed again,” Woods says.
Any such window, however, is an opportunity for attack, and the cost of a breach can be enormous. In Target’s 2013 breach, attackers who had gained a foothold on the retailer’s network through a third-party vendor’s credentials took 40 million credit card numbers and 70 million addresses, phone numbers and other pieces of personal information.
“It’s important for clients to understand how their EMR company reports breaches back to their customers and how long that takes,” Woods says. Some states, like California, have laws requiring companies to report breaches almost immediately. “Most don’t, though. It has to be reported, obviously, but you might find out about it 30 days later after they’ve done an investigation, which could mean HIPAA fines for the client,” Woods says.
When using the cloud, “you are just as liable as the company that got breached,” Rupp says. “It may not seem fair, but the due diligence is not just on the provider of the service but on you. Because you’re supposed to do checks before you go into an agreement like that.”
Rupp knows of one practice using a cloud-based EMR that got attacked by ransomware. And then got breached again. “They had backups but they didn’t know those backups were infected. Six months later, they got hit by the ransomware again,” he says. The EMR provider did not have adequate safeguards in place. It cost thousands to replace the server and reload the data.
“Never put all your eggs in one basket,” Rupp says. “If you’re using the cloud, back up your data to local storage.” Local storage means immediate access to the data, as long as the practice has a server on hand that can run that data. “If the EMR uses a name-brand server with a proprietary database, you may need that exact kind of server handy to use your backup.”
Practices can also enlist a business continuity and disaster recovery provider who can back up any server. “So if any connection is lost with your EMR or data,” Rupp says, including from a lost internet connection, weather disaster, or malware, “they can spin up an exact copy and have you running.”
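The reinfection Rupp describes happens when a backup is restored without anyone checking that it is still the data that was backed up. The following is an added example, not code from the article or from either firm quoted in it. It assumes the backup job writes a manifest of SHA-256 hashes at backup time and keeps that manifest somewhere the live system cannot rewrite (offline or immutable storage); before a restore, the backup set is compared against the manifest and scanned for two common ransomware artifacts, plain-text exports that now look like random bytes and dropped ransom notes (the note file names used here are hypothetical). The sample backup set is constructed inside the script.

```python
"""Verify a backup set before restoring it.

Added example (not from the article). Assumes a SHA-256 manifest captured at
backup time and stored separately from the data it describes.
"""
import hashlib
import math
import tempfile
from collections import Counter
from pathlib import Path

# Hypothetical ransom-note file names; real incidents use many variants.
RANSOM_NOTE_NAMES = {"how_to_recover_files.txt", "readme_to_decrypt.txt"}
# Formats that should be readable text; ciphertext approaches 8 bits/byte.
TEXT_SUFFIXES = {".txt", ".csv", ".xml", ".json", ".hl7"}
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the given content (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _files(root: Path) -> dict:
    return {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}


def build_manifest(root: Path) -> dict:
    """Run at backup time: relative path -> SHA-256 for every file in the set."""
    return {rel: sha256_file(p) for rel, p in sorted(_files(root).items())}


def verify_backup(root: Path, manifest: dict) -> dict:
    """Run before restore: compare against the manifest and look for ransomware signs."""
    findings = {"modified": [], "missing": [], "unexpected": [], "suspicious": []}
    present = _files(root)
    for rel, expected in manifest.items():
        p = present.get(rel)
        if p is None:
            findings["missing"].append(rel)
        elif sha256_file(p) != expected:
            findings["modified"].append(rel)
    for rel, p in present.items():
        if rel not in manifest:
            findings["unexpected"].append(rel)
        looks_encrypted = (p.suffix.lower() in TEXT_SUFFIXES
                           and shannon_entropy(p.read_bytes()) > ENTROPY_THRESHOLD)
        if p.name.lower() in RANSOM_NOTE_NAMES or looks_encrypted:
            findings["suspicious"].append(rel)
    return findings


def safe_to_restore(findings: dict) -> bool:
    """True only when every category of finding is empty."""
    return not any(findings.values())


def demo():
    """Constructed scenario: a clean backup, then the same set after a ransomware hit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "records").mkdir()
        (root / "records" / "patients.csv").write_text(
            "mrn,name,dob\n1001,Doe,1970-01-01\n1002,Roe,1982-05-09\n")
        (root / "config.json").write_text('{"db": "emr", "version": 3}\n')
        manifest = build_manifest(root)          # taken when the backup was made
        clean = verify_backup(root, manifest)
        # Simulate ransomware: the export becomes ciphertext-like bytes (every
        # byte value equally often, so entropy is exactly 8.0) and a note appears.
        (root / "records" / "patients.csv").write_bytes(bytes(range(256)) * 16)
        (root / "how_to_recover_files.txt").write_text("Your files are encrypted.\n")
        infected = verify_backup(root, manifest)
    return clean, infected


if __name__ == "__main__":
    clean, infected = demo()
    print("clean set safe to restore:", safe_to_restore(clean))
    print("infected set safe to restore:", safe_to_restore(infected), infected)
```

The manifest is what makes this work: a hash list stored beside the backup is just one more file for the ransomware to rewrite, so it has to live on media the backup host cannot modify. The entropy check is a heuristic for text formats only; compressed or already-encrypted archives are legitimately high entropy and would need the hash comparison alone.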
Not everything in the cloud is secure. The typical applications, like business-grade email, should be reasonably well protected, though file sharing remains a weak spot. EHRs, however, have come a long way. “Cloud-based EMR is getting pretty mature,” Woods says. “In the early days, we’d have been having a different conversation.”