The Number One Security and Privacy Mistake You Can Make in the Cloud (and How to Avoid It)
As a payer, you know how important it is to build solid, scalable, and sustainable solutions for your customers — ones that can evolve over time to meet their changing needs. Security is also a major concern, particularly in healthcare, where there’s so much sensitive data at play and so many regulatory requirements. You have to be focused on keeping protected health information (PHI) confidential, treating every customer touch point with integrity, and recognizing the importance of both availability and the ability to scale up or down with demand.
These are just a few of the reasons why moving to the cloud makes so much sense and why the healthcare cloud computing market is projected to reach $45 billion by 2023, up from an estimated $19 billion in 2018. Not only does the cloud bring cost savings, it also allows you to scale and create a more engaging member experience. Perhaps most important of all, it saves you time and gives you the confidence that you’re compliant with regulations like HIPAA so you can focus on more important initiatives.
Unfortunately, sometimes payers make security and privacy mistakes when they go into the cloud that have serious downstream effects.
In the pages that follow, we’ll look at one of the biggest of those mistakes and provide several solutions to it. Keeping the advice outlined below in mind will help ensure that your company reaps all of the benefits of the cloud, without exposing you to unnecessary risk or waste.
Putting the Cart Before the Horse
The way some payers think about managing and protecting patient data is fundamentally flawed. That’s because they make the mistake of treating security and privacy as an afterthought, rather than starting with security and compliance and building their cloud environment around it.
And while that’s understandable on some level — they’re eager to get new solutions out to market, such as offering members new solutions for better engagement in their portals — the need for speed can be dangerous. When payers fail to build security and privacy into the design of their solutions, the results can be catastrophic. Issues that could have been addressed early on, such as ensuring that your new solution is compliant with the latest regulatory requirements, can quickly snowball into much larger problems that take more time and money to fix and leave you vulnerable to hackers.
When an organization doesn’t build with privacy by design constructs, teams wind up having to spend vast amounts of time and money trying to retrofit their product to fix a problem that they never should have had to deal with in the first place. Here’s a simple example: Imagine failing to understand the implications of collecting certain types of data through the cookies on your website. If that were to happen, you could have to overhaul the site after launch, negatively impacting the overall customer experience in the process.
The problem is that some payers don’t appreciate the impact certain regulations can have on their business. Likewise, some don’t understand when in the development lifecycle they need to work through the implications of those laws. Payers who find themselves in this situation should be asking themselves a few questions: whether they can actually do something, whether they should be doing it in the first place, and what the ramifications of doing so will be.
As a result, companies can end up spending vast sums of money trying to fix the problems that ensue. And that’s if they get lucky and are able to fix the problem before there’s a security incident and PHI is compromised. Once that happens, audits follow, as can investigations, class action lawsuits and OCR fines. In addition to the financial hit, the loss of reputation can undermine the overall success of the business they have worked so hard to build. And, worst of all, they can expose member PHI, harming the health and financial outcomes of those who trusted them.
What Do You Need to Do?
There are several things you can do to help ensure your success in the cloud. To reap the benefits of the cloud, while avoiding any potential security or privacy risk, keep the following best practices in mind:
Know where security and privacy belong in your development life cycle.
No matter what application or piece of software you’re working on, you need to take security and privacy considerations into account from the very beginning. If you’re not, figure out why and adjust accordingly. Have your security and legal teams sit in on the design phase of any application build and bake in security and privacy checks along the way, as well as compliance reviews. Unfortunately, the further along in the development process this happens, the greater your risk of failure. This means more potential rework and waste down the line.
Companies that incorporate security and privacy into everything they build from the outset are able to generate massive cost savings over time. Meanwhile, those that don’t can wind up spending roughly 1,000 times more to fix the problem after the fact than if they’d simply taken the time to think it through at the beginning of the process.
Understand all of the data you’re collecting.
Do you actually appreciate all of the different types of data you collect? Not just the data you’re purposefully collecting from your end users, but also all of the other data that inadvertently comes with it. For example, you may have a form on your website that you intend to use to capture email addresses. In reality, however, the service you’re using to make that possible may also collect the user’s IP address, information about the web browser they’re using, and more.
It’s important to understand every bit of data you’re utilizing as part of any service so you know what your responsibilities are. Involve the relevant teams to determine if you are actually permitted to collect that data (your legal team), how to best protect that data (your security team), and whether you actually need it in the first place (your tech team). Companies often wind up collecting data they don’t actually need, increasing their risk and adding the burden of having to protect it all.
Be prepared to make an organizational mind shift.
If you’re going to put security and privacy first, it can’t happen in a silo. Rather, it has to be an organization-wide initiative that starts at the top and works its way down. Practically speaking, this means it’s about more than just training people on what HIPAA is so you can check a compliance box. Rather, it’s asking whether each person in the organization knows what they have to do to deliver a product that meets all of the requirements relevant to their role. Create a culture of compliance.
The only way to do this is through understanding what each person is doing and how their role impacts the larger picture. Then, give them the education and tooling to impact the big picture positively. To be clear, making this kind of shift can be a painful process at first and won’t happen overnight. Nevertheless, it is critical to the overall success of your business.
The Way Forward
Payers already have a lot on their plate. Keeping up with the breakneck speed of change is one thing. Trying to ensure that you’re keeping all of your data private and secure, and complying with all of the relevant industry regulations, is quite another.
While moving your data to the cloud makes sense — it’s a great way to gain operational efficiencies and reduce costs — you want to make sure that you’re partnering with a vendor that can really help you.
Any cloud service provider can get you into the cloud. Very few have the healthcare expertise and deep regulatory knowledge to not only ensure that the transition is smooth, but also that your data is secure and you’re compliant with the latest regulatory requirements.
Bear in mind that while some payers may choose to move all of their data to the cloud at once, it doesn’t have to be all or nothing. You can also start incrementally and partner with a vendor that has healthcare and cloud expertise and can advise you on which workloads to move first.
No matter what approach works best for you, finding the right partner is critical to minimizing your risk while staying focused on business objectives.
“Healthcare Cloud Computing Market to Hit 18.2% Growth Rate, led by PACS, EMR/HER, VNA, PHM and RECM by 2023” (2018, Aug 6). PR Newswire. Retrieved from https://www.prnewswire.com/news-releases/healthcare-cloud-computing-market-to-hit-18-2-growth-rate-led-by-pacs-emr-her-vna-phm-and-recm-by-2023-816151881.html