Important Considerations for File Sharing and Cloud Computing
Included in recent guidance regarding file sharing and cloud computing published by the Office for Civil Rights (OCR) were recent survey results regarding file sharing and collaboration tools used by organizations from a variety of industries including the healthcare industry. Results of the survey revealed:
- Just under half of the surveyed organizations stated they had at least one confirmed file sharing data breach in the last two years.
- Respondents of the survey listed their top security concerns as temporary workers, contractors, or third parties accessing data they should not see; followed by employees accidently exposing data; and broken security management processes.
- 28% of respondents listed external hackers as one of their top concerns.
According to OCR, misconfigurations of file sharing and collaboration tools, as well as cloud computing services, are common issues that may result in the disclosure of sensitive data. This is because access, authentications encryption or other security controls, are either disabled or left with default settings, which can lead to unauthorized access to or disclosure of data.
File Sharing and Cloud Computing Guidance
- Security Risk Analysis and Risk Management – misconfiguration and errors should be detected as part of an organization's Security Risk Analysis. From there, a corrective action plan must be in place to address the identified deficiencies, including adoption of policies to ensure risks are reduced to a reasonable and appropriate level.
- Training – all employees must understand safe file sharing and cloud computing practices. Employees should be trained on your organization's policies and procedures, and any updates. Employees should understand the importance of accessing only the minimum necessary information needed to complete and intended task, and how to properly safeguard any ePHI that will be transmitted or stored.
- Business Associate Agreements – a cloud services provider is a business associate when a covered entity or business associate engages the services that required the cloud service provider to create, receive, maintain, or transmit ePHI on its behalf. A HIPAA compliant Business Associate Agreement is required between the covered entity or business associate and the cloud service provider.
Did you know Healthcare Compliance Pros can help you with these requirements and more? Feel free to contact us with any questions, by phone 855-427-0427 or by email [email protected].