The answer is “maybe.” While top-tier services such as OneDrive, Dropbox, and Google Drive all have some strict HIPAA-level or higher security options, using these providers does not automatically make your data safe. The problem is that most cloud and data hosting providers offer various levels of security. Configuring these services can be complex.
The key to “data security” is to first understand your compliance requirements fully. Then, you must accurately configure the tool or hosting service to those requirements. In the case of Google, you must notify them that you are storing private health information (PHI) and sign their business associate agreement (BAA) before they will even activate HIPAA-level protections.
We often hear prospects say, “I’ve got Google so we’re HIPAA compliant, right?” Our next question is: “Did you sign the Business Associate Agreement?” Often the prospect says, “No. We didn’t realize that was required. We assumed that by signing up for services, we were all set.” Upon a closer technical look, we often find that their services are not adequately configured to provide the protection they need.
Securing your most valuable asset – your data – does not occur in a vacuum, and your protection is only as strong as its weakest link. So to ensure your cloud-based data is safe, we recommend using this checklist as a starting point to evaluate your security status:
- Where does your data travel to? Specifically – which devices store it after or during access? Are these devices secure? Do they require encryption? Does your data leave the country and is that legal in your particular industry?
- Are the entry points into your network or data access properly controlled, secured and defined? Remember to consider all entry points including your company Wi-Fi, mobile devices and remote workers’ home PCs.
- Who has authorization to access your data? Are they trained on your data security policies? For example, are they allowed to store data on sites like Dropbox without your knowledge?
- Is data sharing activated and if so to which devices, users or networks? Are those networks secured at the same level that you require?
- Do you require data and user access logging to prove your due diligence in protecting sensitive information such as PHI?
The best approach to cloud security is first to ensure that your data footprint is as small as possible, map out where data goes and then use a layered security approach at entry or transit points. If you have questions about your data security or are considering moving systems to the cloud or cloud-based applications, talk to your IT security professional or give us a call. We’d be happy to help you navigate through the options, pitfalls and choices to help keep your data protected and secure.