Evaluating and choosing healthcare cloud services providers

As healthcare moves from on-premise to cloud services, the evaluation and selection of “HIPAA compliant” cloud service providers becomes an important task. I don’t like the description “HIPAA compliant” because it’s imprecise and not meaningful. However, it’s something that many non-technical people look for when evaluating providers so I’m using it here. My friend Alex Ginzburg, VP of Technology at Intervention Insights, and I have done this kind of healthcare cloud services provider evaluation and selection many times so it was natural for me to reach out and ask him to provide some guidance for the community. ...

Who should be held accountable for risk management and cybersecurity in healthcare institutions?

_I’ve been involved in building many life-critical and mission-critical products over the last 25 years and have found that, finally, cybersecurity is getting the kind of attention it deserves. We’re slowly and steadily moving from “HIPAA Compliance” silliness into a more mature and disciplined professional focus on risk management, continuous risk monitoring, and actual security tasks concentrating on real technical vulnerabilities and proper training of users (instead of just “security theater”). ...

Encryption at rest and encryption in transit for HIPAA compliance are not easy questions to answer

Given the number of breaches we’ve seen this summer at healthcare institutions, I’ve just spent a ton of time recently on several engineering engagements looking at “HIPAA compliant” encryption (HIPAA compliance is in quotes since it’s generally meaningless). Since I’ve heard a number of developers say “we’re HIPAA compliant because we encrypt our data” I wanted to take a moment to unbundle that statement and make sure we all understand what that means. ...

Guest Article: Secure message exchange using the Direct Protocol is not a myth, there really are people using it

I recently chaired a couple of conferences and my next HealthIMPACT event is coming up later this month in NYC. At each one of the events, and many times a year via Twitter and e-mail, I am asked whether the Direct Project is successful, worth implementing in health IT projects, and if there are many people sending secure messages using Direct. To help answer these questions, I reached out to Rachel A. ...

The causes of digital patient privacy loss in EHRs and other health IT systems

This past Friday I was invited by the Patient Privacy Rights (PPR) Foundation to lead a discussion about privacy and EHRs. The discussion, entitled “Fact vs. Fiction: Best Privacy Practices for EHRs in the Cloud,” addressed patient privacy concerns and potential solutions for doctors working with EHRs. While we are all somewhat disturbed by the slow erosion of privacy in all aspects of our digital lives, the rather rapid loss of patient privacy around health data is especially unnerving because healthcare is so near and dear to us all. ...

Guest Article: 8 Mistakes to Avoid when Securing Cloud Services

There’s solid demand these days for services like DropBox.com or Box.net that allow easy but secure file sharing to occur with proper privacy restrictions and audit tracking. I was pleasantly surprised to learn that there are a few companies, such as FolderGrid, trying to solve the problem of HIPAA-compliant file sharing. What FolderGrid is doing, though, is quite unique in healthcare – creating infrastructure software for other health IT developers to build on top of. ...