How Healthcare Organizations Can Securely Transition to the Cloud

by Austin Herrington
December 13, 2018

The paramount role of security and protecting patient data in healthcare poses unique concerns for healthcare organizations that transition to cloud-based unified communications (UC). The dilemma: How can we ensure we’re not introducing new vulnerabilities that compromise compliance and introduce risk? The key is to partner with a UC service provider that is focused squarely on healthcare to minimize the possibility of damages.

The inherent security advantage in cloud-based UC

Transitioning to cloud-based UC can inherently improve security, as it eliminates the costly and resource-intensive burden of maintaining a legacy PBX system. When a locally hosted PBX falls behind the latest security standards, it becomes vulnerable to cyberattacks. This is especially risky as, according to a report by the U.S. Department of Health and Human Services, nearly three out of four hospitals do not have a designated security professional on staff.


Partnering with a cloud UC provider shifts the burden of communications security to the UC service provider – an essential first step. By following a few important additional steps, you can ensure that your organization is optimally covered.

Validating the UC provider’s compliance

While many UC providers meet the basic standards of HIPAA compliance, those most dedicated to healthcare undergo third-party HIPAA HITECH assessments. Successfully completing this assessment provides peace of mind that the provider can back up its claims of HIPAA compliance with an impartial, objective review covering a wealth of critical items that include:

  • Breach notifications
  • ePHI encryption
  • Information and facility access management
  • Workforce security awareness training
  • Policy and procedure reviews

Further value: Obtaining a BAA

For additional assurance, you should secure a signed Business Associate Agreement (BAA) with your UC service provider.

BAAs are written contracts between the customer (“covered entity”) and the service provider (“business associate”). The BAA specifies each party’s responsibilities regarding the use and safeguarding of protected health information, and typically specifies the lead role the UC provider takes in any audits. The BAA may also specify that the UC service provider is liable for any damages resulting from data breaches, which transfers risk traditionally incurred by the covered entity to the business associate.

In assessing a UC provider’s BAA, confirm that the provider has signed subcontractor agreements with vendors who will be involved in providing your UC service, which eliminates downstream gaps in liability protection.

Final note: Proactive UC provider defense

The most suitable cloud UC providers go beyond checking the boxes on standard regulation and policy compliance. They monitor trends in cybersecurity threats, and proactively arm your organization against them.

For the highest level of security, look for a UC provider that embraces the healthcare industry’s security challenges as its own. In an age of rampant cybercriminal activity, your healthcare organization deserves nothing less.