Sensitive Healthcare Data at Risk in Cloud; Spohn Security Solutions Explains

Many healthcare providers must decide whether they should store protected health information (PHI) in the cloud. There are benefits and concerns to storing PHI in the cloud, and the decision to do so should be based on carefully analyzed data.

The U.S. Department of Health and Human Services says that with the proliferation and widespread adoption of cloud computing solutions, HIPAA*-covered entities and business associates are questioning whether, and how, they can take advantage of cloud computing while still complying with regulations protecting the privacy and security of electronic protected health information (ePHI).

According to Timothy Crosby, chief of security for Spohn Security Solutions, “While there are benefits to storing personal health information in the cloud, hospitals and other healthcare providers must be careful to ensure that adequate security measures are being taken to protect this sensitive information.”

Recent breaches of many healthcare facilities’ data demonstrate that hackers are quite busy trying to invade and take PHI wherever they can. In the first 2 months of this year, nearly three-quarters of a million patients had their ePHI exposed through ‘Data Breaches’ of over half a million records.

Of these, 77% were compromised/lost as a direct result of hacking. 91% of the records compromised in the month of January were attributed to hackers and the largest breach reported in the first 2 weeks of March is attributed to hacking.

Computer security must ensure that no harm comes to sensitive data and that no one is able to read such data unless they’re meant to.This confidentiality aspect is particularly relevant to highly sensitive data such as personal health information.

PHI is any health-related or insurance payment information stored or managed by a healthcare provider, which data can identify a specific individual. Examples of PHI are patient names, addresses, Social Security numbers, X-ray images, lab results, insurance payment information and medical records. “ePHI” is electronically-stored PHI information.

Even information about a patient’s planned future procedures is PHI. Government regulation of PHI is covered in the HIPAA Privacy Rule,* and ePHI is covered by the HIPAA Security Rule.* All healthcare providers in the United States must adhere to this or face fines.

The primary benefit of cloud storage is to give users the ability to access data across a variety of electronic devices while eliminating the costs and technical challenges associated with maintaining such dataon-site.

Many healthcare providers would prefer to move their data infrastructure to the cloud so they can better focus on providing healthcare services. Additionally, the capital cost of managing a data center can vary from year to year; hosting data in the cloud can provide a more static cost, making budgets simpler and more predictable.

Spohn Consulting is expert at HIPAA* compliance, as well as all aspects of cyber security.

Crosby says, “The threat of a breach of protected health information exists if data is in a common server such as the cloud. In our experience, the most vital action is to take proper security measures to protect the information before actually going to a cloud-based service.”

Here are a just few examples of how you can ensure safety of data if you decide to use a cloud-based provider:

  1. Verify that your cloud provider’s security standards are appropriate. Make sure it has up-to-date procedures on patching, and that it actively upgradesits equipment.
  2. Review security policies as they pertain to the cloud environment. Your provider should have an actively managed compliance program that verifies its adherence with regulatory requirements and security standards, including HIPAA laws.
  3. Data protected by law, such as PHI or personal identifiers, should never be stored in the cloud unless encrypted. Only certain members of your organization withauthorized access should be able to decrypt this data.
  4. Create policies that detail the circumstances in which this information can be decrypted. All security-related policies should be reviewed and agreed upon in the terms of service within your agreement with the cloud service provider.

Spohn Consulting, Inc. is an authority in navigating Fortune 500 companies and medium tosmall businesses through the security business challenges of the 21st century.

HIPAA(Health Insurance Portability and Accountability Act of 1996) is U.S. legislation that provides data privacy and security provisions for safeguarding medical information.


  1. Dargin, Mark. “Is Protected Health Information Safe in the Cloud?”Network World, Network World, 18 May 2017.
  2. HHS Office of the Secretary, and OCR, Office for Civil Rights. “Cloud Computing.”, U.S. Department of Health and Human Services, 16 June 017.
  3. “The Biggest Healthcare Breaches of 2017.”Healthcare IT News, 6 Dec. 2017.
  4. HHS Office of the Secretary, and OCR, Office for Civil Rights. “U.S. Department of Health and Human Services Office for Civil Rights Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information.” U.S. Department of Health & Human Services – Office for Civil Rights, 27 Mar. 2018.
  5. Jones, Ed. “HIPAA ‘Protected Health Information’: What Does PHI Include?”, 1 Sept. 2009.
  6. HHS Office of the Secretary, and OCR, Office for Civil Rights. “Summary of the HIPAA Security Rule.”, US Department of Health and Human Services, 26 July 2013.