The Cloud Security Alliance (CSA) has issued new guidance for telehealth organizations. The guidance, available for free download from the CSA’s website, aims to help health care delivery organizations (HDOs) implement processes and controls that ensure the security and privacy of patient information stored in the cloud.
CSA is the world’s leading organization dedicated to defining and promoting best practices for secure cloud computing.
The CSA’s Health Information Management working group has developed a publication titled Telehealth Risk Management that provides best practices for the storage, use, and destruction of telehealth data across the governance, privacy, and security domains.
The Coronavirus pandemic prompted many HDOs to update their risk management and governance programs, according to Jim Angle, the paper’s lead author and co-chair of the CSA’s working group.
Angle says that with the rapid regulatory changes for telehealth, it is essential that HDOs have robust risk management programs in place to ensure a smooth transition and minimize risk:
“Now, with the rapidly changing demands and regulatory requirements for telehealth, it’s essential that HDOs have effective governance and risk programs to ensure a smooth and seamless transition while improving their current risk postures,” Angle said.
John Morgan, CEO of Confluera, noted that when organizations look at the new guidance for securing patient information in the cloud, they should remember the importance of addressing modern threats such as multi-stage ransomware, which can seriously affect the security of patient data and of the organizations themselves. As organizations review their data security policies and procedures in light of the new guidelines, they should ensure that their threat detection and response strategies undergo the same analysis:
“Even a very well-planned data lifecycle can be compromised if attackers have already infiltrated the healthcare cloud environment and navigated through the network undetected,” Morgan said. “As organizations review and reassess their patient data security per the published guideline, they should ensure the same analysis is applied to their threat detection and response plans.”