Data storage may not be your favorite topic, but it’s a critically important one when looking at the larger idea of a healthcare tech stack. The “tech stack” is a term pulled from industries like marketing and sales where many different software platforms have to work in concert with each other to provide a viable end result. The growth of healthcare technology over the last few years has created the need for a health tech stack, and with it the need for greater data security.

When it isn’t being accessed, data needs to be digitally secured and stored in accordance with all the rules and regulations that the law requires. The law that requires most of that compliance is the Health Insurance Portability and Accountability Act, otherwise known as HIPAA. Most of the regulations surrounding the healthcare space stem from this law, and the storage of data is a very important subject, so it’s imperative to get this section of the healthcare technology stack correct. To make sure that it’s done the right way, here are a few topics to raise and questions to ask vendors that are handling your population health data.

Data Loss Prevention Questions

One of the biggest hurdles for effective data loss prevention is simultaneously securing the digital side of data and the physical side of data. “Securing access to a data location” can mean controlling who can access the data through the web, but also controlling who can access the actual server where the data is stored. These vendors have had plenty of time to specialize in their craft, so they should be very familiar with the needs of companies looking to them for health tech security, but these are a few boxes to check when deciding which one to choose:

  • How easy is it to add and revoke access privileges? How many consoles does it take?
    Data systems are only as secure as the people that have access to them. Data Loss Prevention (DLP) vendors should be forthcoming about how users can add and revoke access privileges to help prevent data leaks from happening.
  • Are they HIPAA compliant?
    This industry knows that healthcare is a huge market. Most of the large players in this space will have information about how they meet HIPAA’s rules and regulations ready to give to you if you ask.
  • What happens in case of an incident?
    Of course, a good question to cover is what happens in case of a data loss incident. DLP vendors should be able to share the steps they will take if member health data is lost for whatever reason. It’s always good to have a backup plan.

Overall, the point of these questions is to make sure that every eventuality is planned for. What will not work is a vendor that doesn’t have a plan for when things go wrong. The importance of member health data is too high to leave open the chance that it might be stolen, lost, or compromised.

Questions for Cloud Security Solutions

When you place data in a cloud, it means that the information is hosted on a decentralized server that gives access to the data across multiple points. Moving to this virtual environment changes the playground, but the rules of information security mostly stay the same with a few variations. When searching for a suitable cloud security offering, be sure to cover the following questions:

  • Is there a virtual firewall protecting the data?
    Just because the data isn’t stored in a centralized location doesn’t mean there can’t be a firewall to protect the data. Leading cloud security vendors should be able to offer a virtual firewall to protect data from breaches by unauthorized users.
  • Do you have DDoS protection?
    Distributed Denial of Service (DDoS) attacks are becoming a much more common form of cyber attack and, without preparation, can leave systems nonfunctional and compromised. Make sure that your chosen solution has a plan in place for this eventuality.
  • Is there data monitoring along the system?
    As a way to search for potential breaches, some cloud security solutions offer real-time data monitoring. This can help to keep a closer eye on the overall system to make sure that the people and systems accessing the data are supposed to be there.

Another thing to keep an eye out for is the line between security and accessibility. Keeping paper records locked tight in a lockbox completely away from the internet sounds like a pretty secure solution, but it is also wildly inaccessible. Having member health records behind nothing but a password-protected webpage might be the most accessible option, but it is also open to intrusion by determined individuals. The questions we’ve posted above help to establish the point between these two extremes that works best for your organization.