Recent data breaches have put thousands of medical records, health insurance information, driver’s license numbers, financial accounts, and Social Security numbers at risk of identity theft, false medical care claims, and credit card fraud. In just one case that was reported in February, up to one million records of protected health information (PHI) were exposed in a wave of zero-day attacks targeting Fortra’s MFT platform. These cyberattacks have not only exposed sensitive patient information, they are also costing organizations millions of dollars to settle class-action lawsuits. One settlement reached a staggering $3.5M for a ransomware attack.
Now more than ever, healthcare organizations, insurance providers, and pharmacies must take action and make cloud security a priority. Without the proper security process and procedures in place, a data breach is bound to happen. Healthcare records in particular are valuable to cyber-attackers as they can be used to commit a multitude of crimes. In order to help prevent a data breach, your organization should only utilize cloud services that meet stringent data protection requirements and regulatory compliance standards.
The following best practices can ensure you choose a cloud-based document exchange provider that protects PHI and business-critical data at all times. Here is how to prevent a data breach in healthcare:
1: Require cloud vendors to be third-party audited.
Self-attestations or self-audits should be a red flag for any organization that processes confidential information. Independent software vendors (ISVs) that offer products utilizing cloud services must do their due diligence to ensure that all their cloud services providers have third-party certifications to protect their customers’ data, as well as their reputation as trusted vendors. We are proud to report that etherFAX services operate in a HIPAA and SOC 2® compliant environment that is both HITRUST CSF® and PCI DSS certified. Many ISVs integrate with etherFAX services due to our attestations of compliance and commitment to meeting these cybersecurity standards.
2: Choose a cloud provider that has security built into its technology.
etherFAX owns and operates private, redundant, and geographically dispersed data centers to ensure high availability. Each data center is housed within environments that are SOC2, ISO27001, NIST cybersecurity framework v1.1, and NIST 800/53 (US only) compliant, thus meeting or exceeding regulatory requirements of HIPAA and other federal/state/local cybersecurity regulations.
In addition to our third-party compliance certifications, etherFAX has also implemented multiple defense-in-depth strategies into our patented technology such as end-to-end encryption and two-factor authentication to ensure that patient data and business-critical information remain protected.
3: Look for a cloud provider that maintains up-to-date compliance certifications and meets the latest requirements for security.
etherFAX recently maintained its HITRUST Risk-based, 2-year Certification, further validating our commitment to meeting key regulations and protecting sensitive information. The r2 Assessment offers coverage against NIST SP 800-53, NIST CSF, ISO 27001, HIPAA, FedRAMP, FISMA, FTC Red Flags Rule Compliance, MARS-E Requirements, PCI DSS, CCPA, GDPR, AICPA Trust Services Criteria for Security, Confidentiality and Availability, plus more than 30 other industry-recognized frameworks, standards, and authoritative sources.
We are also in the early stages of the Federal Risk and Authorization Management Program (FedRAMP) certification. FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring of cloud products and services.
A Trusted Advisor
Our commitment to security is the main reason why many organizations have switched to etherFAX, especially after a data breach. Most recently, etherFAX worked with a radiology organization to stabilize their systems and build a new secure workflow from the ground up after they experienced a data breach.