Many of you are just getting started in Health Tech and perhaps have not yet undergone your first technology review. If so, you have not had the hammer of Fedramp or HIPAA come down upon you. Look out! Health data security is a huge issue.
One of the big ‘MUST HAVE’ items is an auditable trail of who can access your data and how. Modern technologies provide ways to lock down your servers and to control access through private VPN services. But do they meet the strict requirements of governing bodies?
For example, if you are using managed hosting service and SAML connections with a federated authority, you probably do not have a list of every person who can access that server. Do you know who is working at that hosting company and who might actually be able to put their hands on the server? And if your access permissions are being managed by a third-party, how do you know what disgruntled employee of that firm could possibly access your data?
I know that many managed services providers are secure and well managed and audited in their own right. But what happens when that hack happens? You are expected to provide a finite list of everyone who can access that server in any way and to provide logs of all accesses. You’ll have logs for the ‘front’ end through your VPN, but what about those working in the data center? Or those who you are paying to ‘manage’ your servers?
Just something to think about. The important part is to plan how you will answer these questions in the event of a breach. The average cost of health data breaches os in the tens of millions of dollars. (needs verification, but last I heard). Beware of the possibilities and do your due diligence on any managed services providers you engage.
As always, I welcome your comments.