Almost 78% of small businesses have invested in SaaS (Software-as-a-Service) technology, and the adoption of SaaS in the healthcare industry has increased by 20% annually. As a result of COVID-19, there’s been increased reliance of virtual visits and telehealth, which means the use of technology needs more attention. With the adoption of SaaS comes the need for a robust security and compliance.
According to the APWG (Anti-Phishing Working Group) report, phishing of SaaS and webmail surged past the phishing of financial services. Around 36% of the phishing attacks are on SaaS and webmail. Healthcare businesses using SaaS need to consider ways to avert cyber attacks and improve overall security.
HIPAA (Health Insurance Portability and Accounting Act)
Obviously, healthcare businesses want to maintain trust with patients. But perhaps just as critical is staying compliant with law requirements and avoid potential penalties for noncompliance. HIPAA is a federal law regulated by the Department of Health and Human Services. It focuses in part on assuring the security of ePHI (Electronic Protected Health Information) and privacy of EHR (Electronic Health Records).
Healthcare HIPAA compliance states clearly what data should be protected, which include names, Social Security numbers, zip codes, etc. To create this protection, one step for a healthcare HIPAA compliant SaaS business is to use a firewall for data. Other actions, including controlling access to data and creating a remediation plan in case of breaches, are detailed in an Arkenea blog.
Responsibility of data protection falls to covered entities—health care providers, health plans, and healthcare clearinghouses for example. But covered entities must ensure that their business associates, such as cloud service providers—maintain privacy; they need to sign a BAA (Business Associate Agreement), without which the covered entities can be penalized for HIPAA non-compliance.
HITRUST (Health Information Trust Alliance)
HITRUST is an organization that helps healthcare businesses manage data in compliance with HIPAA and handle information breach risks. It also offers a certification for covered entities and vendors to demonstrate HIPAA compliance. HITRUST provides objectives and criteria for implementing technical, administrative, and physical security.
Impact on Employers
The HIPAA privacy rule doesn’t apply to employers, only to their health plans. Nonetheless, employers should maintain the privacy of employees’ health information. And Employers should ascertain whether their health plans are in compliance with HIPAA.
The healthcare industry has numerous rules and regulations for patient safety and security. The major concern for SaaS in healthcare is data privacy and security. Healthcare businesses can invest in SaaS that follows rules and keeps healthcare organizations free from privacy violations and penalties.