Following up on my last post regarding data protection in the cloud and the new European Data Protection laws, I’m sharing ZDNET’s latest article, “Will your cloud be HIPAA compliant?”

It’s a good article and makes the point that where there’s a need, the industry will find a way to fulfill the need. But that brings me to the here and now. With the advent of online learning and hosted learning management systems and the move towards SaaS LMS systems in the cloud, there are some real issues regarding security of information that I don’t think most educational technology teams are even aware of. The medical industry is well aware of HIPAA, but I find that at medical/health provider training schools the ed tech team sometimes forgets about the necessity of data and privacy protection. Or, they are simply overwhelmed by the topic and prefer to pass the buck of ownership on to the faculty – meaning, make the faculty responsible for privacy and security of information in their course.

I think this is backwards thinking. I believe that the issue needs to first be addressed on a systems-level and then implemented on an individual level. That means decision makers, policy makers, systems administrators, and trainers all need to know the security of the hardware and software on the system to varying degrees based upon role, and then they need to educate their end-users on how to use the system in ways that aid in maintenance of that security.

For example, one can imagine that in an online component of a medical course that emphasizes discussion, PHI (patient health information) may be shared as a fundamental component of the learning environment, especially in case studies or in residency programs as a part of write-ups on rounds. Now, in this case, what are the possible security breaches and violations of HIPAA? Let me lay out a few:

  1. Use of open source software for the LMS
     • Okay, open source software can be made secure, but has it?
     • Has the institution gone to the lengths to ensure security of the system?
     • For example, has Google indexing of the system been disabled at a site level? (Especially for Moodle….)
  2. Roles and permissions on the system (ACL – access control lists)
     • Does the system allow “guest” (as in public, Internet accessible, guest) access? If so, then already there may be a breach of security if that “guest” has been assigned access to this course where PHI is being discussed.
     • Are the students and/or faculty aware of any “guests” accessing their course and reading their interactions (especially discussions)?

I have actually seen this happen. The teaching institution wants to allow guest faculty, residents, and interns access to what is being taught. However, there aren’t procedures in place that educate the decision makers (from departments to faculty) on how to allow access to the course for these guests without also opening up their course to the general public, and the students are not informed of who is viewing their participation in the course – so the PHI data is publicly out there on the Internet (and may even be Google indexed), which is a violation of HIPAA, AND the students’ own FERPA (Family Educational Rights and Privacy Act) rights have been violated as well.

It is EASY to fall into this breach of security trap for an institution that does not understand the practical ramifications of not having policies, procedures, and training in place to prevent this scenario.

So what’s my point? The scenario above was on a hosted environment, not a SaaS environment, but could easily be translated to that SaaS environment. So, not only does the SaaS need to have security protocols in place but the USERS must also be educated on system settings and role assignments and the misnomer of “guest” access. If the system is secure and FERPA and HIPAA compliant, then the easiest way to do a second-line defense is to simply not allow guest access on the system. Instead, implement a way for each user on the system to have a unique login (that’s just good sense, on many levels). That way each user on the system can be tracked. It may sound “big brother-ish” but where the integrity and privacy of data on your system is concerned, this is important. (And further, anything conducted on the Internet can be tracked – never assume that anything you do online is 100% fool-proof secure, and act accordingly. All “we’re” responsible for is protecting your data to the extent reasonably possible; there are always new hackers out there….) The third-line defense is to educate your users (faculty, TAs, students, staff, etc.) on what can and cannot be posted on the system as well as who is observing or shadowing in a course. PHI can be protected by anonymizing the data posted.

So, those are my thoughts on data protection today – and the Cloud…in a roundabout way.

Cheers!