● Thought Leaders: Cloud Compliance
How to maintain security in the cloud
Seven factors to consider. By Oren Hamami
It’s no lie. Complying with the updated Health Insurance Portability and Accountability Act, or HIPAA, and other related federal and state regulations is arduous and expensive. But the costs of not complying are even more injurious, especially if a breach occurs and regulators pile on significant financial penalties (as they now can). This matters when considering a move of healthcare data to the cloud.

While more healthcare organizations engage in cloud computing, a 2013 survey found just 30 percent of surveyed healthcare organizations, including hospitals and practices, plan to employ or maintain a cloud environment this year. Yet employee use of cloud applications and mobile devices continues to grow. The principal concern: the cloud’s ability to meet privacy and security requirements. For some, the cloud seems so nebulous that cyber thieves must be able to breach patient and medical information more easily. More than half of respondents in one survey even thought stormy weather could interfere with cloud computing.

Actually, the cloud can be much more secure than on-site facilities. While 100 percent protection can’t be assured, data in the cloud may be backed up, encrypted and insulated by layers of security.

How does a healthcare organization stay compliant in the cloud? Here are seven factors to consider when mulling a move to the cloud and staying compliant once there.

1. Conduct a cloud risk assessment. HIPAA veterans should be familiar with the need to conduct a risk assessment, and special care should be taken to understand the risks when considering a move to the cloud. Consider what data will be moved; how and by whom it will be accessed; and whether the specific cloud solution will provide sufficient protections to meet your security and compliance requirements.
2. Consider using a “private” or “hybrid” cloud solution. Many organizations decide to take a phased approach when moving to the cloud. Rather than move all their data to a public cloud provider, they opt for private clouds, which aren’t shared with other customers, or hybrid clouds that allow them to keep some data under their control while leveraging a cloud provider for less sensitive functions.
June 2013
Oren Hamami is director of security strategy, SunGard Availability Services. For more on SunGard: www.rsleads.com/306ht-210
3. Understand exactly what you are – and aren’t – getting. Considerable variation exists among cloud providers in terms of the security functions they perform and those that remain the customer’s responsibility. Unless your provider states otherwise in writing, assume that any particular requirement, such as encryption or data backup, remains your responsibility.
4. Ensure your cloud vendor complies with HIPAA and other regulations. The Department of Health and Human Services on Jan. 25, 2013, published new rules that significantly expand the definition and responsibilities of business associates and subject them to civil and criminal penalties. Be particularly wary of cloud providers who insist they are not business associates under the new rules, and ask whether they will sign a business associate agreement.
5. Know where your data is today – and where it will be tomorrow. Consider not only where your cloud provider is hosting your data, but also what happens to it when you exit the service, including how you will meet HIPAA/HITECH data-retention and data-destruction requirements.
6. Consider the so-called cloud security “donut hole.” Your cloud provider may only attest to the security of its physical infrastructure, excluding the shared virtualization systems that support the cloud service. This can leave a “donut hole” between the host’s coverage and the point where the healthcare organization handles its own security: the virtualization layer that neither party has clearly accounted for. Check the stated scope of any attestation or audit report to confirm that layer is covered, and seek a host who closes this gap.
7. Determine what the cloud provider will and won’t sign. Considering HIPAA compliance, will the vendor attest to the protections it has in place for the healthcare provider’s data and to its responsibilities? If not, can it provide a third-party audit report attesting that such security protections are in place?
HIPAA’s days as the “Toothless Tiger” are over. Healthcare entities must follow its tougher compliance regulations and the data-breach notification requirements in the 46 states that have them. Migrating data to the cloud will require much thought and planning by healthcare organizations. But you shouldn’t get too uptight about the move if you’ve done the necessary due diligence.
HMT HEALTH MANAGEMENT TECHNOLOGY www.healthmgttech.com