Safeguard your organization when using the cloud

BOSTON—In just a few short years, cloud computing has gone from being viewed with caution and skepticism in the healthcare industry to organizations seeing it as an aid to fight information silos and achieve interoperability, according to speakers at the second annual HIMSS Privacy & Security Forum. But, be proactive to make it work effectively.

“Know the risks, assess the risks and manage the risks,” said Lee Kim, JD, HIMSS director of privacy and security. Many people don’t understand the difference between threats and vulnerabilities, she said. A threat is the potential for the exercise of a particular vulnerability, which can exist at the device level, app level, operating system or some other component. A vulnerability is a flaw or weakness in any aspect of a system. It can be technical, administrative or physical, but it takes a human actor to exploit it before it becomes something that can compromise data, Kim explained.

Cloud computing is a resource that can be divided into slices and bought on a subscription basis. It’s “powerful because it can be configured on demand in accordance with your organization’s requirements,” she said.

Not all cloud providers are created equal, however, Kim said. She discussed several aspects to include when building a good service agreement.

Healthcare organizations must tailor agreements to meet their priorities. That should include a framework for security incident handling. “Make sure there is some kind of organization wrapped around what happens when an incident occurs on your system. If it rises to the level of breach, have a process.”

Cloud providers offer various levels of security. “Make sure to look at their network architecture to see what they have for a security infrastructure.” Kim also advised conducting business due diligence to ensure the provider will be around in the future. While there are numerous cloud providers out there, only a handful have been around for more than 10 years. “Review the provider’s policies and procedures and look at relevant reports. It’s important to make sure your provider takes security seriously.”

Kim also recommended interviewing key personnel to check on appropriate security processes. If the provider uses a third-party data center, where is it located—a country with weaker data protection laws?

She also advised healthcare organizations to scrutinize their legal agreements with cloud providers. “The legal agreement might be very different from what was discussed. Make sure it reflects exactly what you discussed. Often, the agreement does not reflect the promises made by the business or salesperson.” Most agreements are bare bones, she said, so you want to build in your specific security objectives. The agreement can be used as a tool to enhance your organization’s risk management process.

Measure the performance of your cloud provider, Kim said. How often is it down? Have they had security incidents? “You could build an out in case the provider is not performing up to your standards. The agreement is just words—it does not necessarily reflect the technical reality of the cloud. Make sure you’re comfortable with the provider and that they have a good track record. Establish a good baseline before signing on the dotted line.”

Cooper Health Systems in Camden, N.J., developed a technical evaluation to vet cloud providers, said Phil Curran, chief information security officer. The extensive list of questions includes whether the provider has ever had a third-party audit, whether Cooper representatives can visit, how the provider manages incident response and what its security architecture is. Every time Cooper goes through a technical evaluation, they learn something new, Curran said. “It’s an ongoing process. Questions are added all the time.”

Cooper has struggled with determining the best way to conduct ongoing monitoring of these vendors, he said. Some cloud providers don’t want to change their standard contract, but “we try to put in certain service level agreements. A copy of the technical evaluation goes into the contract because it holds them to what they said.” Curran prefers that providers respond within 15 minutes of detection. “That’s hard to get in there. You need to push but push for whatever service level agreements you want. They will bend.”

Once the agreements are signed, monitor them, Curran advised. “Make sure the vendor is doing what they’re supposed to be doing. You have to be willing to break out the contract and get your legal department involved.”

Business associate agreements raise other issues, he said. Smaller companies may not even be aware of their roles and responsibilities for protecting healthcare data. “You’re going to find that you’re going to spend a lot of time educating BAs on what needs to happen. We recently had a BA breach and I was on the phone for eight hours educating them.”

After an incident, “you need to work with the vendor in getting their report, including how it happened, what they’re going to do about it and how they’re going to prevent it from happening again.” Curran said you might have to sit with them and explain how to write the report. And, when it comes to prevention, you need to monitor what they’re doing and put them on your audit plan for the next year.

Beth Walsh, Editor