The healthcare IT HIMSS ’12 conference this year was full of great educational sessions and presentations from industry leaders and health IT professionals. One presentation with speakers native to our home-base of Michigan, Navigating the Cloud: Risk and Protections for Healthcare Data outlines a few key points when it comes to choosing a cloud vendor in the healthcare industry.
The presenters were Margaret Marchak of the University of Michigan Health System Legal Office, Ann Arbor, MI, and Melissa Markey of Hall Render Killian Heath & Lyman, Troy, MI.
According to the slideshow, the key learning objectives were the benefits of cloud computing in healthcare, the privacy and security risks that arise when healthcare data is stored in the cloud, and the contracts and due diligence required to protect PHI.
After defining RFPs in cloud computing, they moved on to “picking the vendor” and listed a few factors a covered entity should consider when choosing a long-term, HIPAA-compliant cloud vendor:
Willing to contractually commit to acceptable performance terms.
The presentation goes on to the due diligence a covered entity should perform when choosing a vendor – what should you check when choosing a HIPAA-compliant cloud provider?
Is it a large company, or a small start-up leasing space on a bigger company’s network? This is key when choosing a vendor, as many HIPAA-compliant data centers, or those that claim to be, often do not actually own and operate their own facilities. Online Tech owns and operates all of our data centers and we have been independently audited (and found 100% compliant) for HIPAA compliance.
Financial stability and track record. Check for references and case studies of proven client success in the healthcare field.
Insurance; assets and recoverability. By this, I would assume the speakers are referring to PHI data breach insurance, which can cover costs of litigation and other losses incurred as a result of a data breach. By recoverability, they may also be referring to costs, but PHI recoverability can refer to a separate issue that healthcare companies should consider – in the event of a disaster, how quickly and accurately can they recover their data? Investing in a HIPAA compliant disaster recovery solution for the cloud and offsite backup can recover data and applications in a matter of hours as opposed to weeks or months using traditional disaster recovery methods.
Policies and procedures. An important part of compliance is evidence of a formally documented set of policies and procedures specific to your HIPAA cloud vendor. These should include documentation of physical, logical, network and technical security safeguards, as well as the day-to-day security operations implemented as part of employee training.
The next section goes over cloud contracting basics, which I’d like to cover in another blog post…