Privacy & Security Forum: Health Data Cloud Security Risks

Posted 9.23.13 by

The only clouds today are inside the InterContinental hotel. A beautiful view of Boston from inside the forum.

It wouldn’t be a privacy and security forum if we didn’t speak to health data in the cloud. Lee Kim, Director of Privacy & Security for HIMSS, held a panel discussion with Phil Curran, Chief Information Security Officer of Cooper Health Systems, titled “Managing Security Risks of Health Data In the Cloud”, where they dug into potential pitfalls with some cloud service providers and how to mitigate some of those risks.

Lee provided many practical tips for safeguarding health data being put in the cloud. Keeping an inventory of where PHI resides and performing continual risk analysis to re-evaluate vulnerabilities were just a few of the measures mentioned to help manage cloud security risks.

There was also a list (Lee notes that this list is non-exhaustive) of considerations when choosing and vetting your potential cloud provider:

  • Have you looked at the cloud provider’s application and/or network architecture?
  • Have you conducted business due diligence on the cloud provider (e.g., how long have they been in business, do they service other healthcare providers, etc.)?
  • Have you reviewed the cloud provider’s policies, procedures, processes, and any relevant reports (SSAE 16, SOC 2)?
  • Can you periodically audit the cloud provider?
  • Have you interviewed key cloud provider personnel?
  • Does the cloud provider use a third-party data center, and where is it located?

Phil Curran offered the perspective of the Covered Entity. He stated plainly that, in the end, the business owner needs to accept the risks. Before choosing a cloud service provider, Phil puts them through the wringer with question after question:

  • Have you ever had a third-party audit, and can we see it?
  • Can we come for a visit?
  • What’s your security response?
  • Have you ever had a penetration test?

It’s a living document, Phil said, with questions added to it all the time.

Once the technical requirements are met, Phil sends a team to the data center to evaluate physical safeguards. Every 3 years he sends an audit team to confirm the provider is still following its SSAE 16 audit controls. He also puts a copy of the technical evaluation into the contract to ensure that the services he receives are the ones he was promised during contract discussions. Notification within 10 days is also a must for Phil, and 15 days at most. He noted that most providers offer notification within 60 days, but that doesn’t give him, as a Covered Entity, enough time.

Phil’s experience was that there are many vendors who don’t understand the requirements associated with HIPAA privacy and security. It’s important to do the due diligence to find a provider that has taken the time to learn about the responsibilities of a Business Associate.

About Otava

Otava provides the secure, compliant hybrid cloud solutions demanded by service providers, channel partners and enterprise clients in compliance-sensitive industries. By actively aggregating best-of-breed cloud companies and investing in people, tools, and processes, Otava’s global footprint continues to expand. The company provides its customers in highly regulated disciplines with a clear path to transformation through its effective solutions and broad portfolio of hybrid cloud, data protection, disaster recovery, security and colocation services, all championed by an exceptional support team. Learn more at www.otava.com.
