09-23-13 | Blog Post
It wouldn’t be a privacy and security forum if we didn’t speak to health data in the cloud. Lee Kim, Director of Privacy & Security for HIMSS, held a panel discussion with Phil Curran, Chief Information Security Officer of Cooper Health Systems, titled “Managing Security Risks of Health Data In the Cloud”, where they dug into potential pitfalls with some cloud service providers and how to mitigate some of those risks.
Lee provided many practical tips for safeguarding health data that is put in the cloud. Keeping an inventory of where PHI resides, and performing a continual risk analysis to re-evaluate vulnerabilities as systems and vendors change, were just a few of the things mentioned to help manage cloud security risks.
There was also a list (Lee notes that this list is non-exhaustive) of considerations when choosing and vetting your potential cloud provider:
Phil Curran brought the perspective of the Covered Entity. He stated plainly that, in the end, the business owner needs to accept the risks. In order to choose a cloud service provider, Phil puts them through the wringer with question after question:
It’s a living document, Phil said, that has questions added to it all the time.
Once the technical requirements are met, Phil sends a team to the data center to evaluate physical safeguards. Every 3 years he sends an audit team to make sure the provider is still following the controls covered by its SSAE 16 audit. He also puts a copy of the technical evaluation into the contract, so that the services he receives are the ones he was assured of during contract discussions. Breach notification within 10 days is also a must for Phil, and 15 days at most. He noted that most providers offer notification within 60 days, but that doesn’t give him, as a Covered Entity, enough time to meet his own obligations.
Phil’s experience was that many vendors don’t understand the requirements associated with HIPAA privacy and security. It’s important to do due diligence to find a provider that has taken the time to learn the responsibilities of a Business Associate.