Cloud Storage: How Should Providers Protect their Interests?

December 23, 2013
A legal expert offers his advice for moving data to the cloud

With pressure on reimbursements and efforts by all provider organizations to cut their operating costs, the cloud is rapidly becoming an attractive option. To be sure, the various models of the cloud—including data storage as part of software-as-a-service (SaaS) agreements—are becoming viewed as viable options for an increasing number of hospitals and medical groups.

Yet the cloud includes legal and financial risks for provider organizations as well. After all, cloud service providers and SaaS vendors are business associates of the provider organization that are being entrusted with very important data, both for the patient’s health and the organization’s financial wellbeing. What should provider organizations be doing to protect their interests and their clinical and business/financial data?

For insight, Healthcare Informatics recently interviewed Daniel F. Gottlieb, a partner in the law firm McDermott Will & Emery, based in the firm’s Chicago office, who leads its health information technology and data protection practice.

Gottlieb says he is seeing a significant number of provider organization clients moving their data to cloud service providers—including “public” cloud service providers such as Amazon—or entering into SaaS agreements with software vendors.

In general, Gottlieb says, policy changes such as the Health Insurance Portability and Accountability Act (HIPAA) Final Rule have put greater emphasis on privacy and security than in the past. Added to that, press accounts of hackers and data breaches have also raised awareness of the issue on the part of hospitals’ management and boards of directors.

“In general, on privacy and security matters, we are seeing a higher level of managers in the organizations being involved. For example, the audit and compliance committee of the board, or the full board, is asking the CIO to do periodic presentations or regular presentations regarding security issues,” he says. “Likewise, at the CEO level, and the c-suite in general, folks realize that there are costs associated with not only breach of confidentiality, but also downtime from system downtime. It interferes with patient care, and it can slow down the revenue cycle process.”

Here’s his advice to provider organizations considering use of the cloud:

1. Check references. Call other provider organizations that have used a service, and ask them if they have been satisfied with uptime, customer service and other issues. “Broadly speaking, due diligence is very important on the front end before entering into a service agreement,” he says.

Gottlieb cautions provider organizations not to overlook due diligence when working with software vendors under SaaS agreements that include hosting their data. He says that an over-eagerness to move forward with a particular solution runs the risk of not doing adequate due diligence or spending enough time on the implementation plan or making sure that there are adequate protections in the contract. He observes that under SaaS agreements, it could be more difficult to migrate to different software as well as a different vendor to host the data if things go awry.

2. Have a solid contract. “The contract is super important,” he says. “You don’t want to get stuck in a bad situation, and while you may have remedies under contract, it’s not desirable to be in dispute, particularly with a company that has all of your confidential data.”

3. Make sure the vendor has a comprehensive set of security policies and procedures. Those policies should at a minimum be compliant with Health Insurance Portability and Accountability Act (HIPAA) security standards. He also recommends that the vendor have some type of third-party certification, such as a Service Organization Control (SOC) 2 report, or demonstrate compliance with a security framework such as the Common Security Framework offered by the HITRUST Alliance. “Various organizations provide certification; and there are various security consultants that will do audits,” he notes.

He suggests hiring a reputable security consultant who will review under an agreed-upon set of standards, such as HIPAA, Health Information Technology for Economic and Clinical Health (HITECH) standards for secure protected health information (PHI), International Organization for Standardization (ISO) standards, or proprietary standards of the consultant.

Gottlieb advises that these requirements can be included in an agreement with the service provider or vendor, either at the front end, or as part of an annual or bi-annual re-certification. “Some cloud vendors will agree to periodic re-certification; others will agree to it only if the customer is willing to pay for it; so that can be an issue in the negotiation of the contract,” he says.


Comments

I found some good news in an interesting report

I agree that "cloud service providers and SaaS vendors are business associates of the provider organization that are being entrusted with very important data, both for the patient’s health and the organization’s financial wellbeing".

We know that in January of this year, the HIPAA Omnibus Final Rule was published, implementing more specific requirements for protecting PHI and steeper penalties for failing to comply. The trend is that more and more types of information are covered by different privacy laws, and the enforcement activities are now escalating.

Current threats to data and escalating regulations are rapidly changing the security landscape. The fact is that you are actually using somebody else's computer when using cloud computing. In many popular public cloud environments, my data is NOT under my control, NOT in a computer within my organization and potentially NOT in a country or location that I know about. My data may NOT even be stored or processed in a compliant way in an accepted country, by a 3rd party and/or cloud provider. I may not have information about who can access my data, maybe administrators or other tenants. I may be sharing disk, memory and other infrastructure components with parties that I don’t know about. They may be stealing my data.

Therefore I think that all sensitive data should be encrypted or tokenized before it is sent to the cloud. Below are a few words of guidance from the payment card industry, PCI SSC. The guidance is applicable for all sensitive data that is sent to the cloud.

If you outsource to a public-cloud provider, they often have multiple data storage systems located in multiple data centers, which may often be in multiple countries or regions. Consequently, the client may not know the location of their data, or the data may exist in one or more of several locations at any particular time.

Additionally, a client may have little or no visibility into the controls protecting their stored data. This can make validation of data security and access controls for a specific data set particularly challenging.

In a public-cloud environment, one client’s data is typically stored with data belonging to multiple other clients. This makes a public cloud an attractive target for attackers, as the potential gain may be greater than that to be attained from attacking a number of organizations individually.

I found some good news in an interesting report from the Aberdeen Group that revealed that “Over the last 12 months, tokenization users had 50% fewer security-related incidents (e.g., unauthorized access, data loss or data exposure) than tokenization non-users”. The name of the study is “Tokenization Gets Traction”.

Ulf Mattsson, CTO Protegrity
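The vault-based tokenization the comment above recommends, shown as an added example that is not code from the article, from the commenter or from Protegrity: sensitive fields are swapped for random tokens before a record leaves the organization, and the token-to-value mapping never does. The field names, the sample record and the in-memory vault are constructed assumptions for the demo.

```python
import secrets

# Constructed example: fields a hospital would treat as PHI in an admission record.
SENSITIVE_FIELDS = ("patient_name", "ssn", "mrn")


class TokenVault:
    """On-premises vault mapping random tokens to the original values.

    Only tokens are sent to the cloud provider; the mapping stays local.
    Assumption for the demo: two in-memory dicts stand in for what would be
    a hardened, access-logged datastore in production.
    """

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenize(self, value):
        # Reuse the token for a repeated value so records can still be joined
        # on the cloud side without revealing the underlying value.
        if value in self._value_to_token:
            return self._value_to_token[value]
        token = "tok_" + secrets.token_hex(12)  # random, not derived from value
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token):
        # A token not issued by this vault is treated as an error, never guessed at.
        if token not in self._token_to_value:
            raise KeyError("unknown token")
        return self._token_to_value[token]


def to_cloud(vault, record):
    """Return a copy of the record that is safe to hand to the cloud provider."""
    return {k: vault.tokenize(v) if k in SENSITIVE_FIELDS else v
            for k, v in record.items()}


def from_cloud(vault, record):
    """Restore the original values after fetching the record back on-premises."""
    return {k: vault.detokenize(v) if k in SENSITIVE_FIELDS else v
            for k, v in record.items()}


def leaks_phi(cloud_record, original):
    """True if any sensitive value appears verbatim in the outbound record."""
    outbound = " ".join(str(v) for v in cloud_record.values())
    return any(str(original[f]) in outbound for f in SENSITIVE_FIELDS if f in original)
```

The same check (`leaks_phi`) belongs in the outbound path of any integration, since a single un-tokenized field in a log line or error message is enough to put PHI on someone else's computer.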

Mitigating Risk

Thank you for your perceptive reply, and especially for the information on tokenization. Applying the experiences of the financial services industry makes sense. I agree that there are significant risks associated with the cloud, and that every provider organization needs to weigh the risks and balances according to its own needs.

With the explosion in the volumes of data that are only going to rise, I believe the cloud is a viable alternative; but only after making sure that a potential cloud service provider is able to meet the hospital's own policies and procedures to safeguard data: encryption, transparency, and assurances that the data is stored within this country's borders, to name just a few.