6 tips to mitigate cloud-computing risks
May 30, 2012 in Medical Technology
A recent Healthcare IT News survey found 48 percent of respondents planning to incorporate cloud computing into their health IT endeavors; 33 percent had already taken the plunge. But 19 percent answered with a “no,” and according to Rick Kam, president and co-founder of ID Experts, one of their biggest fears could very well be security issues surrounding the cloud.
“Cloud computing poses great risks for healthcare organizations, providers and entities responsible for safeguarding protected health information (PHI),” said Kam. “Healthcare entities are responsible under Federal HITECH and HIPAA regulations for the security of PHI in the cloud, though they often have little or no control where or how this data is moved, processed, or stored.”
Kam outlines six tips to mitigate your cloud computing risks.
1. Have business associates sign an agreement. According to Kam, covered entities should review the terms and conditions of a cloud provider’s service-level agreement (SLA) to fully understand what their liabilities and risks are, and to be prepared to “absorb” those risks. “Detecting responsibility for a data breach among cloud managers, storage providers, and application developers is nearly impossible,” he said.
2. Limit user access. Larger, covered entities can offset dangers with a private cloud, said Kam. “They simply limit access to their own organization and subsets, such as business associates,” he said. “Smaller covered entities are at the mercy of the cloud providers they can afford.”
3. Research applications. Cloud-level applications present problems when it comes to security, said Kam. Federal law also requires that access to PHI be controlled and limited to the “minimum necessary” data fields required for the purpose involved. “This means access is limited to only authorized and authenticated users, and that IT can log and audit all accesses,” he said. “But this is a function of the application itself – and not all applications are designed to meet such security needs.” Additionally, he continued, another issue remains with application interoperability and the inability to move data smoothly and securely between applications, leaving data at risk of exposure. “Developing standards and protocols for interoperability between two applications is important,” said Kam. “[It's] up to the vendors but is often not a high priority.”
4. Secure third-party validation. Smaller covered entities have little say in the way a cloud provider secures the PHI in their care, said Kam. In turn, one way to “level the playing field” is for clinics and other small covered entities to work through a medical association or organization to create a certification for cloud providers that meets HITECH and HIPAA security requirements. A similar program already exists in the federal government, he pointed out: FedRAMP, the Federal Risk and Authorization Management Program.
5. Take an inventory of PII and PHI. According to Kam, an inventory provides a complete account of every element of personally identifiable information (PII) and PHI an organization holds, in either paper or electronic format. “It helps determine how an organization collects, uses, stores, and disposes of its PHI,” he said. “A PHI inventory reveals the risks for a data breach, so organizations can strategically protect PHI data and the best plan for a response based on real information.” An inventory of PII and PHI, he added, together with a privacy and security risk assessment, can help demonstrate compliance and mitigate the impact of a data breach.
6. Develop an incident response plan (IRP). An IRP is an effective, cost-efficient way to help organizations meet HIPAA and HITECH requirements while developing guidelines related to data breach incidents. “The IRP designates roles and provides guidelines for the response team’s responsibilities and actions during a privacy incident and provides instructions on determining notification requirements, including to regulatory authorities,” said Kam.