Posted 9.23.13
by wpadmin
Blog

Privacy & Security Forum: Health Data Cloud Security Risks

The only clouds today are inside the InterContinental hotel. A beautiful view of Boston from inside the forum.

It wouldn’t be a privacy and security forum if we didn’t speak to health data in the cloud. Lee Kim, Director of Privacy & Security for HIMSS, held a panel discussion with Phil Curran, Chief Information Security Officer of Cooper Health Systems, titled “Managing Security Risks of Health Data In the Cloud”, where they dug into potential pitfalls with some cloud service providers and how to circumvent some of those risks.

Lee provided many practical tips for safeguarding health data being put in the cloud. Having an inventory of where PHI resides, and doing a continual risk analysis to re-evaluate vulnerabilities, were just a few of the things mentioned to help manage security risks.

There was also a list (Lee notes that this list is non-exhaustive) of considerations when choosing and vetting your potential cloud provider:

  • Have you looked at the cloud provider’s application and/or network architecture?
  • Have you conducted business due diligence on the cloud provider (e.g. how long have they been in business, do they service other healthcare providers, etc.)?
  • Have you reviewed the cloud provider’s policies, procedures, processes, and any relevant reports (SSAE16, SOC 2)?
  • Can you periodically audit the cloud provider?
  • Have you interviewed key cloud provider personnel?
  • Does the cloud provider use a third party data center, and where is it located?

Phil Curran has the perspective of the Covered Entity. He stated plainly that in the end, the business owner needs to accept the risks. In order to choose a cloud service provider, Phil puts them through the wringer with question after question:

  • Have you ever had a 3rd party audit, and can we see it?
  • Can we come for a visit?
  • What’s your security response?
  • Have you ever had a penetration test?

It’s a living document, Phil said, that has questions added to it all the time.

Once the technical requirements are met, Phil sends a team to the data center to evaluate physical safeguards. Every 3 years he sends an audit team to make sure they’re following their SSAE 16 audit controls. He also puts a copy of the technical evaluation into the contract to ensure that the services he’s getting are the ones he was assured of during contract discussions. Notification within 10 days is also a must for Phil, 15 days at most. He noted that most providers offer notification within 60 days, but that doesn’t give him, as a CE, enough time.

Phil’s experience was that there are many vendors who don’t understand the requirements associated with HIPAA privacy and security. It’s important to do the due diligence to find a provider that has taken the time to learn about the responsibilities of a Business Associate.
