Cloud Computing: Timely Tips
Important Privacy and Security Issues to Consider
Chris Witt, president of Wake Technology Services, sums it up this way: "If you're not comfortable with how the cloud vendor runs their operation and you're not 100 percent confident that they can provide similar or even better protections than you are already providing, then you probably should not be moving forward with that vendor regardless of how good of a contract you can negotiate."
Demand Transparency
"Transparency into cloud operations is vital," Nussbaum stresses. Potential users should ask cloud vendors a series of questions, he says, including: Who is handling administrative rights? Who is managing the virtual machine environment? Who has database and network access?
Cloud computing customers should demand access logs, he adds. "If the hosting provider is not going to provide you with good logs on who is handling your information ... then you have to be circumspect about the overall quality of the vendor."
Organizations also should demand the right to audit "pretty much anything within the cloud environment," Nanji adds. "If the vendor is doing a good job, then they really have nothing to hide."
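The questions above (who holds administrative rights, who has database and network access) are only answerable if the vendor's access logs actually name the person behind each action. The following script is an added example, not code from the article or from any vendor it quotes; it reads a constructed, tab-separated vendor access log (a hypothetical format assumed here: timestamp, actor, role, action, resource), summarizes privileged activity per named actor, and flags entries that record an action without identifying who performed it, which is the gap Nussbaum warns about.

```python
"""Review a cloud vendor's access log for the question "who is handling
our information?"  Added example; the log format and the sample lines
below are constructed for illustration and are not from the article.
"""
from collections import defaultdict

# Constructed sample log: timestamp, actor, role, action, resource (tab-separated).
# The third line deliberately has no actor ("-") to show an unattributed action.
SAMPLE_LOG = """\
2024-05-01T08:00:12Z\tjdoe@vendor.example\tdba\tSELECT\tpatient_db.records
2024-05-01T08:05:44Z\tsvc-backup\tservice\tREAD\tsan-vol-07
2024-05-01T09:12:03Z\t-\tadmin\tLOGIN\thypervisor-02
2024-05-01T09:13:10Z\tmlee@vendor.example\tadmin\tSNAPSHOT\tvm-ehr-prod
2024-05-01T10:40:00Z\tjdoe@vendor.example\tdba\tDROP\tpatient_db.tmp
"""

# Roles and actions that count as "handling administrative rights" or
# database/VM access in this assumed schema.
PRIVILEGED_ROLES = {"admin", "dba"}
ADMIN_ACTIONS = {"LOGIN", "SNAPSHOT", "DROP", "GRANT"}
MISSING_ACTOR = {"", "-", "unknown", "n/a"}


def parse_log(text):
    """Parse the tab-separated log into a list of dicts; reject malformed lines."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(parts)}")
        ts, actor, role, action, resource = parts
        entries.append({"ts": ts, "actor": actor, "role": role,
                        "action": action, "resource": resource})
    return entries


def review_access(entries):
    """Return (privileged activity per named actor, entries with no actor).

    An entry with a privileged role or an administrative action but no actor
    means the log cannot tell you who handled your data.
    """
    by_actor = defaultdict(list)
    unattributed = []
    for e in entries:
        if e["actor"].strip().lower() in MISSING_ACTOR:
            unattributed.append(e)
            continue
        if e["role"] in PRIVILEGED_ROLES or e["action"] in ADMIN_ACTIONS:
            by_actor[e["actor"]].append((e["ts"], e["action"], e["resource"]))
    return dict(by_actor), unattributed


def log_quality_verdict(unattributed):
    """Summarize whether the log answers "who", in the article's terms."""
    if unattributed:
        return f"circumspect: {len(unattributed)} privileged action(s) have no identified actor"
    return "acceptable: every recorded action names the person or service responsible"


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    summary, missing = review_access(entries)
    for actor, actions in sorted(summary.items()):
        print(actor)
        for ts, action, resource in actions:
            print(f"  {ts}  {action:<9} {resource}")
    print(log_quality_verdict(missing))
```

Run against a real export, the per-actor listing is what you would compare with the vendor's stated list of staff who hold administrative, hypervisor and database rights; any unattributed privileged entry is a concrete question to put back to the vendor before signing.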
Ask for Documentation
To help ensure that a cloud vendor has all appropriate security measures in place, organizations should demand a copy of its security risk analysis, as well as any independent reviews, such as a SAS 70 audit, Nussbaum says. Also ask for evidence that the vendor has taken the corrective actions necessary to address any deficiencies identified in these reviews, he advises.
Address Physical Security
Be sure to understand how the vendor provides physical security for servers, Witt advises. "You should be confident that the vendor employs a strong operational framework that sets the rules for access to the devices, how they handle removable media and, of course, the eventual destruction of that media ... Then, once you're satisfied that the vendor is doing all the right things, you can negotiate a contract that legally binds them to doing those things correctly."
Size Up Use of Encryption
Before signing a cloud computing contract, organizations should get precise answers on how the vendor uses encryption, Witt says.
"In a perfect world, end-to-end encryption provides the best protection; however, this is not always feasible," he says. "Any tape or other removable media should be encrypted. That's a no-brainer. All network communication should be encrypted. Again that's straightforward."
But Witt urges cloud computing users to also ask vendors about encryption of data in storage area networks, or SANs. "There is technology available today to encrypt all data on the drives, and it is able to do it without a significant performance penalty. Encrypting those drives protects the organization from someone pulling a drive out of a SAN and walking away with it. That's really what you want to do."
Ask About Breach History
One of the most important questions to ask a cloud vendor, Nussbaum says, is "Have you had a breach yet?"
If the vendor has had an incident, organizations should demand details about "the root cause analysis process [the vendor] went through to establish what needed to be corrected and the corrective action it took."
Demand Prompt Reporting of Breaches
Business associate agreements, which spell out details of HIPAA and HITECH Act compliance for vendors serving healthcare organizations, must carefully address breach notification issues, Nussbaum says.
Because hospitals, clinics and other covered entities must report major breaches to federal authorities within 60 days, a business associate agreement should require a cloud vendor to report incidents immediately, Nussbaum says. That way, the healthcare organization will have enough time to investigate the incident and notify those affected, as well as regulators, in compliance with federal healthcare breach notification requirements.
What Happens When Contract Ends?
"You need to know how you'll get your data returned upon termination of the contract," Witt says. "This is not always an easy area, only because we're dealing with large volumes of data, especially in healthcare ... that you just can't copy onto a thumb drive and go down the street and move to another vendor. The challenge is to make sure that all those ground rules are set in stone upfront so you know how to proceed in the event that you would terminate the contract."
The contract also should define the customer's rights in the event that the vendor is acquired, Witt says. "The cloud market is still relatively young, and we'll probably see some more mergers and acquisitions. In most cases, this shouldn't present any problem, but if the acquiring organization is one that you do not care to do business with, then you definitely need an out."
Check Your Liability Insurance
Because many cloud computing contracts assign certain liabilities to the customer, Nussbaum stresses that, in certain cases, the healthcare organization may need additional insurance coverage.
"A hospital may find that standard business [liability insurance] coverage does not cover cyber-liabilities ... including things like breaches, security violations and the like," he notes.
If this is the case, the organization may need to buy a "rider" to the insurance policy to cover these events. Unfortunately, Nussbaum says, "Many insurance companies are still exploring ... how they would measure the potential liability if they were to issue such riders." As a result, he says, the riders "may either be unavailable or extremely expensive."