http://healthitsecurity.com/2013/10/03/healthcare-cloud-security-staying-current-with-baas-slas/
By Patrick Ouellette
Health IT Security
October 3, 2013
BOSTON -- No healthcare privacy and security discussion would be complete
without a mention of cloud computing, and last week’s HIMSS Privacy and
Security Forum didn’t disappoint. The “Managing Security Risks of Health
Data in the Cloud” keynote featured Lee Kim, JD, Director of Privacy and
Security for HIMSS, and Phil Curran, Chief Information Security Officer for
Cooper Health Systems.
Kim and Curran explained what needs to be accomplished from a healthcare
provider’s point of view when dealing with cloud providers as business
associates (BAs) to ensure that the data remains secure and the
organization is contractually protected.
Curran, who has used five different cloud applications at Cooper, said
that vetting a cloud provider should have four elements: a technical
evaluation (penetration tests), a physical site visit, audits every 3 years
and ongoing monitoring from organizations such as the National Health
Information Sharing & Analysis Center (NH-ISAC) or the Health Information
Trust Alliance (HITRUST), though those options can get expensive.
SLAs should define specific security objectives (i.e., what the cloud
provider should actually do, such as implementing access controls),
monitor security compliance, and measure the cloud provider’s
performance and resources, such as the power, network and hardware it has
in place. Curran added that the SLA contract language should state those
objectives in the contract itself, attach the technical evaluation as an
exhibit, and spell out the monitoring details.
“Putting SLA agreements into place is difficult – it may be a push to get
the language that you want into there,” Curran said. “Part of it is making
sure on your part the vendor does what they say they’re going to do.”
[...]