what every physician needs to know about cloud storage
TRANSCRIPT
1 GROWING TREND
CLOUD-BASED STORAGE IS A GROWING TREND IN HEALTH CARE.
• Healthcare providers are using cloud storage for data collection, aggregation, analytics, and decision making.
• By 2020, 80 percent of health care data will pass through “the cloud” at some point in its lifetime. [1]
1. http://www.fiercehealthit.com/story/2015-healthcare-predictions-growth-analytics-mobile-security-risks/2014-11-21
2 BUSINESS ASSOCIATE
• According to the HIPAA Omnibus rule, cloud storage providers are business associates and must comply with privacy and security rules.
A VENDOR DOES NOT HAVE TO VIEW PATIENT DATA TO BE CONSIDERED A BUSINESS ASSOCIATE.
3 BUSINESS ASSOCIATE AGREEMENT (BAA)
BAA’S MAIN PURPOSE:
• To legally document and acknowledge the relationship between the covered entity and the cloud storage provider, while also setting rules and expectations for each party.
• The cloud storage provider must understand that it is required to take certain steps to appropriately safeguard the privacy and security of the data it stores.
ASK YOUR CYBER LIABILITY INSURANCE PROVIDER ABOUT WHAT TO INCLUDE IN A BAA.
4 HIPAA COMPLIANCE
JUST BECAUSE CLOUD STORAGE VENDORS CLAIM THEY ARE “CERTIFIED HIPAA COMPLIANT”
DOES NOT MEAN THEY ACTUALLY ARE.
• Proper vetting must take place on any vendor you are considering.
• Some third parties will assess HIPAA compliance among cloud storage providers, but such HIPAA certification is not recognized by HHS or any other government body.
  - A cloud provider’s (or a third-party reviewer’s) definition of HIPAA compliance may not equate to the HHS definition of compliance.
5 HIPAA COMPLIANCE
YOU MIGHT WANT TO ASK
1. About obtaining documentation of a quality third-party assessment of the vendor’s HIPAA compliance.
2. How often does the cloud provider conduct a risk analysis, and will they provide information from their most recent risk analysis?
3. What specific security controls do they have in place? (For example, what form of encryption is used and on what information? Who has access to the keys?)
6 HIPAA COMPLIANCE
• According to the HIPAA Omnibus rule, covered entities share the responsibility when a business associate has a security breach, meaning both are responsible for sending proper notifications if a security breach occurs.
• Two separate risk assessments must occur: one must be conducted by the cloud provider and one must be conducted by the covered entity.
7 DATA STORAGE POLICY
QUESTIONS TO ASK
• How will the vendor back up the data? How will the data be restored?
• Will the vendor’s staff ever read or look at the data? If so, in what situations?
• Under what circumstances would the vendor turn data over to law enforcement, with or without a warrant?
• What happens if you surpass your storage limits?
• Does the vendor have a plan for returning your data if the vendor were to sell, go out of business, or your contract is terminated?
8 CONCLUSION
• When choosing a cloud storage provider, be cautious about claims of HIPAA compliance.
• Appropriately vet the vendor and sign an appropriate BAA to ensure patient privacy and security.
• Choose a provider that understands the requirements of the HIPAA Omnibus rule.
9 SOURCES
• Cloud Security Toolkit: Navigating HIPAA While Moving to the Cloud, by Adam H. Greene, JD, MPH. http://www.himss.org/ResourceLibrary/genResourceDetailPDF.aspx?ItemNumber=28307
• Top 10 Things to Consider About Omnibus for Cloud Storage. http://www.ironmountain.com/~/media/Files/Iron%20Mountain/Knowledge%20Center/Reference%20Library/Best%20Practices/Top_10_Things_to_Consider_About_Omnibus_for_Cloud_Storage.pdf?dmc=1&ts=20150810T1230482174
10 ABOUT TMLT
With more than 17,500 physicians in its care, Texas Medical Liability Trust (TMLT) provides malpractice insurance and related products to physicians. Our purpose is to make a positive impact on the quality of health care for patients by educating, protecting, and defending physicians. www.tmlt.org
PROTECTION FOR A NEW ERA OF MEDICINE