
WHAT EVERY PHYSICIAN NEEDS TO KNOW

ABOUT CLOUD STORAGE

1 GROWING TREND

CLOUD-BASED STORAGE IS A GROWING TREND IN HEALTH CARE.

• Health care providers are using cloud storage for data collection, aggregation, analytics, and decision making.

• By 2020, 80 percent of health care data will pass through "the cloud" at some point in its lifetime. [1]

1. http://www.fiercehealthit.com/story/2015-healthcare-predictions-growth-analytics-mobile-security-risks/2014-11-21

2 BUSINESS ASSOCIATE

• According to the HIPAA Omnibus rule, cloud storage providers are business associates and must comply with the HIPAA Privacy and Security Rules.

A VENDOR DOES NOT HAVE TO VIEW PATIENT DATA TO BE CONSIDERED A BUSINESS ASSOCIATE.

3 BUSINESS ASSOCIATE AGREEMENT (BAA)

BAA'S MAIN PURPOSE:

• To legally document and acknowledge the relationship between the covered entity and the cloud storage provider, while also setting rules and expectations for each party.

• The cloud storage provider must understand that it is required to take specific steps to appropriately safeguard the privacy and security of the data it stores.

ASK YOUR CYBER LIABILITY INSURANCE PROVIDER ABOUT WHAT TO INCLUDE IN A BAA.

4 HIPAA COMPLIANCE

JUST BECAUSE CLOUD STORAGE VENDORS CLAIM THEY ARE “CERTIFIED HIPAA COMPLIANT”

DOES NOT MEAN THEY ACTUALLY ARE.

• Proper vetting must take place for any vendor you are considering.

• Some third parties will assess HIPAA compliance among cloud storage providers, but such "HIPAA certification" is not recognized by HHS or any other government body.

- A cloud provider's (or a third-party reviewer's) definition of HIPAA compliance may not equate to the HHS definition of compliance.

5 HIPAA COMPLIANCE

YOU MIGHT WANT TO ASK

1. About obtaining documentation of a quality third-party assessment of the vendor's HIPAA compliance.

2. How often does the cloud provider conduct a risk analysis, and will they provide information from their most recent risk analysis?

3. What specific security controls do they have in place? (For example, what form of encryption is used and on what information? Who has access to the keys?)

6 HIPAA COMPLIANCE

• According to the HIPAA Omnibus rule, covered entities share the responsibility when a business associate has a security breach. Both parties have notification duties: the business associate must notify the covered entity of the breach, and the covered entity must send the required notifications to affected individuals (and, where required, to HHS and the media).

• Two separate risk assessments must occur: one conducted by the cloud provider and one conducted by the covered entity.

7 DATA STORAGE POLICY

QUESTIONS TO ASK

• How will the vendor back up the data? How will the data be restored?

• Will the vendor's staff ever read or look at the data? If so, in what situations?

• Under what circumstances would the vendor turn data over to law enforcement, with or without a warrant?

• What happens if you surpass your storage limits?

• Does the vendor have a plan for returning your data if the vendor were to be sold, go out of business, or your contract is terminated?

8 CONCLUSION

• When choosing a cloud storage provider, be cautious about claims of HIPAA compliance.

• Appropriately vet the vendor and sign an appropriate BAA to ensure patient privacy and security.

• Choose a provider that understands the requirements of the HIPAA Omnibus rule.

9 SOURCES

• Cloud Security Toolkit: Navigating HIPAA While Moving to the Cloud, by Adam H. Greene, JD, MPH. http://www.himss.org/ResourceLibrary/genResourceDetailPDF.aspx?ItemNumber=28307

• Top 10 Things to Consider About Omnibus for Cloud Storage. http://www.ironmountain.com/~/media/Files/Iron%20Mountain/Knowledge%20Center/Reference%20Library/Best%20Practices/Top_10_Things_to_Consider_About_Omnibus_for_Cloud_Storage.pdf?dmc=1&ts=20150810T1230482174

10 ABOUT TMLT

With more than 17,500 physicians in its care, Texas Medical Liability Trust (TMLT) provides malpractice insurance and related products to physicians. Our purpose is to make a positive impact on the quality of health care for patients by educating, protecting, and defending physicians. www.tmlt.org
