Cloud Computing: Factors to Consider
Investigate Security Before Signing a Contract
In a recently issued request for information, the VA asked vendors for suggestions for using web-based collaborative software that will integrate with the VA's existing systems. The project would start with a pilot including up to 5,000 participants. That could lead to the use of collaborative tools by all of the VA's 134,000 medical staffers.
The VA figures that because physicians, residents and other clinicians want to use cloud collaborative tools, it should develop a comprehensive strategy that includes security precautions, rather than risk medical staff using the tools on their own in an insecure manner.
The VA's November 2010 report to Congress on breaches listed an incident at a Chicago VA hospital in which four residents were inappropriately sharing information on more than 1,000 patients via a Yahoo calendar application. So the VA wants to make sure such cloud collaborative applications are used with the appropriate security precautions, including accessing the applications through a secure VA network.
In its RFI, the VA lists 47 questions for vendors to address before it considers whether to solicit bids for collaborative tools.
While the VA ponders its next move, a growing number of hospitals, clinics and other healthcare organizations across the country are considering the cloud computing model for a wide range of uses, from remote hosting of electronic health records to storing huge diagnostic image files.
Privacy, Security Questions
Before negotiating a contract with a cloud computing vendor, organizations should ask plenty of questions about privacy and security, says consultant Chris Witt of Wake Technology Services Inc. (see: Questions to Ask Cloud Vendors).
"If you're not comfortable with how the cloud vendor runs their operation, and you're not 100 percent confident that they can provide similar or even better protections than you are already providing, then you probably should not be moving forward with that vendor," Witt says.
Witt advises organizations to ask cloud vendors about how they:
- Provide physical security for their servers;
- Track who has access to servers and all storage media; and
- Apply encryption to protect data.
Plus, healthcare organizations entering cloud computing contracts should carefully consider whether they need additional liability insurance coverage to address the risks involved, says Gerard Nussbaum, a consultant with Kurt Salmon (see: Cloud Computing: Insurance Issues).
Because some cloud computing contracts assign certain liabilities to the customer, Nussbaum stresses that, in certain cases, the healthcare organization may need additional insurance coverage.
"A hospital may find that standard business [liability insurance] coverage does not cover cyber-liabilities ... including things like breaches, security violations and the like," he notes. If this is the case, the organization may need to buy a "rider" to the insurance policy to cover these events. Unfortunately, Nussbaum says, "Insurance companies are still exploring ... how they would measure the potential liability if they were to issue such riders. So [the riders] may either be unavailable or extremely expensive."