The Security Scrutinizer with Howard Anderson

Cloud Computing: Factors to Consider

Investigate Security Before Signing a Contract

The latest evidence of the growing interest in cloud computing in healthcare is the Department of Veterans Affairs' announcement that it's considering enabling its medical staff to use cloud collaborative tools. But experts advise healthcare organizations considering using cloud computing to ask vendors tough questions about privacy and security and carefully consider whether they need additional liability insurance coverage to address the risks involved.

In a recently issued request for information, the VA asked vendors for suggestions for using web-based collaborative software that will integrate with the VA's existing systems. The project would start with a pilot including up to 5,000 participants. That could lead to the use of collaborative tools by all of the VA's 134,000 medical staffers.

The VA figures that because physicians, residents and other clinicians want to use cloud collaborative tools, it should develop a comprehensive strategy that includes security precautions, rather than risk having medical staff use the tools on their own in an unsecure manner.

The VA's November 2010 report to Congress on breaches listed an incident at a Chicago VA hospital in which four residents were inappropriately sharing information on more than 1,000 patients via a Yahoo calendar application. So the VA wants to make sure such cloud collaborative applications are used with the appropriate security precautions, including accessing the applications through a secure VA network.

In its RFI, the VA lists 47 questions for vendors to address before it considers whether to solicit bids for collaborative tools.

While the VA ponders its next move, a growing number of hospitals, clinics and other healthcare organizations across the country are considering the cloud computing model for a wide range of uses, from remote hosting of electronic health records to storing huge diagnostic image files.

Privacy, Security Questions

Before negotiating a contract with a cloud computing vendor, organizations should ask plenty of questions about privacy and security, says consultant Chris Witt of Wake Technology Services Inc. (see: Questions to Ask Cloud Vendors).

"If you're not comfortable with how the cloud vendor runs their operation, and you're not 100 percent confident that they can provide similar or even better protections than you are already providing, then you probably should not be moving forward with that vendor," Witt says.

Witt advises organizations to ask cloud vendors about how they:

  • Provide physical security for their servers;
  • Track who has access to servers and all storage media; and
  • Apply encryption to protect data.

Plus, healthcare organizations entering cloud computing contracts should carefully consider whether they need additional liability insurance coverage to address the risks involved, says Gerard Nussbaum, a consultant with Kurt Salmon (see: Cloud Computing: Insurance Issues).

Because some cloud computing contracts assign certain liabilities to the customer, Nussbaum stresses that, in certain cases, the healthcare organization may need additional insurance coverage.

"A hospital may find that standard business [liability insurance] coverage does not cover cyber-liabilities ... including things like breaches, security violations and the like," he notes. If this is the case, the organization may need to buy a "rider" to the insurance policy to cover these events. Unfortunately, Nussbaum says, "Insurance companies are still exploring ... how they would measure the potential liability if they were to issue such riders. So [the riders] may either be unavailable or extremely expensive."



About the Author

Howard Anderson


Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.



