Cloud Computing: Security a Hurdle
Healthcare CISOs, Privacy Advocate Outline Concerns
While cloud computing can often provide cost-effective and convenient ways for healthcare organizations to store and share data and diagnostic images, two CISOs and a privacy advocate caution that security concerns are substantial.
At a recent conference, the CISOs spelled out their concerns, ranging from difficulty enforcing strong business associate agreements with cloud providers to vendors' lack of openness about the robustness of their security measures.
Meanwhile, patient privacy advocate Deborah Peel, M.D., has asked federal regulators to provide healthcare organizations with specific guidance about data security and privacy in cloud computing.
The 2012 Healthcare Information Security Today survey, conducted by HealthcareInfoSecurity and sponsored by RSA, found that only 36 percent of healthcare organizations are using cloud computing, such as for data or image storage or remote hosting of electronic health records or other applications. The biggest concern, the survey shows, is enforcing security policies and HIPAA compliance. (Complete survey results will be available soon.)
During a panel discussion about cloud computing at the HIMSS Privacy and Security Forum in Boston in December, Jennings Aske, CISO and chief privacy officer at Partners Healthcare, said some cloud vendors seem to skirt responsibility for security and privacy issues. Partners recently tried to identify ways to securely share data via a cloud platform. "We selected a vendor who refused to sign a business associate agreement. That was a deal breaker," he said.
Darren Lacey, CISO at Johns Hopkins University and its health system, said that many consumer-grade cloud computing offerings aren't suitable for healthcare data. "A lot of cloud organizations use e-mail addresses as your identity," he said. Not only is that insufficient for healthcare data security, it also makes it too easy for healthcare users to establish their own consumer accounts, he contended.
Aske and Lacey also complained that cloud services providers often are reluctant to make available their security audit logs or penetration test results, which they see as essential to judging whether a vendor is trustworthy.
"The reality is that a lot of companies don't want to be transparent about their testing," Aske said.
"Any software-as-a-service provider should have robust testing methodology and security testing that should be done by a third party," Lacey said in an interview with HealthcareInfoSecurity following the panel. "There should be full-on penetration testing, and the results should be made available to customers. But the problem is even those test results can be redacted."
Official Guidance Sought
The growing adoption of EHRs as a result of federal HITECH Act incentives is fueling interest in using EHRs remotely hosted in the cloud to cut start-up costs, said Peel, founder of the advocacy group Patient Privacy Rights. That underscores a need for the Department of Health and Human Services to address data security and privacy concerns about cloud computing, she said in a late December letter to HHS.
In her letter, Peel urged HHS to create guidance for healthcare providers moving data to the cloud.
"It is our understanding that other federal agencies, such as the Office of Management and Budget, National Institute of Standards and Technology, Federal Financial Institutions Examination Council, FedRAMP and the Department of Education already have issued guidance related to the provision of cloud services," Peel wrote. "We recommend [HHS develop] guidance for health information with standards at least as rigorous as those developed by NIST."
In her letter, Peel suggested the cloud guidance cover the following criteria:
- Administrative, physical, and technical safeguards for cloud vendors, such as comprehensive risk assessments by external auditors, audit controls that cannot be turned off, data encryption, robust access controls, intrusion detection and automated server management systems;
- Security standards that are consistent and compatible with the HIPAA Security Rule and the HITECH breach notification requirements;
- Standards for protecting the privacy of patient-identifiable health information in the cloud;
- Business associate agreement requirements on cloud privacy and security.
"We believe that by issuing guidance, HHS can advance the goal to protect patient information," Peel wrote.
In a statement provided to HealthcareInfoSecurity in response to an inquiry about whether HHS will consider developing cloud computing guidance, a spokeswoman for the HHS Office for Civil Rights said there is already "quite a wealth of guidance materials on this topic that has been developed by the National Institute for Standards and Technology, the Government Accounting Office and others. The HIPAA Security Rule requirements are technology neutral. Cloud computing is but one pathway among many for storing and transacting electronic protected health information."
Under the HIPAA Security Rule, OCR notes, a healthcare provider can permit a business associate, such as a cloud vendor, to create, receive, maintain or transmit electronic protected health information only if it obtains satisfactory assurances that the business associate will appropriately safeguard the information.
On Jan. 7, Joy Pritts, chief privacy officer for HHS' Office of the National Coordinator for Health IT, will participate in a panel discussion in Washington on cloud computing issues with Peel and others. The event is being hosted by Patient Privacy Rights.