Cloud Computing: Key Security Factors
In an exclusive interview (full transcript below), Wah, who formerly played a key role in the Department of Health and Human Services' Office of the National Coordinator for Health Information Technology, offers advice for those considering using cloud computing:
- Specify in the contract that the vendor will pay the cost for any additional layers of security needed to comply with emerging regulations;
- Ask the vendor to pinpoint who will have access to the data in the remotely hosted environment and confirm that they are trained in HIPAA compliance;
- Make sure your organization has multiple paths to link to the data center hosting the application to avoid loss of access to data;
- Include in the contract requirements for how often the vendor will back up data;
- Make sure the company is willing to have a third party audit the processes and procedures used at its data center.
Wah, a practicing physician and surgeon, is vice president and chief medical officer of CSC's North American public sector civil and health services group. He focuses primarily on the firm's federal health information technology business.
He formerly served as HHS' deputy national coordinator for health information technology. Earlier, he served as associate CIO for the military health system in the Office of the Secretary of Defense. He also spent 23 years in the Navy Medical Corps. He is chair-elect of the board of trustees of the American Medical Association.
HOWARD ANDERSON: Across the country many physician group practices implementing their first electronic health record systems are considering using remotely hosted applications using the cloud computing model. Many hospitals also are considering using remotely hosted applications for certain specialized functions. So what are the most critical security risks that physicians and hospitals should consider before they use a remotely hosted application?
DR. WAH: We want to make sure physicians and hospitals consider who will have access to the data when it is in the remotely hosted application environment. As the data moves through the system it can be on storage area networks or drives or tapes or in other parts of the data center. It is important to know who will have access to that data.
It is particularly important in healthcare, given the fact that personal health information is so vital to keep secure. There are clearly federal and local regulations and laws on the handling of the data. And there are a lot of opportunities for different hands actually touching that data once it leaves the hospital or clinic. So it is important to make sure that the organization that will be offering the remotely hosted application has HIPAA compliant/HIPAA trained people who understand the importance of keeping personal health information, whether it be on paper or in electronic form, private and secure.
But the other thing one has to think about when looking at remotely hosting an application like this is it is important to have multiple paths to the data center so that you are not reliant on a single point of failure. Because the classic worry that people have, and certainly I had this when I was in the Department of Defense, is...we used to always talk about what happens if a backhoe digs up the cable that runs to our data center. If you have multiple pathways to the data center, you can fail over to another pathway and not lose connectivity.
The other thing is to make sure that the technology provider is experienced in this area of remotely hosted applications....You obviously want to shoot for the highest reliability, highest availability and highest security at the lowest cost. But all of those choices will have tradeoffs, and you want to use somebody who can give you advice based on a great deal of experience.
ANDERSON: Companies remotely hosting clinical software are considered business associates and so they must comply with HIPAA. What specific security information should be added to business associate agreements with these vendors beyond what is included in agreements with other business associates?
DR. WAH: One of the things that people need to be thinking about when they write these contracts is making sure that it is absolutely clear in the contract who has the responsibility for security and what is the time phasing of that responsibility.
In many cases, these contracts are written for multiple years. It is not uncommon to see language something like, "The provider of the service will comply with all current federal regulations," which sounds very reasonable. But it is important to remember that current federal regulations may, in fact, change.
It has been a long time since the initial HIPAA regulations came out, and with the HITECH Act, there were some additional changes to data security. They really focused a lot on information security, encryption, the need to do an annual risk assessment.
It is important to have in the contract what is the plan when new regulations come out; whose responsibility is it to comply with those; what is the timeframe for achieving compliance; and who bears the cost of changing the system or adding new layers of security to become compliant.
ANDERSON: What questions should potential users ask about how the company hosting the application uses encryption specifically?
DR. WAH: Well when we consider encryption, you think about data at rest, in transit or in use. And so it is important to think about those three phases in which data exists and how encryption is going to be used to protect that data in those various phases. It is also important to think about the encryption keys and make sure that they are not stored in the same place as the data. That is fairly standard in the industry, but it is important to keep those keys separate so that if there is a failure at the source.
ANDERSON: What should potential users ask about how data will be backed up and about how the vendor handles security in its data center?
DR. WAH: It is important to understand at the beginning...what is the normal schedule for backup, and whether that meets the requirements of your situation.... We have a client that is a major medical center at one of the Ivy League schools. Every month, we drop a tape with the latest full backup so if anything happened to the data and they were not able to get to our system, they would be able to rely on an actual backup and the gap between the time they got it and the time they needed it would be fairly short.
It is important to remember that when you look at security there are really two pieces: the physical or technology security and the people and the process. Many times breaches do not occur because there is a technology failure, but because there is a human process failure where somebody loses something or somebody leaves something unattended....
I would also point out that many companies undergo a third-party audit of their entire data center on a regular basis. We bring in a third-party, like an accounting firm, to analyze what they call an SAS70 Evaluation. So the whole data center, from a technology standpoint, but also...that workflow of who does what process, is evaluated by an outside auditor...
ANDERSON: How should the issue of ownership of the data be addressed, especially if the vendor goes out of business or if the customer terminates the contract?
DR. WAH: Should an agreement terminate between two organizations, it is important that the data sanitation process is in place to make sure that all the systems that contain that data are, in fact, sanitized and the data that resided on them is destroyed so as to protect privacy and security.
Data can reside on storage area networks, tapes, or even failed hard drives, which actually still contain data -- even though the mechanism may not work, the disk that the data is written on may still be viable inside that failed drive. So it is important to make sure that data sanitation occurs.
Clearly it also is important that data transfer is occurring at the same time so that the data that was in the application or the hosted centers is transferred to the people who will need it to continue operations with another provider.
So we have to make sure again, contractually, at the beginning of a relationship, that there is a provision that outlines very specifically how that eventuality will be handled should it come up. It is always better to deal with it at the outset of the contract as opposed to at the last minute when it comes up at the end of the contract.
ANDERSON: Finally, are there any other security questions that are important to address before using cloud computing?
DR. WAH: Well I think it is important to remember that when we are talking about healthcare, in most cases we are talking about mission-critical data. So it is important to deal with it just like other industries deal with mission-critical data.
Financial industries obviously have dealt with this issue for a long time, because if they don't have access to financial data, they are sort of out of business. Lack of access to data in healthcare can actually be detrimental to patient care, which makes it even more mission-critical than financial information.
So I think it is important to have good transparency into how a data center runs. The data center operations must be transparent to the client so that they know and have good reassurance that, as I said before, the highest level of security is being maintained both from a technology standpoint but also from a policy and procedure standpoint. The client also must be assured that the people who are working in that data center are trained, are very compliant with HIPAA guidelines, and understand the importance of electronic personal health information and are very cognizant of the mission criticality of the system that they are running.
Some people actually go visit the data center to actually see the physical plant and meet the people who are going to be involved with handling their systems. Because it is, as I said before, a mission-critical data set that they are dealing with and they want to know that they have put that in the right hands. I would say transparency is a question that you always want to bring up when you are dealing with trying to select someone to handle your mission-critical data. I think it is also important to talk about maintenance. Sometimes it is necessary to shut down the system to do maintenance....So it is important to make sure that everyone understands what the procedure would be when that maintenance occurs.
In some systems, it is possible to do it during the off hours when no patient care is going on. When I was in the Department of Defense, we had a problem where we were operating our system in 12 time zones, so there really was no "middle of the night." Everybody was accessing the system all of the time, so we had to have backup systems put in place while maintenance was done on the main system. But other systems that are not spread as globally as we were in the Department of Defense may not have that same problem.
Knowing when the system is going to go down and when it will come back up is critical so that people know to prepare and have a contingency plan where they can go to some sort of an alternative format, whether that be paper or another system, while the maintenance is going on.
ANDERSON: Thanks very much. We have been talking today with Dr. Robert Wah of CSC. This is Howard Anderson of Information Security Media Group.