The assessment of cloud-based solutions in healthcare requires new ways of thinking about risk assessments, governance, and technical integration. In an eHealth Initiative presentation on Dec. 15, Mitch Parker, chief information security officer at Temple University Health System in Philadelphia, shared some of his thoughts on how to approach vendor relationships in the cloud.
Parker said the cloud is attractive in healthcare because it can reduce costs of supporting non-core systems such as human resources, supply chain, and e-mail, and it can turn capital costs to operational costs. Also, he said, cloud providers can provide better support and maintenance as they focus on your systems. “The good ones plan in aggregate and leverage costs across customers,” Parker said. The cloud could also reduce costs of supporting your core systems, he explained. Hosting the EHR elsewhere allows for predictable costs, maintenance and upgrades. It also reduces risk to the core environment by having patients access a third-party site instead of the hospital/healthcare environments.
But use of cloud systems must fall under the same governance framework as other systems, Parker warned. “Cloud applications need to fall under the same rules and regulations that on-premise applications do, with no exceptions,” he said. One danger is the rise of “shadow IT” applications in the cloud that are not going through a standard risk assessment and evaluation. “That is very dangerous because your data is going somewhere where your CIO or security doesn’t know about it,” he said. “You have to have one set of rules apply to everyone. The second you sanction shadow IT, you do not have that one set of rules. You do not have the criteria by which you can evaluate risk. This is not just because you want to, this is a HIPAA Security Rule and Joint Commission requirement.” He said Temple once had a city health department offering a cloud-based application to one of its departments. “We found out about it when the department called the help desk because they couldn’t access the application. Make sure departments are well aware of one set of rules,” he said.
Parker recommends being very comprehensive in security evaluations, with a standardized questionnaire for vendors. “We have 163 questions we ask every vendor when they come in, and we follow them up with interviews based upon the answers,” he said. He said they look not just at a one-time view of security, but how they continually maintain security in that environment. “You have every right to ask questions and ask vendors for changes,” he said. “Don’t accept it when a vendor says it is an accepted configuration. Ultimately you are still responsible for that data even though it is housed at a third party. When you move a core system to hosted is you have to make sure it is better. If you mess it up, you may not be able to move anything else to the cloud for a while.”
Moving to the cloud changes the relationship from transactional to a partnership, he said. “You need to have very tight relationships.” They are business partners now, not adversaries. You should not have an adversarial relationship, but make sure the contract spells everything out, he added. Make sure that preliminary questionnaires cover major areas of security. (Temple’s cover hosting, development, ongoing maintenance, upgrades, downtime.)
The Joint Commission Information Management Standards state that organizations need to focus on downtime procedures and disaster recovery plans. The cloud does not obviate your need to do this planning, he said. Now that your applications aren’t on premise, even if they are redundant, there is still increased risk of loss of connectivity. “You need to be able to function without the cloud,” he said.
Parker gave one example of a cloud-based system deployed at Temple: a new double-blind system for research subject selection. An on-premise solution would not work across institutions like the cloud solution will. This provides significant benefit to the research community. “We were able to verify and validate the entire development and management process with the vendor,” he said. “We were able to present a solution to executive leadership that was more secure than on-premise.”
