6 keys to selecting a cloud vendor for healthcare data

Published
  • May 10 2018, 4:00am EDT

6 keys to selecting a cloud vendor for healthcare data

As healthcare organizations continue to move toward cloud-based data hosting services, they face multiple regulations for how to handle and secure protected health information.

For example, virtually all healthcare providers, insurers and business associates understand their obligations under the HIPAA privacy, security and breach notification rules. But how many of these entities know that storing, processing or otherwise handling credit card information falls under standards established by the Payment Card Industry? Cloud hosting vendor iland offers a checklist for healthcare data security compliance in the cloud, as well as credit card standards, that could include significant fines for noncompliance.

Rules everywhere

Consider the role the cloud plays in complying with HIPAA regulations. Requirements, among others, include securing physical access to the facility storing data; encrypting sensitive information at all times regardless of the device that data is coming from or going to; pre-planning backup and data recovery documentation; securing disconnects of inactive sessions; ensuring vendor familiarity with HIPAA rules; and implementing audit controls and documentation to demonstrate compliance.

Content Continues Below

Evaluate your cloud vendor

Cloud vendors being considered should be well-versed in the above requirements. Providers should purchase analyst reports, and get referrals from application and network vendors already serving the organization.

Quiz time

When meeting with prospective vendors, bring a checklist to ensure all questions are answered. Expect an intense conversation, not an email exchange. Often, the significant costs of a data breach are not the HIPAA violation fines imposed by regulators, but the negative publicity and loss of patient or customer faith.

Conduct a walk-through

Arrange to tour the facilities of prospective vendors and request detailed analyses of compliance-related processes. Some considerations to include are qualities of the vendor, compliance technologies in place, reporting capabilities available and compliance-oriented customer support. For example compliance professionals should be available to meet the team, show applicable certifications, know how to align procedures with regulatory requirements that include final disposal of sensitive data, and be willing to discuss compliance and security procedures directly with the customer’s auditors.

Content Continues Below

Time to roll out

Develop comfort with the chosen vendor through a rollout plan. Work with the vendor to decide how best to configure workloads to ensure compliance. Possibly start with the least sensitive workloads or start with less compliance-critical information systems to see how well the compliance framework is working.

Don’t settle

From the beginning, ensure the vendor has the organization’s compliance and audit needs in mind. The vendor should put the organization’s needs first and has clearly demonstrated throughout the process that it wants the healthcare organization to benefit from the cloud.

More information

The complete checklist from iland is available here.