Leveraging Managed Cloud Services to Meet Cloud Compliance Challenges
Blog Article Published: 11/04/2011
By Allen Allison

Regardless of your industry, customer base, or product, it is highly likely that you face regulatory compliance requirements. If you handle Protected Health Information (PHI), the Health Insurance Portability and Accountability Act (HIPAA), together with the HITECH enhancements to it, is a primary concern for your organization. If you work with government agencies, you may need to comply with the Federal Information Security Management Act (FISMA) and the National Institute of Standards and Technology (NIST) standards that implement it. In addition, most states have privacy laws protecting the Personally Identifiable Information (PII) of their residents.

It is a common misunderstanding that these regulatory compliance requirements preclude many organizations from leveraging outsourced, managed cloud services. Depending on the cloud services provider you choose, you may not only be able to meet your existing compliance obligations; the provider is also likely to have controls and processes that improve your compliance program.

When HIPAA was enhanced by the Health Information Technology for Economic and Clinical Health (HITECH) Act, companies holding PHI began to panic. Not only were they expected to protect patient health information, they had the added requirement of ensuring that third-party providers enforced the same stringent controls on the systems they support. Furthermore, these organizations had the added responsibility of notifying affected individuals in the event of a breach of confidentiality.

If nothing else, HITECH gives us two things. First, the heightened awareness of the sensitivity of each individual's health information leads to stronger security programs and gives the public assurance that privacy is being protected. Second, because no organization wants to be in the headlines for a security breach, HITECH spurs organizations to improve their information security, enhance their incident response capabilities, and build a platform for notifying affected individuals if their information has been compromised. I can, with all honesty, say that I do feel a bit more secure with my Protected Health Information.

I use HIPAA and HITECH as an example, not because it is the model information security regulation (it is not), but because it is a topic that everyone can relate to. Similar security requirements stretch across most industries. What HITECH has done for cloud service providers is enable them to build a common control platform, implement technologies that may be too expensive for some organizations to deploy themselves, and leverage a world-class security and compliance platform to ensure that PHI, which is vital to the ongoing management of health care, remains secure, protected, and confidential.

When searching for a cloud provider, it is important to understand which of the controls the provider has built into the underlying platform apply to your own compliance obligations. I recommend asking these three questions:
- How many customers in my industry do you currently serve on your cloud platform?
- May I see your most recent SSAE 16 SOC report or other applicable audit? (Note that an SSAE 16 SOC 1 report covers controls relevant to financial reporting; a SOC 2 report covers security, availability, and confidentiality controls, which is usually what a compliance program actually needs to review, along with the report's scope and exceptions.)
- What development lifecycle process does your team follow when building cloud services and the underlying platform?