Cloud Security: Ask The Right Questions

How to Help Ensure HIPAA Compliance
Brian Evans
Before they sign a contract with a cloud vendor, healthcare organizations should ask a series of probing questions about data security to help ensure HIPAA compliance, says consultant Brian Evans.

Under the HIPAA Omnibus Rule that went into effect last year, business associates, including many cloud vendors, are directly liable for HIPAA compliance.

"The biggest issue I see for covered entities is gaining insight into how their data will be protected by their cloud vendor," says Evans, a principal security and privacy consultant at Tom Walsh Consulting, in an interview with Information Security Media Group. Evans will be presenting on breach incident response at the HIMSS14 conference in Orlando on Feb. 24.

"You need to start asking these questions: How will they respond in a breach? How are they conducting auditing and monitoring? Do they have an advance recovery plan, and is that periodically tested?"

Another topic that needs to be addressed, Evans stresses, is avoiding having a healthcare organization's data "co-mingled" on the same server with the data of a cloud vendor's other clients.

It's also important to pinpoint all the cloud vendor's subcontractors involved with providing services, as well as their physical locations, he says. "If you look at it from a compliance perspective, some of these locations can be outside of the U.S., and then the legal question is whether the HIPAA Security Rule or other regulatory requirements apply," he says.

In the interview, Evans also discusses:

  • The most common cloud services that healthcare organizations are using;
  • The biggest mistakes that organizations make with their cloud computing services vendors;
  • Issues to address in business associate agreements with cloud vendors.

Before joining Tom Walsh Consulting, Evans was information security officer at The Ohio State University Health System, Atlantic Health, Fletcher Allen Healthcare, New York Hospital Queens and University of Alabama Birmingham Health System. He also led the incident response and computer forensic investigations teams for Nationwide Insurance and was vice president of IT risk management at KeyBank and JPMorgan Chase. Evans started his career as a medic in the U.S. Air Force.
