Security Questions to Ask Cloud VendorsCISO Offers Insights Based on Experience
For example, it's important to ask whether the cloud vendor has had a third-party security audit and can share the results, says Curran, chief information security and privacy officer at Cooper University Health Care. Plus, healthcare organizations should confirm that the vendor has a thorough security incident response plan, he says.
"There's a whole host of questions we ask the vendors, and, if necessary, we visit the vendor to do an onsite review," he says in an interview with Information Security Media Group during the recent HIMSS Privacy and Security Forum in Boston.
The New Jersey-based health system has outsourced to five cloud vendors a number of mission-critical enterprise applications, including electronic health records, patient registration, human resources and portions of its billing system, he says. Although Cooper's organization hasn't yet used cloud services from large, mainstream cloud services providers, such as Google, Amazon or Microsoft, "We're beginning to look at those," he says.
In the interview, Curran also:
- Describes a major project for next year to upgrade medical devices that use the Microsoft XP operating system. "XP won't be supported anymore [by Microsoft], no patches will be available ... and that is a concern for us," he says;
- Outlines the biggest challenges involved in complying with the HIPAA Omnibus Rule;
- Offers suggestions for organizations still working on their compliance efforts;
- Describes current projects, including mobile security, Web file sharing and secure texting.
Cooper University Health Care in Camden N.J., includes more than 700 physicians and a hospital that's the clinical campus of Cooper Medical School of Rowan University. Curran has more than 20 years of experience in information technology, regulatory compliance and risk management. He also spent 20 years in the U.S. Air Force.