Looking at the Pros/Cons of a Cloud Service Provider for Medical Practices

By RON FRECHETTE

The demand for healthcare practices to adopt cloud computing solutions has become extremely popular, almost to the point of necessity for building a profitable practice and providing optimal patient care. This cloud adoption phenomenon in the healthcare industry will only continue to grow as we journey further into the Digital Age. There are many benefits to be gained by transitioning to the cloud. There are also several security and compliance risks to consider.

Starting with a high-level overview of the benefits and risks of cloud computing, followed by looking at a security and compliance checklist will help determine if cloud service providers are right for your practice.

Cloud Computing Defined

Cloud computing is a model for enabling on-demand network access to a shared pool of configurable computing resources such as, networks, servers, storage, applications, and services that can be rapidly provisioned and released with minimal management effort or service provider interaction.

Advantages of Cloud-Computing

• Cost - the most significant benefit to cloud computing is IT cost savings. Healthcare practices can eliminate in-house client server storage and application requirements. This also eliminates associated costs such as power, air conditioning and administration.

• Accessibility - cloud computing allows healthcare providers access to electronic health records, test results and other important info from any PC or mobile device.

• Continuity of Care - The ability to access the system outside of the office allows physicians, staff, patients and authorized third party administrators to collaborate more effectively in a secure environment and provide better continuity of care.

• Dependability - cloud computing is much more dependable and consistent than in-house IT infrastructures. Most providers offer service level agreement (SLA) guarantees of around the clock access and little to no downtime. Medical practices can benefit from redundant IT resources and quick failover mechanisms - if a server fails, hosted applications and services are transferred to back-up servers.

• Scalability On-Demand - healthcare practices can expand and contract their IT needs by simply making a call or sending an email. This makes it easy to add new services, users or locations.

• Shared Security and Compliance - most cloud service providers have a full time IT security and compliance staff to ensure they are providing their clients state of the art security and they are up to date on all compliance mandates. It is the responsibility of the practice manager to ask the cloud service provider to share their security standards and compliance certifications.

Disadvantages of Cloud Computing

• Outages - cloud service providers manage several clients simultaneously. This can create support challenges. There is also the risk of the cloud service provider experiencing technical outages. This can lead to services being temporarily suspended.

• Accessibility - If your practice experiences a power outage, you will not have access to applications, server or data from the cloud services provider.

• Security - Although cloud service providers are mandated to implement the best security standards and industry certifications, storing data and important files on external service providers always opens up risks. The ease in procuring and accessing cloud services can also give bad actors the ability to scan, identify and exploit loopholes and vulnerabilities within a system. However, such exploits and loopholes are not likely to surface if cloud service providers have a sound security program in place.

• Limited Control - Since the cloud infrastructure is entirely owned, managed and monitored by the service provider, it transfers minimal control to the customer.

Six Questions to ask Cloud Service Providers:

1. What type of compliance certifications does your company hold?
   1. HITRUST certification would be of most interest in healthcare providers.
   2. Also, ISO 27001, SSAE 18 (SOC1, SOC 2, SOC 3 Reports) are important to have
   3. PCI DSS Report on Compliance should be required if they process, store or transmit credit card data on behalf of your practice.
2. Can you share third-party auditor reports?
3. Do you perform annual security risk assessments? Can you provide the results?
4. Do you perform annual penetration testing? Can you provide the results?
5. Do you have a disaster recovery and business continuity plan in place?
6. Is your facility open for a physical walk-through inspection?

The answers to these questions can determine quickly if a cloud service provider is worth pursuing as a partner.

Protecting Patient Health Information

Protected Health Information (PHI) records are especially valuable to cyber criminals due to the amount of data each record possesses and the diverse ways in which they can be exploited. We are all patients. As custodians of protected healthcare information, patients trust healthcare providers to uphold their professional and moral obligations to protect their medical records from getting into the wrong hands.

As the data breach trend continues to rise in the healthcare industry, especially in smaller practices, patients are beginning to ask the hard questions about how the practice is protecting their personal healthcare information. Not having the right answers could lead to a loss of patients.

The challenge many physician offices face is access to qualified security professionals to provide accurate and affordable guidance. Performing an independent security risk assessment is a great first step toward identifying vulnerabilities within the practice and ultimately reducing the risk of a data breach.

As physician practices are forced to rely more on cloud computing in the Digital Age, beginning to assess the security posture of a practice, which includes thoroughly vetting and identifying cloud service providers will help keep patient data safe and secure in cyberspace.

Ron Frechette, is managing partner of GoldSky Security, a cybersecurity and healthcare firm. Questions: ron.frechette@goldskysecurity.com

For more information:

https://www.hhs.gov/hipaa/for-professionals/special-topics/cloud-computing/index.html

https://en.wikipedia.org/wiki/Cloud_computing_security