Information Security News mailing list archives

Healthcare cloud security: Staying current with BAAs, SLAs


From: InfoSec News <alerts () infosecnews org>
Date: Mon, 7 Oct 2013 07:36:18 +0000 (UTC)

http://healthitsecurity.com/2013/10/03/healthcare-cloud-security-staying-current-with-baas-slas/

By Patrick Ouellette
Health IT Security
October 3, 2013

BOSTON -- No healthcare privacy and security discussion would be complete without the mention of cloud computing, and last week’s HIMSS Privacy and Security Forum didn’t disappoint. The “Managing Security Risks of Health Data in the Cloud” keynote featured Lee Kim, JD, Director of Privacy and Security for HIMSS, and Phil Curran, Chief Information Security Officer for Cooper Health Systems.

Kim and Curran explained what needs to be accomplished from a healthcare provider’s point of view when dealing with cloud providers as business associates (BAs) to ensure that the data remains secure and the organization is contractually protected.

Curran, who has used five different cloud applications at Cooper, said that there should be four elements in vetting a cloud provider: technical evaluation (penetration tests), a physical site visit, audits every 3 years and ongoing monitoring from organizations such as the National Health Information Sharing & Analysis Center (NH-ISAC) or Health Information Trust Alliance (HITRUST), though those options can get expensive.

SLAs should define specific security objectives (i.e., what the cloud provider should actually do, such as implementation of access controls and otherwise), monitor security compliance and measure the cloud provider’s performance and resources, such as their power, network and hardware in place. Curran added that SLA contract language should include objectives in the contract, a technical evaluation as an exhibit and monitoring details. “Putting SLA agreements into place is difficult – it may be a push to get the language that you want into there,” Curran said. “Part of it is making sure on your part the vendor does what they say they’re going to do.”

[...]