A framework for embracing cloud in health and healthcare

Last week, I shared information about the progress we are making on Windows 10 and some really cool new technologies, like HoloLens, that I believe will have a significant impact in health and medicine down the line. This week, I’d like to focus on something much more immediately relevant to healthcare organizations—decisions about streamlining IT operations and reducing costs by moving applications and services to the cloud.

When considering such a move, health organizations wrestle with how to evaluate the security and privacy aspects of the cloud and how these relate to their hospital’s or clinic’s existing risk profiles. There are benefits and challenges in whether applications and infrastructure are hosted on premise, off-premise or a combination of the two. There are many choices and many risks that go along with each choice and it’s important to evaluate what will be optimal for each organization.

To help, Microsoft recently announced the availability of a Health Risk Assessment Framework–a guide to privacy and security considerations for the adoption of cloud service in the health sector. Although this document was specifically prepared to address the concerns of health organizations in Europe, I believe it is completely relevant to organizations anywhere in the world. Therefore, I’d like to share some of the key points with you. If desired, you can access the full document at the end of this post.

The shift to cloud computing offers health organizations enormous efficiencies, allowing far greater flexibility and capital cost reductions, while most importantly improving provider and patient access to real-time information. However, this shift often changes the way that organizations operate, and presents challenges to data privacy officers (DPO’s) and information security professionals.

Among the privacy and security-focused questions health organizations should ask when considering the cloud are:

Has an effective data classification and governance procedure been implemented to identify sensitive information and to apply the correct level of control for maintaining the security and privacy of the information? If not, what are the required steps to establish this procedure?
What rights does the cloud service provider reserve over customer data stored in the cloud? In particular, will the cloud service provider use sensitive health information stored in the cloud for its own independent purposes, such as advertising and marketing?
Who is ensuring data integrity for the computer systems? Are these systems stable?
Do the cloud computer systems implement any data encryption mechanisms for data-in-transit or for data-at-rest?
Does the security architecture of such systems comply with industry standards?
Does the cloud service provider offer comprehensive and easy-to-understand information about its privacy and security practices?
What assurances does the cloud service provider offer regarding the handling of law enforcement requests to access data stored in the cloud?
What happens to the data after the cloud service comes to an end? In particular, is the customer data securely deleted after expiration of the cloud contract?
What measures does the cloud service provider use to safeguard personal data transferred outside the EEA (e.g., Safe Harbor, European Commission’s Model Clauses, binding corporate rules)?

These are just a few of the questions that DPOs and IT security professionals need to ask as they develop a data protection and security strategy for their cloud environment.

Before cloud computing technologies emerged, many inherent security and privacy risks existed in traditional (non-cloudbased) computing environments. However, since the boundaries of a traditional computing environment typically existed within the scope of an organization’s IT structure, organizations had greater control of management of such risks. With the introduction of cloud technologies, risk management responsibility is no longer confined to the internal IT organization. In this environment, health organizations may find it challenging to understand the scope of their responsibility across the enterprise and beyond. Understanding this new playing field and the players is very important to managing risk. In a traditional computing environment, the risk existed but it was fully owned by the organization in the health sector. In a cloud-based scenario, the equation changes from a single risk owner to shared risk ownership between the cloud service provider and the cloud customer.

The Health Risk Management Framework provides an effective and continuous approach model inspired by the ISO/IEC 27001. This is the – Plan, Do, Check, Act cycle. This framework focuses primarily on risk management and incorporates several industry best practices to bring an effective framework for managing health risk. It has four phases.

1. Identify – Identify the organizational assets, classify them and provide relative rank of the organizational assets.
2. Assess – Assess the threats and vulnerabilities associated with those assets using qualitative and quantitative approach.
3. Implement – Once the assessment is complete, deploy and implement control solutions to reduce risk to the business.
4. Monitor – Monitor the risk management process for effectiveness and re-affirm if the controls are providing the expected degree of protection.

The Figure below illustrates the four phases of the Health Security Risk Management Process.

Shared responsibility for privacy and security compliance in the cloud is inevitable and it is advocated by Microsoft. Understanding what “shared responsibility” means in practice is important to the success of effective risk management and compliance.

The Health Risk Management Framework provides a Privacy and Security Matrix that illustrates the shared responsibility between the vendor (cloud service provider) and the cloud customer to achieve the highest levels of compliance. The Matrix goes through some of the most important privacy and security controls arising from EU data protection laws and outlines the ownership associated with the controls when using Windows Azure & Office 365.

In the Matrix, the responsibilities for privacy and security safeguards belong either exclusively to the cloud service provider, the customer, or they are shared between the parties. In addition, some of the safeguards are the responsibility of the customer but the cloud service provider is required to assist the customer to implement the control, e.g., by providing information about the IT infrastructure of the cloud service provider. The Matrix, available in the full report, can be read with the help of the following key:

Performing risk management as defined both in terms of traditional computing environments and cloud-related environments will allow organizations to successfully manage their risks. Additionally, when organizations purchase new products and services (which diminish the security boundaries of an organization) it is paramount to evaluate the products and service offerings from a health security perspective.

The Health Risk Assessment document provides an effective framework for health risk management and discusses the shared risk strategy for cloud services. Organizations utilizing this framework and understanding the shared mode of responsibility in a cloud environment will be better positioned to focus on their competitive strategy and take on greater challenges in the future knowing that their risks are well managed. I would encourage anyone responsible for a healthcare organization’s data privacy and security or anyone involved in making decisions about moving a healthcare organization’s data and information services to the cloud, to review the full report.