Today, a majority of healthcare providers use a cloud solution for clinical and non-clinical data storage and sharing. In fact, cloud technology has become a critical component in the operation of healthcare organizations. The three most common reasons healthcare providers have embraced the cloud are: to save cost on IT maintenance, to share information quickly across locations, and because they lack the staffing to support on-premise alternatives. Cloud services let healthcare organizations focus on what they do best: providing healthcare. The data centers, along with their physical housing, operation and maintenance, are left to skilled professionals.
Whether using a private, hybrid or public cloud, the benefits of using cloud services in health care are numerous. Doctor’s offices and hospitals have quick access to data and the ability to share information quickly, even with remote locations. Without this ability, patient care can be compromised. With it, patient care and satisfaction increase and operational efficiency is greatly improved.
So, if you’re thinking of moving to the cloud or are looking for a new cloud service provider—for what exactly should you be looking?
First and foremost, your cloud service provider should give you confidence that your data will be secure. Look for a provider that is diligent about obtaining security certifications. Many certifications are not required to be a cloud service provider, but LightEdge has successfully completed an SSAE 16 SOC 3 Type II for its facilities and processes. We are also ISO 20000 and ISO 27001 certified. ISO certification promotes continued improvement in our practices. You and your team are likely familiar with many of these certifications, but if not, don’t be intimidated by the fancy acronyms. Ask questions and have the provider walk you through what each one means and what it means for you.
In addition, we routinely perform risk analysis and internal and third-party audits of security practices. Our senior management team performs regular health checks of our security program.
LightEdge has also chosen to go through a formal Payment Card Industry (PCI) audit. Some of our clients require this, but it gives peace of mind to all our clients. Other service providers either don’t hold these certifications or perform these audits, or they hold lower subsets of the certifications.
You should ask to review all audit reports and certificates for any service provider you’re looking into. They should be easy to obtain, and if they’re not—that could be a red flag and you may want to move on. In short, you want to look for a provider who has taken pains to go that extra mile to make sure your data is secure.
LightEdge signs a Business Associate Agreement (BAA) with all of our healthcare clients, which clearly outlines the roles and responsibilities in securing their data. You should always require a BAA and ensure it’s detailed and clear.
Many providers will state that they’re HIPAA compliant, but they’re simply not. LightEdge is diligent about HIPAA compliance. Not only do we have an on-staff attorney who is well-versed in HIPAA, but we also undergo an independent, third-party audit to verify that we are adhering to HIPAA requirements. This gives our clients visibility into our security best practices, which helps them focus on areas where they may have security gaps, or identify tools we have in our toolbelt that they can use to their advantage.
When you’re looking at cloud service providers, ask to tour their data centers. It’s imperative that you know where your data is located, as it’s hard to protect the unknown. Offshore data centers bring a unique set of challenges, and localized data centers are typically easier to navigate and work with; regardless, make sure you have a handle on where your data is and why. When touring a center, bring a list of HIPAA security safeguards to use as a checklist. Are practices being followed? Is the facility secure? Are employees adhering to the rules?
One final piece of advice for a healthcare organization, or any organization for that matter, that is looking for a cloud service provider: review your vendors annually at a minimum. This will help identify and prevent weaknesses that could lead to data breaches.
At the end of the day, it’s like going to see a doctor. Get a diagnosis, ask a lot of questions to make sure you’re comfortable with the treatment—and if you’re not comfortable with the answers, seek a second opinion. It’s not just for the health of your company, but your customers as well.
This piece was prepared by Jake Gibson, Chief Security Officer and Chief Compliance Officer.