By Allen Allison
Regardless of your industry, customer base, or product, it is highly likely that you face regulatory compliance requirements. If you handle Protected Health Information (PHI), the Health Insurance Portability and Accountability Act (HIPAA), along with the HITECH enhancements, is a primary concern for your organization. If you work with government agencies, you may need to comply with the Federal Information Security Management Act (FISMA) or National Institute of Standards and Technology (NIST) requirements. In addition, most states have privacy laws protecting the Personally Identifiable Information (PII) of their residents.
It is a common misunderstanding that these regulatory compliance requirements preclude many organizations from being able to leverage outsourced, managed cloud services. Depending on the cloud services provider you choose, you may not only be able to meet your existing compliance concerns, but the cloud provider is likely to have controls and processes that improve your compliance program.
When HIPAA was enhanced by the Health Information Technology for Economic and Clinical Health (HITECH) Act, companies with PHI began to panic. Not only were they expected to protect patient health information, but they had the added requirement of ensuring that third-party providers enabled the same stringent controls on the systems they support. Furthermore, these organizations had the added responsibility of providing breach notification in the event of a loss of confidentiality.
If nothing else, HITECH gives us two things. First, the heightened awareness of the sensitivity of each individual’s health information drives stronger security programs and gives the public assurance that privacy is being protected. Second, because no organization wants to be in the headlines for a security breach, HITECH spurs organizations to improve their information security, enhance their incident response services, and put in place a platform to notify affected individuals if their information has been compromised. I can, with all honesty, say that I do feel a bit more secure with my Protected Health Information.
I use HIPAA and HITECH as an example, not because it is the model information security regulation (it is not), but because it is a topic that everyone can relate to. Similar security requirements stretch across most industries. What HITECH has done for cloud service providers is enable them to build a common control platform, implement technologies that may be too expensive for some organizations to implement themselves, and leverage a world class security and compliance platform to ensure that the PHI, which is vital to the ongoing management of health care, remains secure, protected, and confidential.
When searching for a cloud provider, it is important to understand which of the controls the provider has built into the underlying platform apply to your compliance requirements. I recommend asking these three questions:
- How many customers in my industry do you have on your cloud platform?
- May I see your most recent SSAE 16 SOC report or other applicable audit?
- What development lifecycle process does your team follow to build cloud services and the underlying platform?
With a complete understanding of how ingrained security is in a cloud service provider’s technology and processes, you can begin to understand how it will deal with your sensitive data.
I would like to point out one pitfall. Not all compliance programs apply to a cloud service provider’s customers. For example, the SSAE 16 program is of great benefit to customers of cloud service providers: customers within the scope of the provider’s SSAE 16 audit can rely on the SOC report as part of their own internal controls and compliance. On the other hand, a provider’s compliance with, for example, Safe Harbor does not extend to the customer; the customer must pursue Safe Harbor separately.
Remember that working with a reputable cloud service provider can be an excellent way to leverage expertise and processes you may not otherwise have in-house, and to mitigate some risk by assigning responsibility to a third party you can hold accountable for protecting your data. The cloud is rapidly becoming the hosting platform of choice for highly regulated industries because more organizations are leveraging the expertise of these purely information-centric service providers.
Allen Allison is chief security officer at NaviSite. During his 20-plus-year career in the information security industry, Allison has served in management and technical roles, including the development of NaviSite’s cloud computing platform; chief engineer and developer for a managed security operations center; and lead auditor and assessor for information security programs in the healthcare, government, e-commerce, and financial industries. With experience in the fields of systems programming, network infrastructure design and deployment, and information security, Allison has earned the highest industry certifications, including CCIE, CCSP, CISSP, MCSE, CCSE, and INFOSEC Professional. A graduate of the University of California at Irvine, Allison has lectured at colleges and universities on the subject of information security and regulatory compliance.