Law firm: When assessing cloud risks, health organizations must prepare for failure

Develop services levels based on criticality of process, sensitivity of data
Tools

With the growth of cloud services within healthcare, it's important to assess the associated risk and develop strategies to mitigate that risk, according to a post from law firm Foley & Lardner, which has offices New York, Boston and Washington, D.C., among several locations.

The risk includes certain security vulnerabilities to hacking, multi-tenancy used by cloud providers and increased physical risk associated with storage at multiple locations. With data stored in multiple locations, state and national law may differ on data privacy and data breaches. There's also the possibility of outages by vendors and subcontractors.

The post recommends plotting the risk on a grid with two variables: "How critical is the business process being supported by the cloud computing solution?" and "How sensitive is the data being stored in the cloud?"

Before signing an agreement with a cloud provider, the firm recommends using a questionnaire to determine how well it can meet expectations. In that pre-agreement due diligence, pay particular attention to the provider's financial condition and corporate responsibility; use of subcontractors; location of data centers, including disaster-recovery facilities; security infrastructure, and policies and procedures.

Service availability is a vital issue, whether an outage is due to a server being down, failure of a telecommunications link, natural disaster, the provider withholding services because of a fee dispute, or the provider closing its business because of financial difficulties. That could mean no access to data. Contractual protections are essential to healthcare organizations that must continue service even amid natural disasters and other outages.

But some services are more critical that others – that's why it's essential to establish the appropriate service level in any agreement, according to the post. Service providers want to measure uptime over a longer period of time because it dilutes the time spent down. Healthcare organizations need to measure uptime over a shorter period, it says. Response time needs to be spelled out in the agreement as well.

The post includes examples of contractual language to address these issues that could be helpful to organizations in their pre-agreement phase.

The cloud market in healthcare is expected to reach $5.4 billion by 2017 as more physician offices as well as hospitals turn to cloud-based EHRs. However, a six-hour Cerner outage in July further illustrated the importance of planning for such a scenario.

To learn more:
- read the Foley & Lardner post

Related Articles:
Security must be top priority when selecting a cloud provider
Cerner outage raises new fears of cloud-based EHRs
Healthcare cloud market to hit $5.4 billion by 2017
More docs gravitating to cloud-based EHRs