Healthcare industry best practices for cloud security and transparency

Moving your organization's healthcare applications to the cloud is a major move—and one that requires a lot of trust in the service you choose.

When vetting your cloud software vendor or managed service provider for your healthcare or hospital environment, you cannot be too cautious, so it helps to go into your meeting with a thorough list of questions prepared. By covering all of your bases, you can quickly draw distinctions between various options and select the best cloud solution for your organization.

Ready to start your search? Here are six key categories to cover to ensure that your healthcare organization is maintaining best practices for cloud security and transparency.

1. Service level agreements for healthcare uptime

Do you offer a Service Level Agreement (SLA) for uptime? What is it? Is it included in the cost, or is there an additional charge for providing an SLA for uptime? Is there a financial penalty for downtime? How do we apply for credits? Exactly how is the credit calculated? Are there any exclusions or limits? Can the SLA be incorporated into our written agreement so that we are assured that it is documented at a specific level and cannot change for the term of the agreement?

Can we terminate our agreement if we do not have adequate uptime performance? How many customers in the last three years have terminated, if any? Can we speak with some of your longtime customers about their uptime experience?

2. Unplanned downtime and maintenance work

Is unplanned downtime tracked, and do we have access to the metrics? What are the hours and days of the week that maintenance is performed? Do we get advance notice of unplanned downtime, and how much notice? How will we be notified?

How often do you push out new releases? Are new releases executed in the regular planned maintenance windows?

Will the service always be unavailable during these windows or just sometimes? Will we receive notifications when the service will be down during a maintenance window? How much advance notice?
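Before you can evaluate a vendor's uptime credits or their downtime metrics, you need a way to turn an outage log into the number the SLA is judged on. The following is an added example, not code from the original article or from any vendor: it takes a constructed outage log, removes the portion of each outage that fell inside an announced maintenance window (the usual SLA exclusion), computes the month's availability percentage, and maps it to a placeholder credit schedule. The month, the outage entries, the maintenance window and the credit tiers are all constructed assumptions to be replaced with the terms in your own agreement.

```python
"""Compute monthly availability from a constructed outage log.

Added example, not from the original article. Assumptions (all constructed):
- the SLA is measured over a calendar month, 24x7, in UTC;
- time inside an announced maintenance window is excluded from downtime;
- maintenance windows do not overlap one another;
- CREDIT_TIERS is a placeholder, not any vendor's real credit schedule.
"""
from datetime import datetime, timedelta

# Constructed maintenance windows (start, end).
MAINTENANCE = [
    (datetime(2020, 3, 8, 2, 0), datetime(2020, 3, 8, 4, 0)),
]

# Constructed outage log: (start, end, cause). The cause is informational only.
OUTAGES = [
    (datetime(2020, 3, 8, 2, 30), datetime(2020, 3, 8, 3, 30), "release"),      # inside the window
    (datetime(2020, 3, 14, 10, 0), datetime(2020, 3, 14, 10, 45), "db failover"),
    (datetime(2020, 3, 27, 16, 0), datetime(2020, 3, 27, 19, 0), "network"),
]

# Placeholder credit tiers: (minimum availability %, credit as % of monthly fee).
# Ordered from best to worst; the first tier the availability meets applies.
CREDIT_TIERS = [(99.9, 0), (99.0, 10), (95.0, 25), (0.0, 50)]


def overlap(a_start, a_end, b_start, b_end):
    """Length of time common to intervals A and B (zero if they do not meet)."""
    start = max(a_start, b_start)
    end = min(a_end, b_end)
    return max(end - start, timedelta(0))


def unplanned_downtime(outages, maintenance, month_start, month_end):
    """Total outage time inside the month, minus time spent in maintenance windows."""
    total = timedelta(0)
    for start, end, _cause in outages:
        start = max(start, month_start)   # clip the outage to the billing month
        end = min(end, month_end)
        if end <= start:
            continue
        excluded = sum((overlap(start, end, m0, m1) for m0, m1 in maintenance),
                       timedelta(0))
        total += (end - start) - excluded
    return total


def availability_pct(downtime, month_start, month_end):
    """Availability as a percentage of the whole month."""
    period = month_end - month_start
    return 100.0 * (1 - downtime / period)


def credit_pct(availability):
    """Map an availability percentage to the placeholder credit schedule."""
    for threshold, credit in CREDIT_TIERS:
        if availability >= threshold:
            return credit
    return CREDIT_TIERS[-1][1]


def monthly_report(outages=OUTAGES, maintenance=MAINTENANCE,
                   month_start=datetime(2020, 3, 1), month_end=datetime(2020, 4, 1)):
    """Summarise one month: unplanned minutes, availability, and the credit tier reached."""
    downtime = unplanned_downtime(outages, maintenance, month_start, month_end)
    avail = availability_pct(downtime, month_start, month_end)
    return {
        "unplanned_minutes": int(downtime.total_seconds() // 60),
        "availability_pct": round(avail, 3),
        "credit_pct": credit_pct(avail),
    }


if __name__ == "__main__":
    print(monthly_report())
```

Run against the constructed data, the hour-long outage during the announced window drops out entirely, leaving 225 unplanned minutes in a 31-day month, or roughly 99.5% availability. That is exactly the kind of number to compare against the vendor's own report: if their figure differs, the difference is usually in which exclusions they apply, which is the "exclusions or limits" question from section 1.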

3. Service level agreements for healthcare application responsiveness

Do you provide a Service Level Agreement for application responsiveness? If so, what is it?

Do you measure and monitor application responsiveness on an ongoing basis? If so, how do you measure it? Do you use a commercially available service that we can access such as Keynote Systems? Your service may not be down, but how do we know if it will be responsive and usable? See questions above about termination terms and conditions.

4. Healthcare security and compliance certifications

Is your cloud application hosted at a managed service provider data center or is it hosted on your own servers?

If you provide HIPAA compliance for hospitals and healthcare organizations, will you sign our Business Associate Agreement (BAA)?

What compliance and security certifications do you offer? How often are they renewed?

Does your data center use a third-party security assessment firm to determine whether the data center meets the Payment Card Industry Data Security Standard and security requirements related to the protection of private and confidential data? Does your data center use a third-party security assessment firm for intrusion and penetration testing and for monitoring?

5. Data center operations and security

Is there data center redundancy so that our applications or infrastructure are replicated across a minimum of two geographical sites? If so, can we review a network diagram of the fault-tolerant infrastructure with mirrored data centers that replicate production database and web servers? Is the replication real-time or near real-time?

Do you use data center managed services, or does your company rent a "colocation" space with power and network access, but your company maintains all of the server infrastructure?

With respect to the data center:

• Does the data center have experience with HIPAA compliance and an installed base of hospital and healthcare customers?
• How often are back-ups performed? Is there a daily incremental back-up? Is there a full back-up at the end of the week?
• Is the back-up automated to ensure that it occurs without fail?
• Is the back-up to tape or disk?
• How long a back-up history is maintained? Is there a minimum of 30 days of data on-site and 60 days off-site for safekeeping?
• Are back-ups stored on-site or off-site at secured locations?
• Is transportation to off-site locations secured?
• What is the data center disaster recovery plan?
• What happens if the data center power is knocked out? How many days can it stay powered on generator failover without refueling?
• Is the data center physically guarded 24x7x365?
• How is physical access to the data center protected?
• How is virtual access to the data center protected?
• Is there a hardware-based firewall that protects your data from the Internet?
• Are there Certified Network Engineers on site 24x7x365?
• How long would it take to recover from a complete server failure?
• Are there ample spare parts on-site?
• What level of data center redundancy is built in?
• What level of Internet access redundancy is built in?
• Does the data center have strategic partnerships with Microsoft, Oracle, Cisco, etc. to be among the first to receive important security information and updates? How fast are security patches applied?
• Is there virus protection on the servers?
• Do you maintain responsibility for database administration and maintaining the application code base, or is this the responsibility of the managed service provider?
• Can the database be restored to a specific day and time? How long will it take? Will you provide a Service Level Agreement (SLA) for time to restore? If so, what is it?
• Who is responsible for managing firewalls, patching the operating system with service packs, applying patches and security fixes?

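The back-up questions above (daily incremental, weekly full, at least 30 days on-site and 60 days off-site) are easy to ask and hard to verify from a slide deck. The following is an added example, not code from the original article or from any vendor: it checks a back-up catalog against those stated thresholds and reports every gap it finds. The catalog format, the constructed sample catalog and the policy values are assumptions; in practice you would load the vendor's actual back-up report into the same record shape.

```python
"""Check a back-up catalog against a daily/weekly/retention policy.

Added example, not from the original article. The record shape
({"date", "type", "location"}), the constructed catalog and the POLICY
thresholds are assumptions; point check_catalog() at real export data.
"""
from datetime import date, timedelta

# Thresholds taken from the checklist questions; adjust to your contract.
POLICY = {
    "full_every_n_days": 7,   # a full back-up at least weekly
    "onsite_min_days": 30,    # 30 days of history on-site
    "offsite_min_days": 60,   # 60 days of history off-site
}


def constructed_catalog(today, days=70, missing_days=(12,)):
    """Build a constructed catalog: one on-site record per day, a full back-up
    every 7th day that is also copied off-site. Ages listed in missing_days
    are deliberately left out so the checker has something to find."""
    catalog = []
    for age in range(days):
        if age in missing_days:
            continue
        day = today - timedelta(days=age)
        kind = "full" if age % 7 == 0 else "incremental"
        catalog.append({"date": day, "type": kind, "location": "onsite"})
        if kind == "full":
            catalog.append({"date": day, "type": kind, "location": "offsite"})
    return catalog


def check_catalog(catalog, today, policy=POLICY):
    """Return a list of human-readable findings; an empty list means the
    catalog satisfies every rule in the policy."""
    findings = []
    onsite_dates = {r["date"] for r in catalog if r["location"] == "onsite"}
    offsite_dates = {r["date"] for r in catalog if r["location"] == "offsite"}
    full_dates = sorted({r["date"] for r in catalog if r["type"] == "full"})

    # Rule 1: every day inside the on-site retention window has a back-up.
    for age in range(policy["onsite_min_days"]):
        day = today - timedelta(days=age)
        if day not in onsite_dates:
            findings.append(f"no on-site backup for {day}")

    # Rule 2: consecutive full back-ups are never more than N days apart.
    for earlier, later in zip(full_dates, full_dates[1:]):
        gap = (later - earlier).days
        if gap > policy["full_every_n_days"]:
            findings.append(f"{gap} days between full backups {earlier} and {later}")

    # Rule 3: the oldest record in each location covers the required depth.
    for location, dates, key in (("onsite", onsite_dates, "onsite_min_days"),
                                 ("offsite", offsite_dates, "offsite_min_days")):
        if not dates:
            findings.append(f"no {location} backups at all")
            continue
        depth = (today - min(dates)).days + 1
        if depth < policy[key]:
            findings.append(f"{location} history is {depth} days, policy requires {policy[key]}")
    return findings


if __name__ == "__main__":
    today = date(2020, 3, 31)   # constructed reporting date
    for finding in check_catalog(constructed_catalog(today), today):
        print(finding)
```

With the constructed catalog the checker reports the single missing daily back-up; drop a full-back-up day instead and it reports both the missing day and the resulting 14-day gap between fulls, and a catalog with only 40 days of history fails the 60-day off-site rule. A vendor who can hand you a catalog that passes these checks has answered the retention questions with evidence rather than assurance.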
6. Business considerations

As our healthcare organization grows or experiences spikes in business, can additional licenses and disk storage space be quickly provided on-demand as necessary for peak times?

Can we get a copy of our data file at any time in an industry standard format, so it can be imported into other healthcare applications? Is there a charge? Is it explicit in your contract that our company's data is owned by us? How will our data be protected from a privacy and disaster recovery perspective?

What contract lengths do you offer, and what are the discounts that apply? Is there any flexibility in payment terms?

Is a source code escrow service available? What events trigger a release of the source code? Is there a fee for this service? Is there a fee if an event triggers a release? How often are you making deposits of source code to the escrow provider? After every release? What hardware and software environment are you running, and can we easily recreate that environment in our hospital so we can get the source code running quickly?

While this may seem like a lot of questions to ask, do not hold back and do not cut corners. Any quality vendor will understand and appreciate your diligence, knowing that you have your organization's needs and safety in mind.

Ron Avignone founded Giva in 1999 and is based in Silicon Valley, California, serving customers worldwide. Giva was among the first to provide a suite of HIPAA compliant help desk and customer service and call center applications architected for the cloud. Ron holds an MBA from the University of Chicago and is a New York State Certified Public Accountant with a minor in English. Ron is also an avid endurance athlete, vegan and mindfulness advocate.

The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.

© Copyright ASC COMMUNICATIONS 2020.