“What’s our cloud strategy?” is a common question in IT these days, and it deserves a longer answer than it usually gets. Few technologies have grown as fast as the cloud. It is a profound shift to have your data – your precious, regulated data – stored not just out of your control, but out of your sight. This change provokes a wide range of responses, from “Never in a thousand years” to “Take my data, please”. A better reaction might be “Yes, but.” As with many things in life, and certainly in healthcare, the extreme reaction is rarely the best one.
Many of the entries on the “Wall of Shame” (the HHS Office for Civil Rights breach portal, which lists breaches affecting 500 or more individuals) are there not because of the listed organization’s own actions, but because of a third party’s. Even the smallest healthcare company is likely to send its data out to many business associates, and to grant system access to many other third parties. Each of these arrangements increases the company’s risk. Under HIPAA, a breach at a Business Associate is still the Covered Entity’s breach: the Covered Entity retains responsibility for it and for the resulting notifications. And while most organizations have strong perimeter controls, they are far weaker against an authenticated user; an attacker who compromises an external user’s account inherits whatever access that account was granted, so the exposure is bounded only by how much access the partner was given. Managing the risks from both types of third party – Business Associates, who receive data, and External Users, who get system access – is essential to securing your own information.