
How to Manage Due Diligence for Cloud Service Provider Searches

January 16, 2017 11:11 am


When searching for cloud service providers and making sure that hospital networks remain secure and compliant, healthcare leaders face the challenge of verifying a service provider’s compliance and its commitment to HIPAA-mandated privacy requirements and other regulations (Mateaki, G., “Ensuring Cloud Security: What You Might Not Know,” SecurityMetrics Blog).

One of the roles of hospital CFOs in the evaluation process is to review the due diligence their IT departments have performed, to ensure that the chosen service provider is a good fit for the organization. In addition, CFOs should confirm how their IT departments plan to secure networks and data once they are on the cloud.

This is a sample article from HFMA’s Strategic Financial Planning newsletter.

For example, CFOs should ensure that service providers offer monitoring and auditing capabilities to the hospital’s own IT staff, and CFOs can play a major role in evaluating whether a chosen provider meets or exceeds the technical security and audit requirements of HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act (Rajendran, J., “What CFOs Should Know Before Venturing into the Cloud,” hfm magazine, Healthcare Financial Management Association, May 2013). Caution should be exercised when evaluating providers for HIPAA and HITECH compliance, because compliance does not necessarily mean security, just as privacy and security are not the same thing. Privacy is concerned with how personal information is collected, used, disclosed, retained, and ultimately destroyed; security is concerned with protecting all information and systems so that their confidentiality, integrity, and availability are maintained. A provider can pass a compliance audit and still be running unpatched systems or weak access controls, so compliance evidence should be read alongside technical evidence such as vulnerability scan results, penetration test reports, and audit logs.

Starting the Search Process

When researching service providers, healthcare organizations should determine the following factors.

  • The hospital’s own level of involvement in ensuring that protected health information (PHI) is safeguarded, versus what it delegates to the provider
  • Where the hospital’s data will be stored
  • The type of platform
  • The type of service model
  • Questions to ask service providers
  • What reports to obtain from service providers prior to their interviews

Determining the first factor, the hospital’s level of involvement, helps determine the appropriate service model.

  • Software as a service (SaaS)
  • Platform as a service (PaaS)
  • Infrastructure as a service (IaaS)

Level of involvement also helps determine the method of deployment.

  • Private cloud
  • Community cloud
  • Public cloud
  • Hybrid cloud

The Information Systems Audit and Control Association (ISACA) suggests a PaaS model as a reasonable default for protecting hospital data: the facility keeps control over its deployed applications and the configuration settings of the application-hosting environment, while the provider carries the infrastructure risk. With PaaS, however, the facility does not control or manage the underlying infrastructure (network, servers, operating systems, or storage), so it must rely on the provider’s controls at those layers. The line is drawn differently in the other models: under SaaS the hospital controls even less (typically only user-specific application settings), while under IaaS it takes back control of, and responsibility for, the operating systems, storage, and deployed applications running on the provider’s infrastructure. Whichever model is chosen, the due diligence should establish exactly where the hospital’s responsibility ends and the provider’s begins, because the hospital remains accountable for its PHI regardless.

In choosing a deployment model, a private cloud is provisioned for the exclusive use of one organization and can be located on the hospital’s premises, which gives more control and removes exposure to other tenants. The implementation cost of a private cloud can be a hindrance to hospitals, but savings from fewer security incidents and avoided audit-failure penalties may offset it. Wherever shared infrastructure is used, obtaining service level agreements (SLAs) that cover the provider’s hypervisor vulnerability management will also help ensure that data stays secure. A hypervisor is the software or firmware layer that creates and runs virtual machines; because several customers’ virtual machines may run on the same hypervisor, a weakness in it can let an attack that starts inside one virtual machine reach the host or other tenants’ machines. The SLA must therefore spell out how vulnerabilities are classified (for example, by CVSS severity), how quickly each severity class must be remediated, and what actions the provider takes at each severity level.

A Gantt chart can help organize the research on service providers and the interview process. The chart should list the questions that will be put to each candidate and the reports each candidate must submit before its interview. The reports should document the provider’s ability to ensure proper data security.

See web extra: Cloud Service Provider Gantt Chart

Once the hospital is seriously considering a particular provider, that provider should also be able to supply sample copies of its reports and describe the security education and training it gives its staff. From those reports, the hospital should be able to judge whether the provider understands what HIPAA compliance entails and whether it is actually compliant, rather than merely claiming to be.

Once the interviews are completed, the Gantt chart provides a framework for rating each vendor. The chart lays out the strengths, weaknesses, opportunities, and threats of each service provider, making it easier to choose one on the basis of sound data.

The checklist of questions should be comprised of pros and cons of cloud computing and storage and a list of due diligence tasks related to contracting with a cloud service vendor (Showalter, S., “Checklist: Possible Pros and Cons of Cloud Computing and Storage,” Legal & Regulatory Forum, Healthcare Financial Management Association, September 2013).

Examples of items on the pro list are as follows.

  • The return on investment
  • Savings
  • Opportunities

Examples of items on the con list are as follows.

  • Loss of control (e.g., a service provider implements a software fix without the proper approval from the hospital IT staff)
  • Security/privacy issues
  • Possible outages and downtime
  • Lack of application compatibility

The contracting checklist should include the following (Showalter, S., “Checklist: Due Diligence in Contracting with a Cloud Service Vendor,” Legal & Regulatory Forum, Healthcare Financial Management Association, September 2013). Because a cloud provider that creates, receives, maintains, or transmits PHI on the hospital’s behalf is a business associate under HIPAA, a signed business associate agreement (BAA) is a prerequisite for placing PHI with the provider, and the items below should be reflected in that agreement or the underlying contract.

  • HIPAA privacy and security standards
      o   Risk assessment plan
      o   Business continuity plan
      o   Business recovery plan
      o   Disaster recovery plan and testing
      o   Vulnerability scans
      o   Education and training
  • Exit strategy plan in the event the service provider declares bankruptcy or the contract ends, including the return of the hospital’s data in a usable format and the hospital obtaining all software rights
  • Copies of all audit results
  • Compliance with Centers for Medicare & Medicaid Services (CMS) guidelines
  • History of downtime and the recovery methods used
  • Financial strength
  • Location of data, including the jurisdictions in which the data and its backups reside

Healthcare leaders should request the following reports from their chosen service provider.

  • Firewall logs
  • Scheduled vulnerability scans
  • Random (unscheduled) scans, so that results are not limited to dates the provider prepared for
  • Penetration tests
  • A list of all of the provider’s subcontractors and other associates who will handle the hospital’s data

In addition, the service provider should be required to notify the hospital IT director as soon as possible of any breach or suspected breach. The HIPAA Breach Notification Rule requires a business associate to notify the covered entity without unreasonable delay and in no case later than 60 days after discovering a breach of unsecured PHI; the business associate agreement should set a much shorter window, so that the hospital can meet its own notification obligations to patients and regulators.
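The SLA language above calls for vulnerability classifications and severity-based remediation targets, and the report list asks for the provider’s vulnerability scans. The following script, an added example that is not part of the original article, shows how hospital IT staff could check a provider’s scan export against those targets. The SLA day limits and the CSV export are constructed assumptions for illustration; the CVSS v3 severity bands are the published ones.

```python
import csv
import io
from datetime import date

# Assumed SLA targets (days from detection to remediation) per CVSS v3 severity.
# Illustrative values only; the real numbers come from the negotiated SLA.
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}

# Constructed sample of a provider-supplied scan export; not real findings.
SAMPLE_EXPORT = """\
finding_id,asset,cvss,detected,remediated
F-001,hypervisor-node-01,9.8,2016-11-01,2016-11-10
F-002,hypervisor-node-02,9.1,2016-11-01,2016-12-05
F-003,db-cluster-a,7.5,2016-10-15,
F-004,web-tier,5.3,2016-09-01,2016-11-20
F-005,web-tier,3.1,2016-10-01,2016-10-20
F-006,web-tier,4.0,2016-12-20,
"""


def cvss_severity(score: float) -> str:
    """Map a CVSS v3 base score to its qualitative rating (published bands)."""
    if score == 0.0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


def parse_findings(text: str) -> list:
    """Parse the CSV export; an empty 'remediated' field means still open."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "finding_id": row["finding_id"],
            "asset": row["asset"],
            "cvss": float(row["cvss"]),
            "detected": date.fromisoformat(row["detected"]),
            "remediated": date.fromisoformat(row["remediated"]) if row["remediated"] else None,
        })
    return rows


def evaluate(findings: list, as_of: date, sla: dict = SLA_DAYS) -> list:
    """Classify each finding against the SLA window for its severity.

    met      - fixed within the window
    breached - fixed, but later than the window allowed
    open     - not yet fixed, still inside the window
    overdue  - not yet fixed and the window has already passed
    """
    results = []
    for f in findings:
        sev = cvss_severity(f["cvss"])
        limit = sla.get(sev)
        end = f["remediated"] or as_of          # open findings age until as_of
        days_open = (end - f["detected"]).days
        if limit is None:
            status = "no_sla"
        elif f["remediated"] is not None:
            status = "met" if days_open <= limit else "breached"
        else:
            status = "open" if days_open <= limit else "overdue"
        results.append({**f, "severity": sev, "days_open": days_open,
                        "sla_days": limit, "status": status})
    return results


def summarize(results: list) -> dict:
    """Count SLA failures (breached or overdue) per severity; zeros omitted."""
    counts = {}
    for r in results:
        if r["status"] in ("breached", "overdue"):
            counts[r["severity"]] = counts.get(r["severity"], 0) + 1
    return counts


def check_export(text: str, as_of_iso: str) -> list:
    """Parse an export and evaluate it as of the given ISO date."""
    return evaluate(parse_findings(text), date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    results = check_export(SAMPLE_EXPORT, "2016-12-31")
    for r in results:
        print(f'{r["finding_id"]} {r["severity"]:8} {r["days_open"]:3}d '
              f'(SLA {r["sla_days"]}d) {r["status"]}')
    print("SLA failures by severity:", summarize(results))
```

Run against the sample, the two hypervisor findings split into one remediated on time and one fixed 34 days after detection (a breach of the assumed 15-day critical window), and the high-severity database finding is still open well past its window. Counting open-but-overdue findings separately from closed breaches matters in practice: a provider that reports only closed tickets can look compliant while its oldest unpatched items never appear in the numbers.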

Ensuring Data Integrity on the Cloud

The cloud can be safe, provided healthcare organizations are diligent, organized, and proactive in their searches for a cloud service provider. Hospital CFOs can play a major role in the selection process by remaining vigilant on data security deliverables and HIPAA and HITECH compliance.


Louise Tokman, MBA, MS, LSSBB, CRCR, is senior managed care analyst, Sisters of Providence Health System, Springfield, Mass., and a member of HFMA’s Massachusetts-Rhode Island Chapter.
