week my Microsoft colleagues and I attended and participated in the U.S. News
and World Report Hospital of Tomorrow conference in Washington, D.C. As part of
the event, I served on a market insights panel, which explored the ways hospitals
and other healthcare organizations are leveraging technology to engage consumers
through meaningful patient and provider interactions, privacy protections, and
patient-centered care. It gave me the opportunity to talk about something I’m
very passionate about: data privacy and security.
Health organizations of all sizes and types possess enormous amounts of personal
and sensitive information. This includes not only HIPAA-protected health
information (PHI), but also sensitive financial, tax, HR and R&D information, and
much, much more. Organizations and their vendors have an unequivocal shared
responsibility to protect the privacy and security of this data. As more
organizations contemplate a move to the cloud, a formidable question for the CIO
becomes, “How do I ensure that our organization’s and our patients’ data is
protected in a cloud environment?” At 3 a.m. you should know who has that data,
where it is, and what they are doing with it.
How can a health organization have confidence that the vendors it works with,
who store its information in a cloud environment, will act as trusted data
stewards in protecting that data? Here are some top-line items C-level
healthcare executives should think about when selecting a cloud vendor:
Business Model – What is the business model of the cloud vendor? A vendor
entrusted with data should have a business model where revenue comes from
providing cloud services to a customer base, not from using your or your
patients’ data for any secondary commercial purpose such as advertising. HIPAA
has very prescriptive requirements around secondary uses of PHI. Cloud vendors
must expressly spell out how they are using data as a business associate under
HIPAA; proceed with caution if they are reluctant to do so. However, HIPAA should
be viewed as simply an entry point for considering a cloud vendor in the
healthcare environment. Given the broad range of sensitive information a
healthcare organization handles in addition to PHI, your cloud vendors should be
applying the same strict privacy and security standards across all of your data.
Design – Is the vendor’s cloud separately engineered to provide enterprise-class
protections? Or is it a consumer-based service where data can be shared between
enterprise and consumer services? Be wary of commingling: data in the cloud could
potentially “rain” all over if enterprise and consumer cloud services are not
logically separated by the vendor.
– Does the cloud vendor explicitly comply with applicable privacy laws and
regulations? What is that vendor’s track record? One best practice we have
employed at Microsoft is engaging a cross-section of the industry to evaluate
our privacy and compliance posture. For example, we collaborated with payers,
providers, and academic medical centers such as Emory and Duke University, handed
them a pen and asked them to help us draft a business associate agreement (BAA)
that aligned our service offerings and capabilities with regulatory requirements
and market expectations. This way our customers can be confident that our BAA
was created with deep industry collaboration and academic medical center review.
This process has since led to our BAA being signed and validated by many leading
government, academic and commercial customers. Our BAA is currently helping
hundreds of customers address HIPAA compliance requirements, while enabling them
to enjoy all the security, cost savings, efficiencies and cross-boundary
collaboration benefits that Microsoft cloud solutions deliver.
– Do you understand what you are reading in the contract? With all contracts,
transparency is critical. Commitments around privacy should be simple, clearly
stated and easy for your lawyers and procurement personnel to find. They should
not be obscure, or require “a chase down a rabbit hole” of many links and
documents. Vendors should agree to specific contractual protections, including:
(1) use of customer data only to provide and manage the service for you; (2) no
capturing, scanning, indexing, mining or use of your data for advertising or any
other unauthorized secondary purpose; and (3) no mixing of consumer and
enterprise cloud data.
The cloud is a new frontier for many health organizations, and in an industry
where efficiency is paramount, the cloud can offer a lot of rewards. Just make
sure your cloud partner understands, and transparently shares, the responsibility
of being a trusted data steward for your organization’s and your patients’ data.
For further information regarding Microsoft’s commitments to cloud security,
privacy and compliance transparency see: http://trustoffice365.com/ and
http://www.windowsazure.com/en-us/support/trust-center/