6 questions providers should ask cloud vendors
Certifications, security controls and audit reports should be studied to ensure data protection.
How providers can test the security acumen of cloud providers
When healthcare organizations are considering moving some or all of their data to a cloud, the decision needs to be made carefully to ensure the selected approach will meet their requirements for data access, high reliability and disaster recovery at the cloud service vendor. However, an important but sometimes overlooked consideration for providers is the security acumen of the vendor: does the vendor understand the special requirements for protecting healthcare information, and can it explain its security approaches?

Here are six questions that prospective vendors should be able to answer, according to iland, a cloud hosting company.
1. Does the vendor have certifications in the areas required by the provider?
An organization should validate that a vendor is certified, or holds attestations, for the regulations the organization must comply with. A provider should ask to review the vendor’s control matrix and how those controls are implemented.
2. Does the vendor allow security controls to be integrated?
Can the specific audit controls a provider requires be integrated into the vendor’s policies or processes? If not, the healthcare organization should request that the vendor share its internal controls around policies and processes, so the organization can evaluate how effectively the vendor meets its requirements.
3. Does the cloud provider share internal and external auditor reports?
A provider should ask to see the third-party auditor reports behind certifications. Certifications are often structured on a pass/fail basis, so a vendor can hold a certification without having a “strong” score in a particular area. A cloud vendor should be willing to show the results of its audits, and providers also should ask to see internal auditor reports. Of particular interest are the ISO 27001 certificate, the SOC 2 or SOC 3 report, and penetration test results. In addition, a vendor should be asked for its risk strategy and how it executes on it.
4. How far into the vendor’s business and operations can a provider see?
A provider needs assurance that its data is secure in the cloud, so it should closely evaluate the vendor’s security and access controls. A provider should ensure that it holds the encryption keys for its environment and that all functions are logged and visible to it. It is difficult to add controls retroactively after a contract for services is signed.
5. What technologies are needed to maintain required security levels?
Good security systems generate alerts and remediate issues in real time, and a provider also should require encrypted storage on the back end. Technologies that will be needed include audit control alignment, antivirus, vulnerability scanning, file integrity monitoring, firewall event monitoring, web reputation monitoring, application control and intrusion protection.
6. Are a vendor’s physical facilities open for inspection?
Nothing beats a walk-through and seeing the physical security environment firsthand. A provider should bring an auditor along on any onsite visit to check the vendor’s claims. The actual data center where the organization’s data will be held also should be visited.