6 questions providers should ask cloud vendors
Certifications, security controls and audit reports should be studied to ensure data protection.
How providers can test the security acumen of cloud providers
When healthcare organizations consider moving some or all of their data to a cloud, the decision needs to be made carefully to ensure the selected vendor and approach meet requirements for data access, high availability and disaster recovery. An important but sometimes overlooked consideration for providers is the security acumen of the vendor: does the vendor understand the special requirements for protecting healthcare information, and can it explain its security approach?

Here are six questions that prospective vendors should be able to answer, according to iland, a cloud hosting company.
1. Does the vendor have certifications in the areas required by the provider?
An organization should validate that a vendor is certified, or holds attestations, against the regulations and standards the organization itself must meet. A provider should ask to review the vendor's control matrix and how each control is implemented, rather than relying on the certificate alone.
2. Does the vendor allow security controls to be integrated?
Can the specific audit controls a provider requires be integrated into the vendor's policies or processes? If not, the healthcare organization should ask the vendor to share its internal controls around policies and processes so it can evaluate how well the vendor meets its requirements.
3. Does the cloud provider share internal and external auditor reports?
A provider should ask to see the third-party auditor reports behind certifications. Certifications are often structured on a pass/fail basis, so a vendor can hold the certificate yet have a weak score or noted exceptions in a particular area. A cloud vendor should be willing to show the results of its audits, and providers also should ask to see internal auditor reports. Of particular interest are the ISO 27001 certificate, the SOC 2 or SOC 3 report and penetration test results. A SOC 3 report is only a public summary; the SOC 2 report (ideally Type II, which covers controls operating over a period rather than at a single point in time) contains the auditor's detailed findings and any exceptions. In addition, a vendor should be asked for its risk strategy and how it executes on it.
4. How far into the vendor’s business and operations can a provider see?
A provider needs assurance that its data is secure in the cloud, so it should closely evaluate the vendor's security and access controls. A provider should ensure that it holds the encryption keys for its environment, so the vendor cannot read the data without the provider's involvement, and that all administrative actions are logged and visible to the provider. It is difficult to add such controls retroactively once the services contract is signed, so they belong in the contract and the initial design.
5. What technologies are needed to maintain required security levels?
Good security systems generate alerts and remediate issues in real time, and a provider also should require encrypted storage on the back end. Technologies that will be needed include audit control alignment, antivirus, vulnerability scanning, file integrity monitoring, firewall event monitoring, web reputation monitoring, application control and intrusion prevention.
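To make one item in that list concrete, here is an added example of the core of a file integrity monitor (this is illustrative code written for this page, not code from the article or from iland). It hashes every regular file under a directory into a baseline, then compares a later scan against that baseline and reports files that were added, removed or modified. The directory contents and the simulated tampering are constructed inside the example so it runs offline.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example: a minimal file integrity monitor (FIM). A baseline maps each
# file's relative path to its SHA-256 digest; a later scan is diffed against it.


def _sha256(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map each regular file under root (as a POSIX relative path) to its digest.

    Symlinks are skipped on purpose: hashing their targets would let an attacker
    point a link outside the monitored tree and hide the change behind it.
    """
    root_path = Path(root)
    baseline = {}
    for p in sorted(root_path.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root_path).as_posix()] = _sha256(p)
    return baseline


def diff_baseline(old: dict, new: dict) -> dict:
    """Classify the differences between a stored baseline and a fresh scan."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, tamper with it, rescan."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("debug=false\n")
        (root / "bin").mkdir()
        (root / "bin" / "agent").write_bytes(b"\x7fELF-placeholder")
        baseline = build_baseline(d)

        # Simulated tampering: config edited, binary deleted, new script dropped.
        (root / "etc" / "app.conf").write_text("debug=true\n")
        (root / "bin" / "agent").unlink()
        (root / "etc" / "backdoor.sh").write_text("#!/bin/sh\n")
        return diff_baseline(baseline, build_baseline(d))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two points a practitioner would want on top of this: the baseline must be stored (and ideally signed) somewhere the monitored host cannot write, or an attacker who can alter files can also rewrite the baseline to match; and a scan that only compares content hashes misses permission and ownership changes, which a production FIM also records.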
6. Are a vendor’s physical facilities open for inspection?
Nothing beats a walk-through to see the physical security environment firsthand. A provider should bring an auditor along on any onsite visit to verify the vendor's claims, and the visit should include the actual data center where the organization's data will be held, not only the site the vendor prefers to show.