Savings from cloud computing come with risks, lawyers say

By Jonah Comstock
Share
janet stiven Janet Stiven

Healthcare providers are turning to cloud-based data storage because of the promise of significant savings. But companies aren't saving as much as they expect, because of the additional costs associated with security, according to Joseph Pennell, an associate at Mayer Brown. Pennell and Janet Stiven, a Dykema Gossett PLLC Member, spoke about cloud security at the mHealth Summit in National Harbor, Maryland on Sunday.

The trade-off of cloud computing, Pennell explained, is loss of control. Cloud storage providers can offer low-cost data management because of an economy of scale, which works best if they can offer the same service to a large number of clients.

"Typically the cost savings you enjoy in the cloud are correlated with the loss of control," he said. "If they're doing a bespoke model, they probably can't offer you the same level of savings."

Losing control of patient information, which is protected under HIPAA, is a scary prospect for providers, who, under the year-old HIPAA omnibus final rule, share liability for breached data with any business associates, including cloud services.

A survey from the Ponemon Institute released last July said that 45 percent of IT and data security practitioners named the cloud as one of the biggest risks to the security of patient data.

Pennell and Stiven didn't say providers should avoid cloud services, just that it's important to do due diligence in choosing one, as there are a number of ways that relationship can go wrong. Most cloud services in healthcare advertise HIPAA compliance, but that's not necessarily enough, Stiven said.

"HIPAA compliance is not an official government certification. It just means you follow the rules," she said. "And just because something's HIPAA compliant doesn't mean it's secure."

One thing to look for is the possibility of human error in encryption. Even if data is encrypted, if the people who know the encryption keys aren't trained properly, they can compromise security by not keeping the keys safe. Providers should also check on whether cloud providers store multiple clients in the same server, a practice called multi-tenancy. Not all multi-tenant servers are unsecure, but in some of them, it's possible that a virus in another client's data can bleed over, according to Stiven. "It's becoming a weak link in the security chain," she said.

Another mistake providers make is to not make a plan for retrieving data in the event that their cloud service provider shuts down. Providers can prepare by negotiating what happens in the event of a cloud service shut down when they originally sign the contract, to ensure they have time and assistance extracting their data in a useful format.

It also helps, Stiven said, to choose a cloud services provider that's well established.

"Statistically, 80 percent of businesses that have been around for less than five years fail," she said. "If you're dealing with one of those companies, you better have a backup plan."