Compliance programs can overwhelm the healthcare industry, given the complexities of regulations that address the use and disclosure of Protected Health Information (PHI). What's more, 100 percent compliance hardly means that these organizations are "in the clear" with respect to systems threats.
Fortunately, the cloud is coming to the rescue here.
Specifically, cloud-based solutions driven by software/security-as-a-service (SaaS) models can be leveraged with little to no investment in software or hardware. You can deploy them faster than typical internal projects—these models are increasingly robust and can be provisioned quickly. And internal IT staffers can take advantage of the expertise of cloud providers to set up and administer these programs.
The upshot: best practices are built in, right from the beginning. There's also a reduced learning curve to climb. Cost of ownership is lower, with no added threat-intrusion risk.
Before leaping forward into the cloud, however, it's best to evaluate which provider to go with. Find out about the customers that a prospective vendor deals with. How many are there? Do they work for customers who are like you? What kind of references are available?
For a deeper analysis, examine the vendor's positioning on compliance. Does it take on a "commodity" approach—meaning regulatory mandates are "no big deal," just a matter of running down a "check list" of "to do" items? Or does the provider really understand the complex issues that organizations in your industry must address? Hopefully, your winning candidate stays focused on the highly valuable reason for implementing these programs—to protect patient privacy and identity information.
This means that a winning candidate should be ready to take on the most difficult aspects of compliance, including centralized log management, risk/vulnerability assessments and the deployment of a solution program that covers all of your requirements. Instead of simply trying to sell services, an experienced partner will ask questions about your existing security policies, risk management activity, and internal auditing capabilities. They'll come to the table with a strong history of industry partnerships and staff certifications. They'll already have protection programs and policies in place that are compliant with regulations such as HIPAA (the Health Insurance Portability and Accountability Act).
Other "must haves" include effective access controls/encryption for confidentiality; round-the-clock monitoring with redundant network operations/security centers; breach-notification support guidelines; and a breadth and depth of anti-threat solutions that are strengthened by the SaaS model.
After hiring the cloud/SaaS vendor, make sure your internal teams are properly auditing progress, to ensure that vulnerability-mitigation best practices are being followed comprehensively. You should also strongly consider hiring outside specialists to assess this—specialists who maintain no connection with your cloud/SaaS provider.
With this kind of multi-layered, in-depth methodology, the best feedback you can get is this: nothing. As in, no panicked calls from customers indicating that a patient's records have been breached. No "fire alarms" from your IT folks about a network intrusion. No unwanted scrutiny from regulators and/or media members because of a major incident.
And that's when "nothing" really delivers "something" for your healthcare organization—a great reputation for data protection, and peace of mind.