UPMC security chief shares pitfalls and how to avoid them when negotiating cloud computing contracts
Healthcare executives negotiating a cloud computing agreement should aim to elicit the same metrics that would be expected from using in-house IT department, according to John Houston, UPMC vice president of security and privacy and associate counsel.
Houston shared three pitfalls and three must-haves for working with cloud vendors to ensure appropriate services levels, compliance and security.
Pitfall: Excessive downtime. Do not accept it. Many cloud services providers will tout 98 percent availability as being good. The fact is that in a 24x7 business, 98 percent availability equates to 175 hours of downtime per year. How many businesses would allow their internal IT organization to deliver such poor performance? Frankly, best-in-class internal IT organizations strive for 99.99 percent uptime. Likewise, cloud performance is more variable than what internal IT organizations are typically expected to provide.
Avoidance strategy: Demand that the cloud services provider adhere to availability commitments (covering both scheduled and unscheduled downtime) and secure significant penalties when performance falls below a reasonable threshold. Often cloud services providers will offer some type of nominal penalty for downtime (for example, 5 percent of the monthly charge). However, the penalty must be significant enough to give the vendor a real incentive to perform. The cloud services provider must also stick to commitments around the performance of its infrastructure and ensure that it has adequate – and redundant – internet bandwidth to meet its commitments to all customers.
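The arithmetic behind the availability and penalty points above, as an added example that is not part of the original article or of UPMC's contract language. It converts an availability percentage into an annual downtime budget for a 24x7 year, counts scheduled downtime beyond a contractual allowance together with unscheduled downtime, and contrasts a flat nominal credit with an escalating credit schedule. The schedule (5 percent of the monthly charge per hour of excess downtime) and the 730-hour month are assumptions chosen for illustration, not terms from any real contract.

```python
"""Availability commitment arithmetic (added example, assumptions noted inline)."""
import math
from dataclasses import dataclass

HOURS_PER_YEAR = 24 * 365          # 8760 hours: the article's 24x7 business year
HOURS_PER_MONTH = HOURS_PER_YEAR / 12  # 730 hours (assumed averaging convention)


def downtime_hours_per_year(availability_pct: float) -> float:
    """Annual downtime implied by an availability percentage in a 24x7 year.

    98 percent availability leaves 2 percent of 8760 hours, i.e. 175.2 hours.
    """
    return (100.0 - availability_pct) / 100.0 * HOURS_PER_YEAR


@dataclass(frozen=True)
class Sla:
    """Assumed contract terms; these values are illustrative, not from the article."""
    committed_pct: float             # uptime promised for the billing period, e.g. 99.9
    scheduled_allowance_hours: float # planned maintenance tolerated per period
    credit_pct_per_band: float       # credit earned per band of excess downtime
    band_hours: float                # width of one band, in hours


def counted_downtime(sla: Sla, unscheduled_hours: float, scheduled_hours: float) -> float:
    """Downtime charged against the commitment: all unscheduled outage time plus any
    scheduled maintenance beyond the contractual allowance."""
    scheduled_excess = max(0.0, scheduled_hours - sla.scheduled_allowance_hours)
    return unscheduled_hours + scheduled_excess


def measured_availability_pct(downtime_hours: float,
                              hours_in_period: float = HOURS_PER_MONTH) -> float:
    """Availability actually delivered over the period."""
    return (hours_in_period - downtime_hours) / hours_in_period * 100.0


def allowed_downtime_hours(sla: Sla, hours_in_period: float = HOURS_PER_MONTH) -> float:
    """Downtime the commitment permits within one billing period."""
    return (100.0 - sla.committed_pct) / 100.0 * hours_in_period


def flat_nominal_credit_pct(sla: Sla, downtime_hours: float,
                            hours_in_period: float = HOURS_PER_MONTH) -> float:
    """The 'nominal penalty' pattern: a single 5 percent credit on any breach,
    however long the outage. 5 percent is the article's example figure."""
    return 5.0 if downtime_hours > allowed_downtime_hours(sla, hours_in_period) else 0.0


def escalating_credit_pct(sla: Sla, downtime_hours: float,
                          hours_in_period: float = HOURS_PER_MONTH) -> float:
    """Credit that grows with each band of downtime beyond the allowance, capped at
    100 percent of the period charge (assumed schedule)."""
    excess = downtime_hours - allowed_downtime_hours(sla, hours_in_period)
    if excess <= 0:
        return 0.0
    bands = math.ceil(excess / sla.band_hours)
    return min(100.0, bands * sla.credit_pct_per_band)


if __name__ == "__main__":
    for pct in (98.0, 99.0, 99.9, 99.99):
        print(f"{pct:6.2f}% availability -> {downtime_hours_per_year(pct):7.2f} h/year down")

    # Constructed month: one 5-hour unscheduled outage and 6 hours of maintenance
    # against an assumed 4-hour maintenance allowance and a 99.9 percent commitment.
    terms = Sla(committed_pct=99.9, scheduled_allowance_hours=4.0,
                credit_pct_per_band=5.0, band_hours=1.0)
    down = counted_downtime(terms, unscheduled_hours=5.0, scheduled_hours=6.0)
    print(f"counted downtime: {down:.2f} h, delivered {measured_availability_pct(down):.3f}%")
    print(f"flat nominal credit: {flat_nominal_credit_pct(terms, down):.0f}% of monthly charge")
    print(f"escalating credit:   {escalating_credit_pct(terms, down):.0f}% of monthly charge")
```

Running the script shows why the article rejects the nominal penalty: the same 7 hours of counted downtime in a month earns a 5 percent credit under the flat clause and 35 percent under the escalating one, and only the latter scales with the harm to a 24x7 operation.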
Pitfall: Security becomes a "black box." Often cloud services providers will be unwilling to provide any substantive information regarding information security. Or, if they do provide information, it will be limited to their datacenter environment rather than the application itself.
Avoidance strategy: The cloud services provider must provide information to verify that the cloud application itself is secure. This should include such things as code-level reviews, penetration testing, periodic patching policies and account management. Additionally, the cloud services provider should be able to demonstrate adoption of, and compliance with, a relevant information security framework. Further, the vendor must be able to provide substantive information – and commitments – regarding how it is prepared to respond to security events. In many cases, it may also be appropriate for the vendor to integrate with the customer's security tools, such as Security Information and Event Management (SIEM), Identity Management (IDM) and Patient Privacy Monitoring (PPM).
Houston will discuss negotiating cloud contracts at the Cloud Computing Forum at HIMSS17 on Sunday, Feb. 19, 2017, at the Hyatt Regency in Orlando 9am to 5pm.
HIMSS17 runs from Feb. 19-23, 2017 at the Orange County Convention Center.