DataBank provides secure data center, cloud, and interconnection services, offering customers 100% uptime availability of data, applications and infrastructure. Our technology solutions reduce risk, improve performance and ensure compliance. DataBank acquired Edge Hosting, LLC in September of 2017, providing additional expertise in the delivery of cloud solutions and managed services, especially for highly regulated industries.

Mark Houpt, Chief Information Security Officer, DataBank
Many healthcare organizations are hearing about Hybrid IT. From a compliance and security perspective, is Hybrid IT a good option for healthcare organizations?
Absolutely, Hybrid IT is a good option for healthcare organizations. Hybrid IT is not a new concept, and what healthcare organizations may be surprised to find out is that they are probably already doing Hybrid IT to some degree.
To be clear, Hybrid IT is the concept that IT systems are located in house and at a provider. Sometimes it is one entire application in house and another at the cloud provider. Sometimes a single application will span back from a cloud provider into the organization’s data center. For example, the application may be at the provider, but the database is kept in house.
Regardless of the model you follow, security and compliance concerns are of paramount importance, especially within the healthcare industry. One of the key things to ensure in a hybrid setup is that the boundaries are clearly documented and responsibilities clearly defined. All too often, when I am working with healthcare organizations that are transitioning to a cloud provider, they think that the cloud provider assumes or takes over the responsibilities for security. This is not accurate, and unfortunately, sometimes a healthcare organization has to look at the fine print to see what the provider is actually doing for them. When working with a provider, ask the same questions you would ask of your internal teams. Assess the provider in the same manner as, or even with more scrutiny than, your internal teams. Find the provider that will work with you and disclose this information easily and frequently. Look to a provider that can provide KPIs and other reporting functions so that you know the provider side of the hybrid model is working for you.
How do federal government mandates such as FISMA or FedRAMP affect HIPAA HITECH?
FISMA and FedRAMP only impact HIPAA HITECH if you are using, storing, processing, or qualifying federal government-owned data. If you are a healthcare provider that has no interaction with federal government data, then compliance with those mandates is off your radar screen. Of course, compliance with HIPAA and HIPAA HITECH is never off your radar.
If you are hosting data owned by a federal agency, then compliance with HIPAA is astonishingly easy. Don’t get me wrong, you can’t simply assume HIPAA compliance if you are doing FISMA or FedRAMP. But the fact is that compliance with FISMA or FedRAMP requirements is more stringent in many areas than HIPAA. For example, FedRAMP requires the use of two-factor authentication, and FedRAMP specifies the need for encryption compliant with FIPS 140-2, whereas HIPAA does not specify down to the detail that FedRAMP does. Also, the continuous monitoring requirements of HIPAA are vague, simply stating that they are “required” to do so, whereas FedRAMP is specific about which controls and their frequency, which can be daily, weekly, monthly, or quarterly. The one area a healthcare provider should certainly look to HIPAA over FISMA or FedRAMP is breach notification. As all healthcare providers know, the DHHS is very prescriptive on this subject.
About the Author
Mark brings over 25 years of extensive information security and information technology experience in a wide range of industries and institutions. Mark holds an MS-ISA (Masters in Information Security and Assurance) and numerous security and technical certifications (CISSP, CEH, CHFI, Security+, Network+), and is qualified for DoD IAT Level III, IAM Level III, IASAE Level II, CND Analyst, CND Infrastructure Support, CND Incident Responder, and CND Auditor positions and responsibilities. Mark is an expert in understanding and interpreting FedRAMP, HIPAA and PCI-DSS compliance requirements. Mark is an active member of ISC2, ASIS International, CompTIA, IAPP, and ISACA, among other leading national and international security organizations.