Want to implement a cloud-based health IT system? You'll need to perform thorough technical and business due diligence to ensure patient privacy and the availability and security of your data, according to a talk at the recent Healthcare Information and Management Systems Society (HIMSS) meeting in Orlando, FL.
Privacy and security are important for a number of reasons, including patient rights and expectations, business goodwill and efficiency, regulatory and legal requirements, and information assurance spanning the entire data life cycle, according to a presentation by attorneys Steven Fox of Post and Schell and Lee Kim of HIMSS.
Institutions should be concerned about due diligence for a number of reasons, including varying privacy and security policies among vendors. In addition, institutions are ultimately responsible for the confidentiality, integrity, and availability of their patients' information, Fox said.
"Patients lives are at stake, and your business' goodwill is as well," he said.
Fewer security incidents mean less disruption in your day-to-day operations and greater efficiency in your work, according to Fox.
Business due diligence
Business due diligence is as important as technical due diligence. Also, you should perform the due diligence before you start contract negotiations, Fox said.
Business due diligence involves finding out how long the vendor has been in business, if the vendor is a publicly traded or a wholly owned subsidiary, and if it has the financial wherewithal to step up to the plate for data or privacy breaches, he said. Also, ask to see the vendor's disaster recovery plan, if it exists.
It's also crucial to check references -- and not just those supplied by the vendor, Fox said. This could include talking to people at conferences, attending user group meetings, looking at a vendor's reputation in the industry via third-party surveys or rankings, and finding out the turnover rate of the vendor's employees.
The safety of your data is also a key consideration. Institutions should find out where their data will be stored and if the vendor intends to use their data, even if it's deidentified.
Users should also find out if they will have the ability to access and download data as needed and if the data are stored in a proprietary format. They should also determine if the cloud vendor has demonstrated the ability to successfully create interfaces to their particular systems, and if they will be able to use the system if there's no Internet access.
"Think about all of these issues before you ever get to signing the contract," Fox said.
Technical considerations
Institutions mulling over a cloud IT vendor should consider a number of technical due diligence matters, including whether the vendor has any third-party certifications, the location of the vendor and its data center and disaster recovery sites, and its privacy and security procedures. They should also find out if they can audit the vendor's activities, how long it takes to restore information, and where they would be in the queue should there be a need to restore, according to Fox.
"You basically just want to ask as many questions as you can to find out everything about the vendor's business," he said. "And if the vendor is hesitant or reticent and says, well, 'that's none of your business' or 'that's proprietary' or 'that's a trade secret,' then I would say that's not a vendor you really want to do business with, because they've got to be transparent and make you feel comfortable that your data is safe with them."
Prospective customers should also ask about the last time the vendor conducted a risk assessment and if they can review the report. In addition, institutions should query the firm about any breaches and how it maintains confidentiality, integrity, and availability of data, Fox said.
Other important technical considerations include how the vendor uses encryption; if the vendor uses differential, incremental, or whole backups; and what, if any, third-party vendors are used by the cloud provider, according to Fox. It's also a good idea to ask if the vendor will have administrative access to the remotely hosted application, data, and/or virtual machine
Contractual matters
Keep in mind that the vendor's promises may not be included in the contract if it isn't reviewed and negotiated.
"The vendor's attorney is not your organization's attorney," Fox noted.
Your organization's expectations and requirements may not be reflected in the contract; therefore, the vendor may not be obligated to live up to them, he said. And if the vendor doesn't perform, there may not be a suitable remedy. You could then be stuck with the contract -- and hence the business relationship -- for the duration of the agreement.
"If there is a security incident, the outcome might not be what you want, in case this involves your 'mobile' data, whether in the cloud or accessible via a mobile app or device," Fox said.
As a result, it's important to perform a thorough vendor contract review. This involves requesting a copy of the standard vendor agreement for services or, as applicable, a copy of the software license agreement. Then review the agreement and determine if it reflects the agreed-upon business terms.
"Never accept the vendor's standard form contract as the final word," he said. "Remember that everything is negotiable."
It's crucial to have a full understanding of the vendor's pricing structure, such as the pricing metrics and what is included and excluded. It's a good idea to include milestone or ramp-up payments until the software/services are fully operational; you can also tie payments to goals to align the vendor with your success, Fox said. The consequence of a vendor's failure to comply with milestones should also be delineated.
Important contract areas
Review of the contract should focus on important areas such as definitions, scope of license, initial term of agreement and renewal terms, acceptance testing, warranties, support and maintenance, confidentiality and privacy, the limitations of the liability and indemnification clause, dispute resolution, and service-level agreements (SLAs).
"Especially with the cloud, SLAs are super important," he said. "With a cloud vendor you're relying on that service, so you've got to talk about what type of service levels you're going to have."
The business associate agreement should also be thoroughly reviewed.
Organizations also need to develop a written response plan to handle security incidents related to the use of the cloud services. Security assessment of applications and devices should also be performed, Lee said.
