Like purchasing a car, there’s more at stake than picking a model and grabbing the keys. There are other considerations like safety features, mileage, capacity, tax, title, license, insurance, security and anti-theft, and ongoing maintenance. How you manage your data in the cloud is similarly not a singular decision.
When it comes to healthcare cloud security posture management (CSPM), how do you know if you’re ready for a DIY approach with a software-as-a-service (SaaS), or if combining it with managed services is the right choice for your organization? The DIY or DIWH (do it with help) decision can turn into a lengthy debate. In the end, there are two things it pays to focus on: time and talent. How much time do you have to get it done and do you have the talent in-house to maintain adequate security and compliance?
You’re going to need very specific skill sets that simply didn’t exist a few years ago. At ClearDATA, we partner with hundreds of healthcare organizations both large and small — from providers to payers, healthcare IT to life sciences and pharma. Many of them do not have the cloud-certified solution architects and product and software engineers that you’ll need to get the job done right. At ClearDATA, we’ve spent a lot of time and money hiring and training staff focused on cloud, security, and compliance for healthcare. That talent is in high demand as healthcare, like all other industries, moves to the cloud.
So, you may be wondering, or more realistically, your CEO or COO may be asking, “Is it more cost-effective to do this ourselves or to go with ClearDATA?” Let’s look at the three stages of building and deploying your app in the cloud to help you identify the cost of sourcing internally. Then, you can contact us and we’ll show you what it looks like to have us be your cloud partner, freeing you up to focus on your business objectives.
Phase I: Getting Started
Business Associate Agreement
First and foremost, you’ll need a Business Associate Agreement with your cloud provider. While ClearDATA will negotiate a purposeful BAA designed to meet your specific and unique legal and business needs, cloud providers seldom are in a position to negotiate the BAA with you. So, plan to allocate what can turn into several hours with your legal department trying to get these taken care of. In addition to a BAA signed with the public cloud, you would need to manage a BAA with other subcontractors or other third-party vendors.
It begs the obvious, but to get started one of the first things you’ll need is a team. This may mean recruitment and staffing in addition to training and alignment. You’ll also want a security risk assessment as a starting point and, if you haven’t already done one, a PHI Inventory. If you haven’t already made the decision on which public cloud you want to use – or more than one – you’ll have to vet your options. Pricing and services vary. ClearDATA has deep relationships with all three clouds: AWS, Google Cloud Platform, and Microsoft Azure, including premier consulting partner relationships where applicable. We understand what they offer and can help design your cloud architecture to leverage the most appropriate and effective services based on the needs of your application.
Now it’s time to build your cloud infrastructure. (Or, a vendor like ClearDATA can.) This will include:
- Integrating hardening standards into your infrastructure as code pipeline
- Developing infrastructure and service hardening standards
- Building infrastructure as code deployment pipeline
- Automating dependencies for chargeback into account and workload management
- Internal chargeback and budget management strategy
- Implementing account management automation
- Developing account segmentation strategy
- Implementing access control system
- Developing access control governance strategy
Phase II: Compliance and Security
This is where it gets a lot more complicated. We talk to many organizations that become our customers at this phase because although they were able to build and deploy within compliance frameworks, data is not static, and they drifted out of compliance the moment anything changed. They also realized the cost and risk associated with not having the deep expertise and the time and resources needed to commit to managing and monitoring security and compliance in the cloud. The reality is to be really good at the business of privacy, security, and compliance in healthcare, it needs to be your only business because it takes time and resources.
You’ll need to dedicate some serious time to reading and interpreting new regulations like the General Data Protection Regulation, or HIPAA. It’s important to remember and remind your team: just because a cloud provider offers HIPAA-eligible services doesn’t mean they’ve taken care of your compliance stature. It’s up to you to not only configure your HIPAA-eligible services in a manner that makes them HIPAA compliant but also ongoing compliance throughout the use of the service. For a lot of organizations, that’s a huge gotcha that leaves gaps that increase risk. And we know risk equals time and money with a layer of worry on top. For a full rundown, see our blog on the differences between HIPAA-eligible and HIPAA-compliant services.
Here’s what you’ll need to be ready to address for your compliance and security posture in the cloud:
- Compliance experts who regularly review and interpret complex healthcare regulation standards, both new and old
- Ability to map and align technical controls across regulatory frameworks and standards
- A strategy for monitoring your compliance and security posture and supporting ROE
- A method of enforcing compliance through adherence to documentation and/or code
- Based on geographies of where you’re working, identification of any data sovereignty requirements
- A data locality plan
- Determination of your auditable measurements for mapped technical controls
- Visibility into ongoing compliance stature via a dashboard, or some way to show your compliance in an auditable trail
- Audit strategy for delivering ROE detailing compliance
- Annual audit support
- A compliant container and microservices offering including Kubernetes
- Hardened images according to CIS benchmarks for numerous Operating Systems, patching every night, with releases every 30 days
- Intrusion detection for monitoring, along with a team of experts to detect and prevent any malicious attacks
- A Security Incident Management plan
- Vulnerability scanning and remediation
- A system for monitoring product assets
- Defined strategies to enforce key management, log retention, data protection, encryption, and more
Phase III: Maintaining Privacy, Security, and Compliance As You Scale Your Business
Phase III is the ongoing day-to-day concerns about security and compliance as you work to scale your business and find time to focus on your business objectives.
We speak with many organizations that are able to do some, but not all of the work in these three phases. For them, we offer a la carte services and products in a self-serve model so they only pay for what they need. For other organizations, we talk to leaders who need it all, start to finish, so they can get on with building their business efficiently.
We increasingly see many who want ClearDATA to step in for the actions outlined in this document because they want to focus on being in the business of innovating healthcare outcomes and growing their business. If you put a pencil to what it would cost you to do this as a DIY adventure, I think you’d see time and money saved by going with a company that does this as its business every single day and whose mission is focused on finding new, safe ways you can innovate in the public cloud.
Contact us today and let us visit with you about how to give you more time to focus on your business objectives.