The Connecticut Attorney General’s office has announced it is filing a lawsuit against Health Net of Connecticut for failure to protect personal health information (PHI) covered under HIPAA. The recent Health Information Technology for Economic and Clinical Health (HITECH) Act gives state attorneys general the authority to pursue legal action for HIPAA violations on behalf of the residents of their states.
This case is significant as it is the first action taken by an attorney general under these new guidelines. We should follow this case closely to see what the impact will be on other states. While each district court may rule differently, this nonetheless creates precedent and case law where none exists today.
If your organization has PHI in its possession, take note. This enforcement action has been taken less than 12 months into this new legislation. You can expect to see more of this in the news very soon. Please protect your data so you are not the next poster child for poor data protection practices.
Cloud computing is all the rage these days. The promises of seamless upgrades, long-forgotten capital budgets for infrastructure, and no talent acquisition and retention headaches are the sweet song of a lovely maiden to a weary seafarer. Moving services to the cloud is sexy to be sure.
There are so many positives to cloud computing that bringing up any negatives almost appears as if you’re simply playing devil’s advocate. Leveraging infrastructure across multiple organizations has huge benefits. Processing cycles are less likely to sit idle, less electrical power is utilized, and fewer support engineers are required. I could go on and on.
The two negatives I hear most frequently about cloud computing are customization and security or privacy. Naturally whenever a shared environment is utilized, the lowest common denominator is used. This limits the amount of customization one can do to that environment.
But what about this whole security and privacy uproar? Is it really that big of a deal? Let’s look at a few key points.
You can’t control what you don’t “own”. You don’t own the infrastructure. So what happens to a drive when it goes bad and is replaced? Is it destroyed in such a manner that your data is rendered unreadable? Unless you’re going to be on-site for the disposal of every piece of equipment, you have to rely on your contract.
Shared infrastructure does not equal shared data. It also doesn’t exclude the possibility that your data is shared either. It’s important to do full due diligence on your cloud computing provider’s infrastructure AND application design to see if there are adequate administrative, technical and physical controls to protect your data.
Possession is nine-tenths of the law. Data ownership should be outlined in your contract. With that said, having a piece of paper saying you own something doesn’t always equate to full and exclusive ownership, does it?
Do these issues mean I’m against cloud computing? Not in the least bit. I’m a huge proponent of moving services into the cloud. In fact, Pratum is even working on an application for access certification which could potentially be a cloud service for our customers.
Cloud computing does, however, bring up the importance of improved data governance policies and procedures. It also raises the stakes during procurement. The biggest issue we had to worry about in the past was how we got service on a piece of hardware or software we bought. With your entire business and its data at stake, the ante has been upped. With the proper precautions and understanding of the risk, the payout could be huge for cloud computing. Are you ready for a little high stakes gambling?