Tumult in the Clouds
by Brendon Nafziger, DOTmed News Associate Editor | April 29, 2010
And, like other leading cloud providers, the provider encrypts all data both in transit and at rest in the cloud, so even if they were somehow stolen they would yield little to a thief who does not also hold the keys.
And then there's auditing, which tracks all access to data. Nirvanix's Zierick says they follow SAS 70, an auditing standard for a service organization's controls that gained popularity with financial firms eager to comply with Sarbanes-Oxley, the law that governs corporate financial reporting and auditing.
"Every transaction is logged, and customers can print out reports to say when files were uploaded and downloaded as well as internal reporting structures that show operations of our people in managing that data," says Zierick.
What to look for
So, for health centers looking to move to the cloud, how do they choose a provider?
First, buy from a trusted brand. As with the early days of e-commerce, Kermani suggests only doing business with the big names. "People have less of a problem going to a reputable e-commerce site, rather than going to Moe's discount site for whatever," he says. "I think at the end of the day, if it's not a top name brand there's a leap of faith."
And remember that cloud storage is a marriage, not a fling, and as with any long-term relationship it pays to know who your partner is.
"When you put your medical images [in cloud storage], you're not committing for two days, but for 5 or 10 years. You need assurances for longevity of the vendor. If they go [bankrupt] and you can't get your data back, they can be as secure as you possibly want," Kermani cautions.
Before signing up for a 10-year agreement, Kermani suggests asking if the company itself has been around for 10 years. "If it's a VC-funded, all-star team, all they're trying to do is sell their company, cash out and go sit on the beach. I think that's the way it is," he says.
The vendor should also have its data center security infrastructure certified and tested by third-party audits. Those audits should cover physical security (such as biometric scan access to data centers), hardware security, firewalls and data encryption, says Howard.
The site should also give you audit trails that obsessively catalog every transaction, so you know whether someone has been in there and what they have seen. That feature is especially essential for health centers in California, where a recent "no peep" law levies punishing fines on providers whose confidential patient records are seen by people who shouldn't see them.
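To make concrete what reviewing such an audit trail actually involves, here is an added illustration; it is not Nirvanix's reporting code and does not come from the article. It parses a constructed access log in a hypothetical CSV layout, flags reads of patient data by staff outside that patient's care team (the "no peep" case), leaves the storage operator's housekeeping actions alone, and builds the per-file upload/download history Zierick describes above. The log rows, the care-team roster, the operator account name and the action names are all assumptions made for the example.

```python
"""Illustrative audit-trail review for medical images held in cloud storage.

Added example. The log layout (timestamp,user,action,patient_id,object),
the records, the care-team roster and the operator account are constructed
for this illustration; none of it comes from Nirvanix or from the article.
"""
import csv
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from io import StringIO

# Constructed sample access log, one row per transaction.
SAMPLE_LOG = """\
timestamp,user,action,patient_id,object
2010-04-12T08:01:10,dr.alvarez,download,P1001,ct-chest-001.dcm
2010-04-12T08:03:41,rad.tech.kim,upload,P1001,ct-chest-002.dcm
2010-04-12T12:15:02,dr.alvarez,view,P1002,mri-brain-007.dcm
2010-04-12T23:48:55,billing.ops,download,P1001,ct-chest-001.dcm
2010-04-13T09:30:00,storage-ops-17,rebalance,,ct-chest-001.dcm
"""

# Constructed care-team roster: who may read which patient's records.
CARE_TEAM = {
    "P1001": {"dr.alvarez", "rad.tech.kim"},
    "P1002": {"dr.alvarez"},
}

# Hypothetical storage-operator account and the housekeeping actions it may
# perform. Moving or replicating a blob is fine; viewing one is not.
OPERATOR_ACCOUNTS = {"storage-ops-17"}
OPERATOR_ACTIONS = {"rebalance", "replicate", "delete"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    action: str
    patient_id: str
    obj: str


def parse_log(text):
    """Parse the CSV audit trail into Event records."""
    rows = csv.DictReader(StringIO(text))
    return [
        Event(datetime.fromisoformat(r["timestamp"]), r["user"],
              r["action"], r["patient_id"], r["object"])
        for r in rows
    ]


def find_improper_access(events):
    """Return events where patient data was touched by someone who should
    not have: staff outside the care team, or an operator account doing
    anything beyond housekeeping, or housekeeping by a non-operator."""
    flagged = []
    for e in events:
        if e.action in OPERATOR_ACTIONS:
            if e.user not in OPERATOR_ACCOUNTS:
                flagged.append(e)  # clinical staff should not delete/rebalance
            continue
        if e.user not in CARE_TEAM.get(e.patient_id, set()):
            flagged.append(e)  # read or write outside the care relationship
    return flagged


def transfer_report(events):
    """Per-object upload/download history: when each file moved and by whom."""
    report = defaultdict(list)
    for e in events:
        if e.action in ("upload", "download"):
            report[e.obj].append((e.ts.isoformat(), e.user, e.action))
    return dict(report)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in find_improper_access(evs):
        print(f"IMPROPER {e.ts.isoformat()} {e.user} {e.action} "
              f"{e.patient_id or '-'} {e.obj}")
    for obj, history in transfer_report(evs).items():
        print(obj, history)
```

Run stand-alone, the script flags the midnight download by billing.ops, who is on no care team, and prints the movement history of each image; the operator's rebalance is reported nowhere, which is the point of separating housekeeping from viewing. A real deployment would read the roster from the EHR rather than a dict and feed flagged events to whoever answers for the "no peep" law.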
What's most important of all? The fine print: a service level agreement that keeps your data in-country and that guarantees availability.