Cloud computing: Recognizing and managing risk

Cloud computing is transforming IT and business models in every industry, and health care is no exception.

In a HIMSS Analytics survey of medical practices, hospitals and health care systems, 80% of respondents reported that their organization uses cloud services.[1] As usage continues to climb, internal audit (IA) will be increasingly relied on to understand the technology and its impact on processes, and to take a key role in managing the business risks related to third-party relationships.
Organizations must maintain control whether the shared technology resource pool — information, applications, infrastructure and/or services — is internal, external or with a third-party vendor.
As your organization steps up its presence in the cloud, IA can significantly help reduce risks by supporting adequate control and monitoring practices through three essential activities:

1.  Understand the related risks
Adopting cloud computing brings benefits but also challenges and risks. From an IA perspective, risks can be divided into six categories:

  • Data security
    As they are required to do for any business associate handling electronic protected health information, providers must assess the adequacy of the cloud vendor’s control environment. IA should help determine if the vendor’s security posture is based on a standard (e.g., ISO 27001, the Cloud Security Alliance and the Payment Card Industry Data Security Standard [PCI DSS]) and if the vendor has performed a security assessment. It is also crucial for IA to work closely with the organization’s IT security function in order to improve its ability to identify weaknesses and recommend feasible solutions.
  • Data transmission
    Because data is often transmitted through public channels such as the Internet and wireless networks, IA should confirm that your organization can assess the vendor’s policies, procedures and technical measures to support data encryption for sensitive data in compliance with state regulations.
  • Multitenancy
    Cloud vendors may combine different clients’ data on shared hardware. IA should request an explanation of how data is segregated and assurance that data is appropriately protected from unauthorized access, both in storage and during transmission.
  • Location
    Your organization must be notified of where data will reside, including if storage will be outsourced, and receive notification of any moves. IA should validate that standard contract templates and existing agreements include the appropriate terms and vendors are complying with those requirements.
  • Reliability
    IA should confirm that proper service-level agreements are in place, and assess the existing monitoring tools and reporting mechanisms to evaluate the vendor’s ability to meet short-term surges of demand. IA should also review change management protocols and recent events for evidence that controls are operating as expected.
  • Sustainability
    IA should confirm the vendor has disaster recovery and business continuity plans and that your organization has downtime procedures for how operations will continue if a cloud solution is not available. Additionally, internal auditors should evaluate existing plans to move data if the vendor goes out of business or the agreement is terminated.

Trends shaping the future of cloud computing in health care
Hybrid cloud: In this environment, an organization owns and manages some technology resources, either internally or hosted externally by a third party exclusively for the organization. Other resources run on a third party's public cloud.
Data analytics and big data: Implementation of electronic health record (EHR) systems and health information exchanges (HIEs) has allowed the health care industry to become better at capturing and sharing data. However, making the best use of that data to improve the quality and efficiency of patient care still lies ahead.
Collaboration: Cloud computing facilitates information research and sharing for patient care and administration, with use well underway in HIEs and EHRs. Given the reduction of cost and skill barriers to entry, collaboration solutions are likely to become standard.
2.  Validate the effectiveness of the vendor management program
The life cycle of the third-party vendor relationship — from vetting potential vendors to active monitoring to termination — must be managed by your organization. The overall process requires structure and formality in order to be effective. IA can act as a consultant in supporting the creation of the program, ensuring that proper controls are considered, as well as validating that established procedures are redesigned if necessary, new procedures are designed and all are operating effectively.

Given the complex governance structures in the health care industry, it is sometimes difficult to keep a complete inventory of an organization’s cloud solutions. IA should determine if your organization has adequate formal practices and tools to first identify cloud solutions and then perform individual risk assessments.

In addition, if your organization intends to move to COSO 2013 as part of its Sarbanes-Oxley (SOX) program, an adequate vendor management program will help in addressing common issues experienced when implementing the COSO 2013 risk assessment for third parties.

3.  Confirm HIPAA and other compliance
For health care organizations using the cloud, HIPAA compliance is a significant concern. Compliance entails not only your organization’s internal control environment, but also the control environments of business associates — such as cloud vendors — whose functions or activities involve the use or disclosure of protected health information. Ideally, the cloud vendor should provide a HIPAA compliance audit report. If the vendor is unable to provide the report, the next-best alternative would be Service Organization Control (SOC) reports, SOC 2 or SOC 3. They provide assurance on internal controls at a service organization (in this case, the cloud vendor) relevant to security, processing integrity, confidentiality and privacy. Unlike the SSAE-16, SOC 2 and SOC 3 reports address a wide range of controls and cover two key elements of the HIPAA regulations — confidentiality and privacy — making these reports more suitable for evaluating HIPAA compliance.

Simply accepting the SSAE-16 or SOC reports from the cloud vendor is not enough. Because your organization is responsible and liable for regulatory compliance, it must assess how the vendor meets requirements. Personnel with knowledge of internal controls and their limitations must review the reports. In order to assess regulatory compliance, it is critical that they understand:

  • The particular services provided by the vendor
  • How the vendor’s services are used within your organization
  • The relevance and coverage of internal controls
  • How your organization’s controls complement or supplement the vendor’s controls
  • The impact of control deficiencies noted on both your organization and the vendor
  • The reporting period

Monitoring is also needed in other compliance areas such as the PCI DSS, SOX controls, and state privacy laws and regulations. IA can assist with the evaluation of vendor SOC reports, as well as with maintaining internal PCI and SOX programs.

IA’s role will continue to grow
It is clear that IA will be increasingly counted on to focus on cloud solution technology and processes. Performing assurance and consulting activities in support of your organization’s business strategies will require a combination of technological capabilities, business skills, and a collaborative mindset.

[1] See 2014 HIMSS Analytics Cloud Survey, HIMSS Analytics, June 2014, for the report.