
Clouds and compliance: Yes, you can.

Cloud computing has stirred many reactions from TechRepublic members. In this blog, IT pro Rick Vanover sits down with a compliance expert for the hard facts on going to the cloud.

I have been covering cloud here on the Network Administrator blog simply to inform those who may have questions about cloud technologies. Every time I talk about cloud computing, someone is sure to raise negative commentary about compliance. I had a chance to sit down and talk with Dorian Cougias of California-based Unified Compliance Framework, which specializes in mapping IT controls across international regulations, standards, and best practices.

Mr. Cougias did a good job of simplifying compliance for mainstream IT by saying: “Compliance has a blind eye to cloud computing.” This is because compliance controls are written at a level above any specific technology solution. To say it another way, the organization carries the burden of building and deploying a solution that is compliant, whether in the cloud or in a private datacenter. Whether or not it is built correctly is the responsibility of the architect and the organization.

Because the organization is still responsible for building a sound system, another issue that frequently arises is backup strategy. This can be addressed through cloud-centric solutions or by addressing data protection architecturally through cloud federation. Again, the compliance controls focus on the high level rather than on detailed software and hardware configurations.

Another discussion point is availability of the IT footprint. Speaking frankly, I think Google Apps, Amazon Web Services, Nirvanix Storage Delivery Network, and Windows Azure can all run datacenters better than most of us can. I gave a primer on service level agreements (SLAs) in an earlier post, and that got me thinking: How easy is it to get a formal SLA in your own organization? Can you make one as clearly defined as a cloud provider's?

UPDATE: As usual, TechRepublic members have responded in force. But this time something is special. IT compliance expert Dorian Cougias has issued a challenge to the naysayers:

“Therefore, my challenge is this. I will pay the sum of $100 for any person who can send me a citation from any authority document (statute, code of regulations, judicial bench review, or international contractual obligation like PCI) that forbids cloud computing.”

What an opportunity! Respond to the previous thread if you are up to the challenge. The challenge is not sponsored by TechRepublic. This is, however, an opportunity for us to independently hammer out cloud topics.

About

Rick Vanover is a software strategy specialist for Veeam Software, based in Columbus, Ohio. Rick has years of IT experience and focuses on virtualization, Windows-based server administration, and system hardware.

62 comments
Deadly Ernest

allow more room for responses if needed. I believe I see a bigger difference between the 'potential' to be compliant and the 'reality' of compliance than you do. An independent expert can say they believe, in their opinion, that a thing is compliant - but only a regulator with auditing experience can say it is or isn't. If all experts agreed on everything we would never have solicitors and lawyers giving different opinions on the same matter. This is stepping a bit aside but it does demonstrate the concerns I have. For over fifty years we had independent experts saying cigarette tobacco and asbestos were both health compliant and safe to work with. In the last few years we've had a number of legal cases proving them wrong and handing down big judgements against the companies who produced the products. Now the case with tobacco is a lot different to the case with fibre board, but both had the health experts saying OK for decades. Now they all say not OK. With tobacco we had a few experts with differing opinions since the early 1950s. With the fibre board material no one had a differing opinion until about ten years ago. Experts said safe, and some still do; the judges' opinion is not safe. This shows the true value of an expert against a judge - guess who wins at the end of the day. Thus, I'll wait until one of the appointed judges gives a ruling - via the issuing of a compliance certificate.

Dorian Cougias

Okay, I'll put up a challenge to the readers here who have posted "oh no you can't" type of responses. I'm the guy who Rick quoted in his article. What I noticed in all of the responses was a lack of authority document citation forbidding the use of cloud computing. And I know the reason. The reason is that no one can quote any authority document being against any specific form of technology because the authority documents are written to avoid such linguistics. I know. I re-scanned all 350+ world-wide authority documents tracked by the UCF (http://www.itucf.com) looking for any such technical terms, and those terms aren't there. I also called a couple of lawmakers who then said (off the record) "regulatory structures are always, or should always, be written to be prescriptively ambiguous." This means that they should NEVER mention any particular technology or methodology, as both can easily change and therefore either subvert the law or obfuscate the law. Each and every time we in the UCF mapping team see any particular technology mentioned in a law, it isn't very long before the law comes out with a revision or judicial review which restates the item in question to be prescriptively ambiguous. Therefore, my challenge is this. I will pay the sum of $100 for any person who can send me a citation from any authority document (statute, code of regulations, judicial bench review, or international contractual obligation like PCI) that forbids cloud computing. I'll leave it up to Rick Vanover to handle how the threads and responses are published and posted, and we'll have an independent law firm review your authority document citations and determine whether you are right or wrong. By doing it this way, we'll either be able to get to the bottom of the "no you can't" line, or we'll know that the "no we can't" is simply because an organization has taken its own stance, without regulatory authority backing for that stance. Sound fair?

Dorian J. Cougias, Founder and Lead Analyst, Unified Compliance Framework

bspreng

The standards, the security, the legal support, the understanding of management, and definitely the risk management are most certainly not there! So please stop blowing smoke in my ear!

travis.duffy

I work for a financial services institution and when it comes to cloud computing the answer is no. We simply do not want our data outside of our organization. Regardless of what compliance and regulations these services meet, there will come a day when data is compromised and stolen. Regardless of who is to blame after the fact, you get to tell your customers that their information has been stolen. Credit card processors get compromised way more than they should and we are going to count on Google to keep our data secure. YEA RIGHT!!

Deadly Ernest

compliance and other security matters - if they aren't covered the SLA is useless.

CG IT

HIPAA is the regulation that most of my clientele must comply with, so when the discussion of Cloud Computing comes up, I have to tell them that it's their responsibility to ensure compliance and also vendor compliance if the vendor also falls under HIPAA regulations. Access to data under HIPAA requires both technical safeguards as well as physical safeguards. It's those physical safeguards where I can't see how a Cloud Computing vendor can ensure that unauthorized users do not gain access to the physical equipment when that physical equipment is located at the vendor. One area that HIPAA auditors look at very closely is where the protected data is stored and how that data is protected, including asset control. While a Cloud Computing vendor could conceivably create a protected area for HIPAA customers as well as specialists to manage the equipment, it would certainly cost a lot more than for companies that don't have to comply. More so than companies having their own infrastructure and employees.

b4real

HIPAA, PCI, COBIT, SOX??? A quick vote for the single governance for which you would like specific clarification would be appreciated.

b4real

So this works out nicely. My next interview and post on this blog will be with a compliance authority if possible.

Jaqui

F.I.P.P.A [ Freedom of Information and Privacy Protection Act of Canada ]: EXPLICIT consent is required to share an individual's information with any other party. And the clause in the Patriot Act that required ANY company with an office in the U.S.A. to hand over ALL information to the U.S. Government on request EXPLICITLY forbids letting anyone know, never mind getting their permission. Shortly after the 9-11 incident and the Patriot Act went into force, Medical Services of British Columbia put themselves into violation of the CANADIAN law by purchasing database services from a US company. I doubt there is 1 law that would make cloud computing prohibited, but it's a combination of laws between different countries that will be a source of conflict. ANY "cloud" service in the US will be under the remnants of the Patriot Act, and that act violates privacy laws in most countries.

Deadly Ernest

that name is too damn new to be appearing in any regulations or legislation as yet. I don't know of anyone saying it absolutely won't happen due to legislation and compliance, but I have been saying it's extremely unlikely to happen because you JUST won't be able to get a reasonable cost saving and / or ensure proper compliance. Security requirements for personal information in Australian government departments are covered by privacy laws and most require a security system equivalent to what's required for National Security Secret level. Now that means the physical area the data is in must be secured to a specific standard, all access must be strictly controlled, and no one allowed near it unless they've been given a suitable security clearance beforehand and have a work requirement need to go there. All that is NOT cheap. Having such a clearance and dealing with such material from the Dept of Defence does NOT give me automatic approval to deal with such information belonging to the Dept of Immigration. What a lot of people don't realise is a lot of that same level security is applicable to many private enterprise organisations in relation to personal details under the same or similar laws. Let's now assume you have set up a suitable secure server farm. My data is stored there. Under the same legislation I'm required to regularly check that the facility meets the requirements and the staff all operate as per the rules. So I have to have my auditors visit your site to do that. Each of the other companies has to do the same thing. Have you factored in the cost of having your people supervising all these auditors coming through? It's not just as simple as looking at a single reg that says a steel cage with a tough lock. By the time the whole issue and ALL related costs are taken into account, very few major organisations will realise any savings from going to cloud computing for their major data. And if you have to have an internal server farm, why not have it all in house.

Second issue - where is it stored? I don't know the law, but in another thread someone mentioned a law in the UK or Ireland that Health authorities are NOT allowed to have any personal data leave the country or be stored off shore. Are the people offering these services going to set up farms in each country? I know most big businesses won't like the idea of having their data stored in another country under laws they aren't familiar with either.

Personal opinion. I see cloud computing taking off really big in a few areas: 1. Internal cloud thin client alternatives. 2. College students and private individuals for personal use. 3. Minor corporate use for form storage to be used by staff who travel a lot, but not client data storage.

Screen Gems

but not realistic given existing regulations for medical records would be a more apt description. Other regulations governing, for instance, educational networks and banking networks might also have requirements that preclude the use of a Cloud Computing environment due to security of data requirements. That is not to imply that the regulations state "Cloud Computing" can not be used; rather, to be redundant, that the controls required for compliance with regulations can't be met currently with the use of "Cloud Computing".

b4real

Dorian knows his stuff - that's why I cited him. I'll watch the posts here.

Derteufel

So many people are pushing it and I wonder if they work for a provider. It's not for everyone, and we are with you. It has its benefits for certain applications, but still, there are risks that need to be considered.

tracy.walters

I am a CISSP who audits Health Care IT for a living. Health Care Providers and Payers must comply with a myriad of regulations, including HIPAA, HITECH, CMS, FTC, PCI, while using techniques from NIST, ISO and COBiT to implement, monitor and manage security. In so many ways, Cloud Computing in its current form cannot comply with those standards. HIPAA is very vague and left up to interpretation. And there is the rub...if you have a security breach, lose data, and get sued, you BETTER prove you have done EVERYTHING possible to defend that data, because the lawyers are coming. To me, Cloud Computing in Health Care is just a lawsuit waiting to happen.

paul.simmons

There is no law for example stating SPECIFICALLY it is illegal for a 1990 Green Chevy Malibu Convertible to go 100 mph on Main street but that does not make it legal. The question is what happens if your patient/customer info is released in a cloud environment.

jmarkovic32

We're not talking about SOX or anything. Most reputable cloud providers have compliance in place more stringent than HIPAA.

b4real

Should you have an arrangement with a big cloud provider (the ones we are familiar with), you can be assured that access to the areas containing the equipment is controlled. Yet the fact that the customer doesn't control it does not make it non-compliant.

b4real

CGIT: Any commentary? Deadly Ernest, just because you are who you are, is there an Australian authority you would like such research on compliance for cloud technologies from? If you don't pipe up - you can't comment on my follow-up post! (Joke)

Deadly Ernest

relevant for you to get the US situation first and I don't currently have any clients even considering the cloud. But, from what I hear and see, I think HIPAA is going to be one of the hardest to get right.

b4real

Please, more of these. I find this as a springboard for future content better than water pitching contests. Cheers.

CG IT

and whether a vendor's compliance also means a company's compliance. Because that is what, in essence, you are saying: that if the "Cloud" provider is compliant, then their customers would be compliant.

chris

You or your cloud vendor can satisfy auditors to certify compliance with HIPAA, PCI, NERC, FISMA, SOX, etc., and still have a vulnerability issue arise somewhere at some time. So I think you can use cloud and be technically "compliant". However, the chance for data loss or unauthorized access can always be minimized but never completely eliminated, no matter if the data is stored locally on the most secure system, or in the most secure cloud. A plan to address any data loss or security breaches should always be a documented part of IT strategy, cloud or no cloud.

jeffro in Berkshire

is that per person or for the first person who can provide the instance?

b4real

There are plenty of reasons for and against Cloud technologies. My point is that from a compliance perspective, external clouds do not inherently imply noncompliance.

fredscomprepair

I presume we are all intelligent? Why go back to dumb terminals? I thought the whole idea of a stand-alone computer was to organize it the way an individual would like it, not a cloud? It seems like we are all standing in the same line anymore and we better comply. I'm keeping my old Win 98s just in case this thing gets out of hand. Remember when you are on a cloud someone is watching you.....Food for thought.....

b4real

The regulations further don't take stances on very specific technical points, as they change too frequently, making enforcement obfuscated or easy to subvert.

CG IT

I have consulted with health care providers on HIPAA compliance where the company that set it up said it met HIPAA and the auditors came in and shot them down. The end result was that the health care provider is responsible for protecting their data even if they hire a vendor to do it. That the vendor must comply with the regulations and that the health care provider needs assurances that the vendor does. While the auditors don't say the health care provider must audit vendors and document the results of the audit for compliance, that's what they were looking for. The biggest area that auditors look at is user access and inventory control. The auditor wanted to see how unauthorized access was denied, how it was detected, and what happens when it is detected. Inventory control was almost the same: how does a health care provider prevent protected data stored on electronic media from being disclosed? Flash drives were another big area they looked at. The company that set up the HIPAA network didn't put safeguards in for flash drives. They felt that encryption was enough and the auditors didn't buy it. All in all, this one health care provider had 25 areas that were not compliant with HIPAA regulations. The company that set up the network spent a lot more $$ than they bid to make it compliant.

Deadly Ernest

sound like they may be, then proper compliance is going to be very awkward, to say the least. One place I worked we were the outside company that maintained the secure Internet gateway for a few government agencies, and the gateway was compliant to DoD Aus standards, which were a photocopy of the DoD US standards at the time - not sure if either have changed. Under those standards no one, and I mean no one, was allowed in the physical area of the gateway UNLESS they had a DoD Secret clearance or higher. This meant the gateway server room was an extra tight sealed area at the back of the main server room and the normal network staff weren't allowed access to the gateway server room. The contract allowed us to hang other clients off the back end of the gateway, but prospective clients were NOT allowed in the server room or the gateway administration area unless they had a suitable clearance - heck, some of the company senior staff weren't allowed in either. We had a couple of cleaners who were the only ones allowed in our area as they were the only ones with a suitable clearance. Third party compliance with such matters is NOT easy, and it is NOT cheap. If someone like Google etc. is going this route for compliance with high security areas, they'd do best to set up a physically separate server farm and operate it separately from their main server operation, with the whole floor or building locked down to the required compliance rules. Such a setup will cost a lot more.

CG IT

164.310(d)(2)(iii) A= Accountability - Implement procedures to maintain a record of the movements of hardware and electronic media and any person responsible therefore. 164.312(a)(1) R= Access Control - Implement technical policies and procedures for electronic information systems that maintain ePHI to allow access only to those persons or software programs that have been granted access rights as specified in Sec 164.308(a)(4). Or how about this one: 164.312(b) R= Audit Controls - Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI. That Cloud Computing system would have to provide those records. Since most Clouds will be using VMs, the reporting isn't covering just the VM, but the information system that contains protected information. Not just the virtual machine. I can't see how doable it is without cutting corners to cut costs.

b4real

Cheers for now CG IT and Deadly Ernest.

CG IT

Try schools and their requirement to have available all emails sent and received on their equipment. What if the school uses Cloud Computing? Does Cloud Computing negate the requirement? Or will the Cloud Computing vendor have to manage that for their customers?

b4real

For a standard to do an interview.

CG IT

but it's not the only regulation businesses must comply with. But for HIPAA relevance to cloud computing, here's a site with some really good articles: http://www.hipaa.com/ Take a look at Transmission Security Encryption, Integrity, Authentication, and the last article on Accountability, which is especially relevant to vendor storage of electronic exchange of personally identifiable health information. For "Cloud Computing" or, to use another term, Network Operations Center, to be viable, the Cloud Computing (NOC) vendors really have to manage both ends: equipment, its configuration, maintenance, administration, users, and users' access at their customers.

b4real

Fair enough. Be sure to tell me which compliance authority you want me to get official statement from.

CG IT

the regulations are like design specs. They outline the end result, but they do not tell you how to get there or how you are supposed to do it.

Deadly Ernest

conduct the audits and have they issued a compliance certificate yet? I don't know if you've heard it but a definition of expert is: ex - used to be or was; spurt - a drip under pressure; expert - used to be a drip under pressure. I can't even think to count the number of times I've had independent experts tell me something was compliant with a regulation only to have the official auditor note a discrepancy and send it back for fixing. I recently had an expert in the local motor vehicle laws say I was at fault in an accident and was suing me for the other guy's damages. That is, until I pointed out the section of the law he stated applied didn't apply to the case as another section applied first and required his client not to enter the street yet. After we presented the matter to the courts, we both agreed on the facts of the issue, and the judge wanted to know why we were wasting his time. The solicitor's client should have stayed out of the street whilst my vehicle was in motion, end of story - pay Mr Bywater compensation for missing work today. Yet he was a motor vehicle claim expert. Always wait for the judge's decision. And that's what I'll do. I'll wait until after a compliance certificate has been issued for one of these systems, not the opinion of a private expert. As I said, it's possible for any system to be made compliant, but it isn't actually compliant until the certificate is issued.

b4real

With all due respect, Mr. Bywater, I have done the work in interviewing the compliance experts. This is the story. Not sure what more you need.

Deadly Ernest

point to a law or regulation that says you can not use a technology that doesn't exist when the law was written. This is because most laws are written retrospectively in that they get made AFTER someone misuses or messes up using the new tech. Although I am waiting for the person who posted about the Irish Privacy laws to quote the section they once quoted before where it says you can NOT move any personal data off shore except under terms so tight it's not possible to do. I do know there is a combination of mixed commonwealth and state laws on health data here in NSW that makes it impossible for private medical practices to share data except as written information in a referral or the result of a test going back to the doctor who ordered it. The medical service I use has branches in Junee and Wagga, but they can not transfer my records from one branch to the other and cannot refer to them from the other due to the regulations under the health laws on security of data. I asked about it when I was having difficulty getting to one of the sites and wanted to use the other for a couple of months. Also, I'm just too lazy to go through about seven feet of printed regulations to find the exact clause; not for only $100 that would be a real bugger to collect from this distance.

b4real

Have either of you any interest in earning the reward? Figured if possible to prove it otherwise - one of you two would deliver.

CG IT

I think that saying Cloud Computing meets security regulations, thus a company buying the service would also be compliant with regulations, is taking creative privilege. Security isn't a one way avenue. An insecure client connecting to a secure service can make the secure service insecure.

Deadly Ernest

If you go back over the posts I've made you'll find some I made back when Google first put out their web based word processor app (was that a year or two back, I forget). I said, at the time, that I could see this being useful for students at high school and college, and for people on the move - i.e. a person travelling by plane and unable to take a computer with them due to the risks of damage when being checked at the various security check points; and also for internal corporate use from their own servers. In the first three, having the app and the data accessible from anywhere would be an advantage. In the last it would be a variant of thin client and very useful. It's good to see that some people are working towards making that happen right. But it worries me when I see blanket headlines that are misleading, especially when we already have enough problems getting non tech senior managers to try and understand what we're trying to say about tech security. Take this thread title - a non tech senior manager would see that and immediately assume that all cloud computing services now meet all regulation compliance needs. I'm sure that isn't what you meant, but that's what some will read it as. I think you meant something along the lines of "Cloud Computing can now be made compliant." Every time I say, slow down, we haven't yet seen a case where they have been given a full compliance certificate following an audit, I get hit with an answer that summarises as 'but they are already.' We need to tread carefully in this field, and not charge blithely ahead. This is new technology and we don't know all the ramifications yet. Never forget the Tacoma Narrows Bridge - new technology for lightweight suspension bridges. As a result of the collapse they learnt a lot they didn't know until then, but that didn't help anyone on the bridge at the time, or the people who paid for it.

With cloud computing we need to be FULLY aware of all the risks and all the benefits, and all the things that need to be covered. Sadly, too many of the articles I've seen on this are all about perceived benefits only, with no mention of the downside items at all or possible problems. So I see a need to say 'Slow down, we can't see if there's a cliff ahead at this speed.' It's good you like the concept, but you do need to temper the enthusiasm a bit and show it in a lot more realistic manner with all the pros and cons. One con I rarely see mentioned by others is the added cost of the increased Internet activity - a few talk about needing a bigger pipe, but here in Australia (and some other countries) we also pay by the MB for download and upload (don't know if you do). So moving a few terabytes of network activity off the internal network to the Internet is going to be very costly, but it's not mentioned in the cloud computing articles. Neither is the cost of upgrading the Internet connection or enlarging the gateways and building in redundancy so a single machine fault won't close the gateway and stop all business for the day. I used to get paid to look for the pitfalls before we had planes falling out of the sky due to the pitfalls hitting home unexpectedly - so I do worry about such things.

b4real

With these two simple points: A) cloud computing does not inherently make something non-compliant; B) you put what makes sense in the cloud. That's all I'm saying. You should know what is in the external cloud; I'm not authorized to say for the one large municipal organization with a lot of sensitive data. Anyway, I wrote the original post, so I'm partially defending my piece yet more so babysitting you and the other guy. Just keeping up with you two on this topic has put me way up there on Forum activity here. Which got me thinking, you must enjoy this based on your ranking on site activity!

Deadly Ernest

Hell, companies get audited while being defrauded or going bust all the time too. Please don't trouble us with companies using the cloud for unimportant data. We are talking about being compliant to handle classified and high security data. Tell us about companies that have to meet such high level compliance needs and are using the cloud for such data and have passed compliance audits for the safe storage of high security data. I know big companies that use the cloud to run wikis on various things, but they don't use the cloud for the storage of the payroll data or the minutes of the last board meetings or the plans of the next corporate takeover. All along I said it can be useful for stuff that it doesn't matter if it gets out, good for private persons who want access from many points, even good for in house use. What we differ on is the suitability for putting critical or classified data out in the cloud and it being a cost effective option and way to do business. To my mind, if you have to have any internal data storage, then you do NOT get any cost savings by putting any of it out in the cloud. Big business has many high security needs; until the cloud shows the required compliance, via a passed audit, for those high security needs then big business should not be using it. The cloud is NOT safe, it is NOT secure, anything in the cloud can be taken down or access denied by a simple denial of service attack on the service provider, then what do you have your hundreds of staff do while you wait for your cloud based word processor to come back on line? Cloud Computing is not the magic IT golden bullet to solve all ills.

Deadly Ernest

exactly the same as IBM developers putting their own valuable data on the EC2 cloud, is it? The article is about IBM allowing others to run their tech on EC2. And nothing about it being security compliant with any high security needs.

b4real

You are not giving us anything other than blabbelrary. Companies are audited all the time with external cloud technologies in use -> You know this, right? In my coming posts, there will be some case studies of current cloud users. These are big names, household names.

Deadly Ernest

state things like - 'Protected level data security must meet the same standards as Department of Defence standards for Classified level of material. Highly Protected level data security must meet the same standards as Department of Defence for Secret level classified material.'

As to whether the cloud computing organisations are compliant - the clear answer is still 'Not Yet.' They won't be until they have undertaken every step required for compliance and been fully audited by the appropriate regulatory body checking the way they handle the actual data involved. So, until they get signed off as being audited and approved, they are still only potentially compliant.

Next is the costing of ALL the costs involved in cloud computing, including the bandwidth costs and not just the data storage costs.

b4real

And there is no kinda compliant, Dorian pointed out. I can't speak for Australian compliance, though. So, right now it is either compliant or not compliant. Also, you talk DoD (I'm presuming Australian DoD) a lot. But TR isn't really targeting defence technology to your level if that is what you do. Cloud will win, bro.

Deadly Ernest

Until they prove the storage area has the required physical security measures and access control measures, and that all staff who may enter the area have been through the suitable security clearance process, they are NOT compliant. They may be able to become compliant, but are not until those things are proven as having been done. I sincerely doubt any of these organisations will pay the money to have staff go through the security clearance process until they have to do so. The downside of that is the process takes some months and the work cannot be contracted until after the staff involved are ALL cleared. Thus they'll have to pay for the clearances BEFORE they can offer the service that requires it. Either way, I can't see how they can offer a properly secured service at a reasonable saving to the potential client.

Also, if the service being offered has the physical security to meet, say, three sets of Commonwealth and state laws, and they intend to have data from clients from different organisations in that one physical facility, then ALL the staff that have access to the storage area, not just the servers, will have to be cleared through all three security screening processes. Not a cheap method of operation.

I know of one training establishment that has a government contract, but because of the security of the material being taught, the facility has four armed guards on each of the three entrances twenty-four hours a day, seven days a week. A cost they did NOT reckon on when they first bid for the contract, as they did not fully study the security manual information on the security requirements. They expect to make their first profit off the contract in the fourth year of the five year contract. Like the groups for cloud computing, up to the minute they HAVE to meet the requirements they 'have the potential to be compliant.'

The real issue comes in being compliant at a lower cost than the people can be compliant in house; after all, the people doing the work in house already have to be compliant to enter the data and read the reports.

b4real

Unless you can prove otherwise.

CG IT

because the drafters of regulations simply will not be that specific.

Deadly Ernest

Funny how the yea-sayers haven't responded to my post at: http://techrepublic.com.com/5208-12849-0.html?forumID=102&threadID=313242&messageID=3118795 concerning how they'll meet high security requirements and still offer a huge saving, and if they intend to construct the high security restricted access areas and get the security clearances before they start offering the services. I strongly suspect that sometime in the near future we may see legislative and regulation changes to mention this new technology, but no regulation or law in the world names a technology that did not exist at the time it was written and enacted. All of which makes the challenge a bit of a waste of time.

b4real

Funny how the naysayers quiet down!

dcougias

We'll do $100 per person until it costs us too much.

b4real

Be surprised if you come up with something.

b4real

Dorian probably has deep pockets. :) I'd call it a race. No one has provided any claim for the money yet.

paul.simmons

Taking the advice of a vendor on your liability is a career risk. What about your own attorney?

CG IT

so if the compliance people tell you otherwise, I suggest you read the regulations yourself.

b4real

In my interviews, I've had multiple compliance software companies and cloud providers inform me otherwise.

CG IT

164.308(B)(1) R = Business Associate Contracts and Other Arrangements: A covered entity, in accordance with Sec. 164.306, may permit a business associate to create, receive, maintain, or transmit ePHI on the covered entity's behalf only if the covered entity obtains satisfactory assurance, in accordance with Sec. 164.314(a), that the business associate appropriately safeguards the information. - Implement policy to document rules for business associate (BA) identification and process to assure compliance with BA requirements.

(i) Business associate contracts. The contract between a covered entity and a business associate must provide that the business associate will -- 164.314(a)(2)

(A) Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the covered entity as required by this subpart; 164.314(a)(2)

(B) Ensure that any agent, including a subcontractor, to whom it provides such information agrees to implement reasonable and appropriate safeguards to protect it; 164.314(a)(2)(1)

(C) Report to the covered entity any security incident of which it becomes aware; 164.314(a)(2)(1)

(D) Authorize termination of the contract by the covered entity, if the covered entity determines that the business associate has violated a material term of the contract. 164.314(a)(2)(1)

Other Arrangements 164.314(a)(2)(ii): (A) When a covered entity and its business associate are both governmental entities, the covered entity is in compliance with paragraph (a)(1) of this section, if -- 164.314(a)(2)(ii)

But hey, what do I know? I'm probably wrong so I'll shut up now.

b4real

To execute said requirements.
