I'm Marianne Colbusak-McGee, executive editor at Information Security Media Group. Today I'm speaking with privacy attorney Adam Green of the law firm Davis Wright to remain about cloud security issues, including cloud computing shared security models. So Adam, when it comes to a cloud computing shared security model, what does that mean in the context of health care sector covered entities and business associates? So shared security is the idea that there are certain security responsibilities that for example under the HIPAA security rule may be required but could be delegated from one entity or the other.
So if you think about this more broadly, the HIPAA security rule treats every covered entity or business associate as if it's an island, as if it's all alone, and has to comply with all the various different types of controls. But you could have a health care provider for example, and a software as a service provider, and then an infrastructure as a service provider, and they may all work together and have a single set of protected health information, and it doesn't necessarily make sense for each one of them to separately encrypt the same information. And so that's where kind of shared security comes in. This idea that even though the security rule talks about requiring each entity to encrypt information, that could be delegated out to the most appropriate covered entity or business associate in a relationship.
So Adam, you mentioned that different responsibilities can be delegated to different people or different partners in the various cloud computing sorts of arrangements that companies have. When it comes to access controls and encryption of data, as you mentioned, and other important considerations, how should these responsibilities be shared between cloud service providers and health care sector clients, especially when there's more than one vendor involved? How do you ensure that somebody's not going to drop the bull taking what somebody else was supposed to do something? Communication, communication, communication is the key here.
There's not a one-size-fits-all. You may have, for example, one cloud provider who's a software as a service provider that might more or less take care of practically all of the security requirements, at least from technical and physical safeguards perspective, versus there might be a different situation where you have an infrastructure as a service provider that really provides the configurations that allow the customer, the covered entity, for example, to turn on certain technical controls, but leaves it entirely for the customer to do so. And the only way to really know who's got what responsibility is to have open-minds of communication and understanding between the parties so that no one is in fact dropping the ball. So there are going to be some responsibilities like physical safeguards that will primarily fall on the cloud provider who may be responsible for protecting the physical data center.
But then there are things like technical safeguards like encryption or audit logs or things like that that it's very important that the parties communicate and understand who's turning on what, who's got what responsibility. So Adam, when it comes to the health care sector, what are some of the top mistakes that you see entities making when it comes to cloud security that are getting them into trouble? I think sometimes it's thinking that this is sort of a plug-and-play situation where if the cloud provider has good security, then that gets just plugged into the covered entity, the health care provider, for example, their compliance and they don't have to do anything more. And it's important for them to understand that they will still have fair number of responsibilities on their side.
So for example, their risk analysis has to reflect some of the risks associated with the use of the cloud. What happens if there's a network outage and therefore the cloud services are unavailable? What happens if the cloud services user on the covered entity side sets a poor password, which means that even though the cloud service provider may provide more or less Fort Knox, doesn't do much good if the health care provider has left the team the door by having really weak passwords on its side. So it's important for the covered entities to understand where their responsibilities fall on the security side and also to some degree on the privacy side.
So for example, what is their responsibility in an accounting disclosure situation to know what information was in a cloud account that may have been disclosed in a responsible order, for example. So the biggest, I think, challenge area is the parties, especially on the customer side, not fully appreciating what responsibilities fall to them. So Adam, as you know, we're seeing a flurry of breaches and ransomware attacks on cloud services providers as well as other vendors. What are some of your top tips for health care sector entities when it comes to disruptive attacks on critical vendors, whether it be a cloud-based HR vendor or another vendor that handles PHI in various professional services that it provides a covered entity?
What are some of the key considerations? Really, it's looking at what is your disaster recovery? What are your contingency plans if for one reason or another, whether it's the fault of the cloud provider or if it might be the fault of internet service provider in between, if for some reason the cloud service has become unavailable? So if you are relying on the cloud service provider for a particular type of functionality, have you considered and tested what you will do if that suddenly becomes unavailable, including do you have backups of relevant protected health information?
Do you have offline means of trying to accomplish the same type of service? So an example might be if you're relying on a cloud service provider for dictation services and that becomes unavailable, how do you test it? Do you understand how you will proceed when that service might be unavailable? And Adam, what about cloud service providers that might be located outside the US?
Offshore companies, what are some of the critical security risk considerations for US-based health care sector entities that use these services? Not all countries are the same. And so, frankly, there are countries outside the US that have far more robust privacy and security requirements than found in the US. And so you have to be careful about drawing two broad conclusions and treating it as if outside the US is inherently bad.
There is guidance that the US Department of Health and Human Services put out on HIPAA and cloud service providers that talks about identifying whether they're maybe at higher risk because a cloud service provider is in a different country. So, for example, if a cloud service provider is in a country that has a much higher incidence of hacking, that's certainly something that the covered entity should take under consideration in its risk assessment and potentially identify whether there is a higher risk for that particular, for PHI, that is with that particular cloud service provider, whether it be a higher risk of confidentiality breach or a higher risk of loss of availability. So it's also important to understand that a covered entity is required to have a business assessment agreement with a cloud service provider, whatever country that cloud service provider may exist in. So, there will be a contractual right to the covered entity.
But meanwhile, HIPAA may not necessarily govern that cloud service provider. That cloud service provider may instead be subject to the laws of its country. And so, you should understand that HHS, for example, may not be able to penalize a cloud service provider overseas the same way they might be able to do so for a US-based cloud service provider. And doesn't mean that there's not some other foreign government that would potentially penalize a cloud service provider overseas for its failures, its compliance problems.
But understand that it's a whole different world in understanding what those laws are and whether you have any recourse with respect to a foreign government's regulation of its businesses. And finally, Adam, aside from some of the topics that we just discussed, is there one top cloud security challenge that you see healthcare sector entities struggling most with right now? I think one big challenge is making sure that only appropriate cloud services are used and they're properly configured. It is so easy for anyone within a workforce to open up a cloud account, which creates this big risk that PHI will go out to a cloud service provider with whom the covered entity does not have a business assistance agreement and does not manage as part of the compliance program.
Cloud services offer potentially greater information security than might be available in-house. This is something that they specialize in and many of them are very good at. But understanding how your workforce is using cloud service providers and making sure it's properly managed is a very significant challenge for the healthcare industry. Thanks, Adam.
I've been speaking to attorney Adam Green. I'm Mary Ann Kobzak-McGee of Information Security Media Group. Thanks for listening.