Applied Cloud Computing Security

Lessons from the trenches of clinical development technology.

By Glenn Watt

January 20, 2010 | Guest Commentary | As the health care industry marches toward cloud computing, major questions remain in the areas of security, data privacy, regulatory compliance and the reliability of the cloud computing model. Complex eClinical business applications, combining a veritable alphabet soup of systems such as EDC, EHR, IVRS and eDiary at disparate locations, can be quickly cobbled together using web services. The memory they need is requested, allocated and used from a multitude of remote servers that are part of the public cloud federation.

Public Cloud Regulation
Public cloud regulation is in its infancy. The “Open Cloud Manifesto” is one example of work that has been done to address regulation; however, it only initiated a dialogue on what such a guidance document should contain. Data privacy was discussed, but issues of regulatory concern to the health care industry were absent. There are multiple and complex privacy and confidentiality issues that affect the regulatory requirements of public cloud computing participants.

For example, the location of information in the cloud affects the privacy and confidentiality of that information and the obligations of data processors and controllers. Information in the cloud may have more than one legal location at the same time, with differing legal consequences. A customer’s privacy and confidentiality risks vary significantly with the terms of service and privacy policy established by the cloud provider. The discovery process in a legal proceeding could be challenging. Derivative use of information by the cloud provider could violate data privacy laws or the original owner’s contracts. Operational intelligence could be obtained by a cloud provider from the transactional information. Cloud information eventually ends up on one or more physical machines located in a specific country, and that stored information could be subject to the laws of the country where the physical machine resides.

Recommendations
Since the regulations always trail technology, and the application of old regulations to new technology can be unpredictable, it is incumbent upon the cloud consumer to perform the necessary due diligence in selecting and operating within a public cloud environment.

1. Make sure you have a firm understanding of who can access personal health information. If, for example, system administrators can access and change data, they may be subject to data privacy regulations as a data processor or even a data controller. Determine the quality of the background checks performed on the people who administer these systems. The best situation is one where your software is abstracted from the cloud and the cloud provider cannot see anything.

2. Determine if the service provider complies with applicable regulation. Examine any certifications like a SAS 70 Type II, FISMA, and HIPAA. In addition, providers should be conversant in FDA regulations like CFR Part 11, European regulations like EU 95/46, and Asian regulations like PIPA and be able to demonstrate compliance.

3. Evaluate whether the provider is flexible enough to adapt to new regulations. Regulations change frequently, and a good cloud provider should have a process in place to stay current and implement changes as needed, in a planned and tested manner.

4. Conduct a pre-contract audit. Many cloud providers are unfamiliar with regulatory audits, so expect some resistance to this request. This is where patience and diligence pay off. In many cases it will require educating the cloud provider about the process and why it’s necessary.

5. Set your own security policy. Even though the cloud provider will have its own physical and logical security policy for its servers, you should be able to supplement it with your own controls. A cloud provider should allow you to enable your own specific firewall rules.

6. Study the cloud provider’s terms of service. This seems obvious, but when it comes to using a cloud provider, think about how far cloud computing technology is ahead of the regulations, especially in the area of data privacy.

7. Understand the data backup process. Even in a cloud, data needs to be backed up. This may be performed non-traditionally, and that’s acceptable as long as it’s performed in a systematic, repeatable and compliant manner.

8. Encrypt as much of the data as possible. Databases and the queries sent to them are usually unencrypted plain text, allowing anyone with access to the database to view the information in them. In a cloud computing environment, as much of the database as possible should be encrypted. A new homomorphic encryption scheme proposed by IBM may be a signpost to the future. The homomorphic approach would allow encrypted data to be searched, sorted and processed. Many of the confidentiality and privacy issues in cloud computing would disappear with this kind of capability.
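As an added illustration of item 8 (example code written for this page, not Medidata’s or the author’s), the application encrypts each PHI field with AES-GCM before it is written to the cloud-hosted database and keeps the keys itself, so the provider’s administrators see only ciphertext; an HMAC “blind index” stored beside each ciphertext lets equality queries still work, a practical stand-in for the searchable-encryption capability the homomorphic scheme promises. The FieldCipher type, the key values in the comments and the subject_idx column name are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// FieldCipher lives in the sponsor's application; the cloud provider never holds its keys.
type FieldCipher struct {
	aead     cipher.AEAD
	indexKey []byte
}
// NewFieldCipher takes a 32-byte AES-256 data key and a separate HMAC key for the blind index.
func NewFieldCipher(dataKey, indexKey []byte) (*FieldCipher, error) {
	block, err := aes.NewCipher(dataKey) // rejects keys that are not 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return &FieldCipher{aead: aead, indexKey: indexKey}, nil
}

// Encrypt seals one PHI field with AES-256-GCM, nonce prepended; only this blob reaches the database.
func (c *FieldCipher) Encrypt(plaintext []byte) ([]byte, error) {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return c.aead.Seal(nonce, nonce, plaintext, nil), nil
}
// Decrypt reverses Encrypt; a modified row fails the GCM tag check instead of being returned.
func (c *FieldCipher) Decrypt(blob []byte) ([]byte, error) {
	n := c.aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("ciphertext too short")
	}
	return c.aead.Open(nil, blob[:n], blob[n:], nil)
}
// BlindIndex is HMAC-SHA256 of the value, kept in its own column (subject_idx) so equality lookups work over ciphertext.
func (c *FieldCipher) BlindIndex(value string) string {
	mac := hmac.New(sha256.New, c.indexKey)
	mac.Write([]byte(value))
	return hex.EncodeToString(mac.Sum(nil))
}
```

A query such as `WHERE subject_idx = ?` is issued with `BlindIndex(value)` as the parameter, so neither the value nor the data key ever leaves the application.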

Public cloud computing is a promising new technology, but one that must be managed and controlled. If you ask the right questions and push for the proper controls, it can be a cost-effective tool in your information technology arsenal, used to facilitate business operations involving health care data, disaster recovery, finance and research.

Glenn Watt is VP of information security and privacy at Medidata Solutions. He can be reached at gwatt@mdsol.com.


This article also appeared in the January-February 2010 issue of Bio-IT World Magazine.