The CSA Birds of a Feather session for the Healthcare Information Management (HIM) working group was well attended, with approximately 30 people present. The session started with a short PowerPoint discussing some of the issues confronting healthcare organizations moving to the cloud.
The discussion within the group following the PowerPoint was primarily focused on regulatory compliance. Specifically, two issues were raised. The first was how to overcome differing requirements across jurisdictions. The European Union's General Data Protection Regulation (GDPR) has clear-cut requirements that must be met wherever an EU data subject's data is stored, processed, or transmitted. Some other countries do not impose the same requirements, which means EU companies cannot do business with cloud providers that store data in those countries. Additionally, we discussed the possibility of US regulation being enacted to allow EU companies to use US cloud services.
The second issue was how we, as cloud consumers, can ensure our data is secure in the cloud. Currently, we are limited primarily to third-party attestation and self-attestation as a means of checking a provider's security posture. For attestation, the SOC 2 Type 2 report, CSA STAR, and FedRAMP were discussed. One interesting observation was the number of participants from countries outside of the US, illustrating the global concern about healthcare and its march to the cloud.
Attached is a copy of the PowerPoint used to present some of the unique challenges faced by healthcare organizations moving to the cloud.