HIPAA Puts Cloud Providers on the Hook for Data Breaches – FISMA Next?
May 17th, 2012 by Brian Boyko, Technology Humorist and Blog Overlord
Medical data is in a class of its own. It’s one of the things that is absolutely crucial to keep secure because of the potential impact that a breach could have on people who had no control over the security of the data. If a company loses its own financial data, it suffers the consequences. However, if that company loses health data, innocent people suffer the consequences.
If someone gets my bank account number because my bank password is “password,” shame on me. But I have no ability to harden the laptops at my doctor’s office, or to patch the databases at my health insurance company. Yet if my data were to be leaked, you would find all sorts of embarrassing secrets – which can be used against me when considering employment or relationships. I mean, everyone knows I’m kind of crazy, but it’s not like I want them to know my exact diagnosis. I swear, half the things my shrink writes about me are exaggerated, anyway.
There are some upcoming changes in U.S. information security law to protect my health files, even those that are floating somewhere in the cloud. Many don’t know this, but cloud hosting services that have healthcare organizations as clients will be liable for data breaches under the Health Insurance Portability and Accountability Act (HIPAA).
Precognition is not one of my medical conditions, as far as I know, but I do see this: The Federal Information Security Amendments Act (FISMA) could be next to focus on service providers’ liability. Current law requires only periodic testing and evaluation, but a bill to update FISMA that has passed the House and is expected to become law will require federal agencies to implement automated and continuous monitoring to prevent data breaches and to mitigate the effects of breaches. Presumably, any service provider that supplies federal agencies – including cloud service providers – would be impacted by FISMA updates, which would require a federal agency to automatically notify appropriate security authorities to report security incidents in real time.
Rather disturbingly, fewer than half of federal IT pros say that their cloud service providers are fully compliant with the existing FISMA, according to the Center for Regulatory Effectiveness.
“Almost half of the IT workers surveyed believe that insider threats and vulnerabilities were more prominent in the cloud than in on-premises environments – more than believe that unauthorized public disclosure was more likely in the cloud. In all, 54% say it is either very likely or likely that their organizations will suffer a security breach over the next year due to an insecure cloud provider.”
To find out more about continuous monitoring, you can check out our whitepaper, The Need for IT Operations Management and Continuous Monitoring.