Seeing an opportunity to make workflow more efficient, residents and physicians-in-training at Oregon Health & Science University started using cloud-computing service Google Drive to keep everyone up to date on patient information. After a faculty member discovered the staff was using the cloud service, the university launched an investigation, and it found that Drive documents held health data from 3,044 of its patients.
Although Google Drive is password protected and has security measures in place, the university did not have a contract agreement with the cloud provider to use or store OHSU patient health information. By disclosing patient information in the cloud, the university violated the Health Insurance Portability and Accountability Act, which requires doctors to keep patient information private and secure.
While OHSU’s chief information security officer did not believe the incident would result in identity theft or financial harm, Google Drive’s terms of service note that data can be used to promote or improve its services. OHSU could not confirm with Google if the health information had been used for those purposes. If it was, that use would compromise a patient’s right to privacy under HIPAA.
With stories like this in mind, companies considering working with cloud-computing services should do their due diligence on potential cloud providers and negotiate a contract that ensures the provider will offer them a reasonable level of security.
Security, protections and benchmarks should be top priorities when negotiating a contract with a cloud provider, say experts. If companies have to comply with HIPAA, they should impose the same obligations on the cloud-service provider in the contract. Don’t sign the contract if a provider can’t agree to those terms, warns Joe Rosenbaum, partner and global chair of the advertising, technology, and media law practice at Reed Smith LLP.
To protect data, companies might consider working with providers who offer data-backup services. Because cloud-service providers have a large amount of storage capability, it’s not uncommon for them to offer backup services for an additional cost. Before the backup service is included in the contract, however, a customer should ask the right questions. (Can the company retrieve the backup copy at any time? How often is the information backed up? Is it backed up in real time?)
If a company does not use the backup services of the provider, then the provider may add a provision in the contract that states the company is responsible for backing up its own data.
Once both parties work out the details and sign the contract, who is liable if there is an information breach? Ultimately, the answer comes down to what is in the contract and what the law says, explains Rosenbaum.
As a matter of law, there are compliance and security standards that cloud providers and customers are required to follow. Specifically, if a cloud-service provider fails to comply with the law or regulatory requirements, one or more federal and state agencies have the right to investigate and enforce laws, “even if technically the cloud provider didn’t breach the terms of its contract with the customer,” Rosenbaum says.
For example, if a cloud provider is marketing services to health-care providers, it knows compliance obligations require patients’ records to be kept confidential. If a data breach violates HIPAA, the company may not have the grounds to sue the provider if they did not include HIPAA regulations in the contract, but federal and state agencies would likely take up the case, Rosenbaum says.
Still, if companies don’t manage their cloud risks, they might end up paying more in damages than in monthly fees, Rosenbaum says. With this in mind, a company should never “blindly sign” a contract, he says.