Comments on "Dispatch from the Digital Health Frontier: The Reality of SaaS"
Blog author: John Halamka (http://www.blogger.com/profile/04550236129132159307)
Comment feed last updated: 2024-03-27

Comment by Anonymous, 2013-04-02:

As it relates to cloud computing (IaaS, SaaS, etc.), it really is a "devil is in the details" kind of situation. Covered Entities need to fully understand what they're becoming involved with and do a proper assessment. Don't just take the sales rep's word. As a security professional in the healthcare industry, I know how CEs struggle with the Risk Assessment process. If that's a challenge, assessing a cloud provider is even more challenging. Keep in mind, you need to not only evaluate the service, but where the data may be replicated for redundancy, who has potential access to your data, and a whole other myriad of issues. HIPAA enforcement outside of the US is legally problematic, and many cloud service organizations utilize off-shore entities and locations. The Final Rule really should draw some attention to this. Not trying to say cloud services can't be HIPAA compliant, but do a deep dive into the details of the service before you consider using the cloud. The BAA is only a fraction of what needs to be evaluated.

Comment by Anonymous (https://www.blogger.com/profile/06497236599261596143), 2013-03-29:

I am responsible for the Dell Healthcare Cloud and have great interest in this topic. The last mile, indemnification, BAA, security and privacy points that you make are all very real and require specific responses.

We deliver ambulatory and provider ISV systems as a service to tens of thousands of end users as part of our service offering. We conduct audits around the HIPAA and FIPS requirements, as well as guidelines, and have implemented recommendations. I would welcome more dialog if you and/or the audience of readers were interested. Topics of conversation could be the BAA and contracting process with specific mention of indemnification and limits on liability, SecureWorks acquisition integration into cloud offerings, network architecture for providing Dell ISP services, and architectures associated with privacy options. I am based in the Boston area and would love to discuss face to face, formally or informally. #IWork4Dell

Comment by Chris Grant (http://www.labrat.com), 2013-03-27:

Can I ask what your BAA review/approval process was like with the vendor? Or have you found ways to reduce the impact to the vendor of the compliance obligations?