The evaluation process covers everything from compatibility to cost and the quality of customer service, but it also includes a comprehensive risk assessment led by the health system’s CISO.
“Any vendor we’re potentially going to use must go through that assessment,” Meadows says. “We ask them about everything — their security infrastructure, their policy and procedure management, how they segment their networks — and then, based on their response, we can determine whether they’re a good fit or not.”
Cook Children’s also relies on a third-party system that allows it to check whether a particular vendor has experienced significant security issues in the past. “If it has an A rating, we know it’s in good shape, but if we start seeing C’s and D’s and F’s, then that’s probably not a risk we’re going to take,” Meadows says.
For the services that do meet their requirements, Meadows says, the organization bolsters its security posture further by reserving the right to conduct audits of the vendor’s environment and by planning for possible worst-case scenarios. If Cook Children’s will be relying on a cloud company for data backup and recovery, for example, it insists on a legal agreement detailing how that process will take place. The organization also ensures that if anything goes wrong (say the vendor is hacked and goes offline), it’s prepared to manage solo.
“Probably the biggest risk we have is that something happens with a cloud-based system, and we can’t run the business,” Meadows says. She points to the Kronos outage in late 2021, when a ransomware attack left some healthcare organizations without functional payroll systems. “We always have a good contingency plan, so we know what to do in a situation like that.”
The Importance of Knowing Your Cloud Service Provider
As organizations migrate to the cloud for everything from electronic health record (EHR) hosting to enterprise resource management, many have come to the same conclusion as Meadows and her team at Cook Children’s.
“They’re recognizing that they can look to cloud service providers to improve IT security in ways they simply can’t on their own,” says Lynne Dunbrack, group vice president with IDC. “At the same time, they’re also realizing that moving to the cloud doesn’t solve everything.”
Dunbrack says that over the past several years, IDC has surveyed organizations to get a sense of the benefits they’ve experienced on their cloud journeys and found that many IT leaders said better security topped the list.
“Healthcare organizations must understand exactly how that cloud service is being provided,” Dunbrack says. “Where will your data be stored? Is it complying with HIPAA? Does it offer a business associate agreement?”
It’s also critical to do due diligence on the cloud service provider’s subcontractors, Dunbrack says. “With a BAA, the vendor is on the hook if something happens, but it’s also your brand reputation that’s at stake, as well as your ability to continue caring for patients.”
That’s good advice, Meadows says, adding that she keeps in mind that the cloud can’t do everything. “It’s right for certain things, but you have to figure out what those areas are. It needs to be a business- and risk-driven decision.”