Jeb Molony

It seems that every professional practice is now looking at cloud-based solutions for its next IT expenditure, but many practice owners do not know where to begin when researching their choices. Professional practices face more scrutiny than other businesses because third-party regulators provide additional oversight of their actions. For instance, attorneys are scrutinized by the American Bar Association (ABA), accountants must comply with Sarbanes-Oxley security standards, and doctors must remain compliant with HIPAA. The additional regulation provided by these agencies can carry severe consequences for non-compliance in the form of fines, reprimands, or suspension of licenses to practice. Unfortunately, there is no such thing as an IT system that is 100% secure. Clouds will be broken into, computers will be stolen, and phones will be lost. However, despite the risks, the benefits far outweigh the threats, and in-house servers will become obsolete, so the question is how a professional practice manages the move.

First, understand that continuing to manage IT in-house on private servers will become too expensive to maintain without falling behind competitors. The problem with in-house infrastructure is that the world moves much faster and is far more mobile than in-house equipment is prepared to handle. As a professional practice, the goal is to provide employees with data, and access to that data, in a secure environment so that the employees can be productive. The issue is that in order to give employees access to the data on the local server from a mobile device, the server must be opened to the internet, which makes it vulnerable to attacks, viruses, and all of the other security threats the internet poses. If a practice opens its servers to the internet, it has effectively taken on all of the security risks of cloud computing and internalized the costs, which will include security hardware, software, and increased IT personnel to monitor the servers. Eventually every practice reaches a breakeven point at which it is cost effective to outsource the infrastructure, security, and maintenance to a third party known as a host.

A host is a third party who provides a secure server environment for the end user (in this case the professional practice) to store its applications and data. The host then maintains the security compliance, the hardware, and the software required to operate the servers. The host will also handle data backup and redundancy, which, despite popular belief, are two separate issues. For a professional practice, the most important document in the hosting relationship is the End User License Agreement (EULA). This contract essentially defines the relationship between the third-party vendor and the professional practice. Pay very close attention to the terms of these contracts, including guaranteed uptime, disaster recovery policies, the policy for handling data if the host goes out of business, and data storage and backup. The most important issue for professional practices is being able to show a regulatory agency that they complied with best industry practices if a problem occurs.

The reason complying with best industry practices is the appropriate standard is that industry standards are typically moving targets. Regulatory agencies tend to be reactive, so the rules and regulations are based upon past instances when problems occurred. Because the regulations are reactive, it is often difficult to set a corporate policy and leave it in place. HIPAA is one of the toughest moving targets, and with the changes to electronic storage requirements it is currently even more difficult. Any practice should research its industry guidelines for data storage and then look for hosting partners who have completed, and regularly maintain, audits for compliance with those regulatory guidelines. A hosting partner will gladly provide audit certificates in order to prove its compliance. The hosts provide the data storage component of the cloud environment and are the first step to becoming compliant, but the majority of data interaction occurs outside of the hosting environment.

Professional practices must remember that data storage is only the beginning of cloud computing. The real compliance issues begin after the data leaves the data center and is accessed by an employee. The majority of regulatory issues are not caused by third-party attacks, but rather by an employee's actions. Employees must have access to the company data in order to do their job properly. The employer's job is to provide employees with only the data they need and to control the access points in order to best limit the practice's exposure to employees' actions. For instance, if a company has multiple parties in the bookkeeping process, it is the employer's job to grant each of them access to only the areas of the bookkeeping data that employee needs and nothing more. Personal information of employees and others may be stored in the bookkeeping software, so an employer must be careful about who can access this data. Creating a cloud environment where access is controlled and data is secure gives a professional the best argument for maintaining compliance, but there is also the issue of transferring data.
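As an added example (not code from the original post), the following Python models the least-privilege bookkeeping access the paragraph describes: each role is granted only the data areas it needs, anything not granted is denied by default, every decision is written to an audit trail the practice can later show a regulator, and a review function lists who can reach the areas that hold personal information. The roles, data areas and user names are constructed for illustration and are not from any real bookkeeping product.

```python
"""Least-privilege access to bookkeeping data with an audit trail.

Added example, not from the original post. The roles, data areas and
users below are constructed; a real practice would map them onto its
own bookkeeping system.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Data areas in a hypothetical bookkeeping system. Areas holding personal
# information are flagged so access to them can be reviewed separately.
AREAS = {
    "invoices": {"pii": False},
    "expenses": {"pii": False},
    "payroll": {"pii": True},        # employee names, salaries, bank details
    "client_ledger": {"pii": True},  # client names and account balances
}

# Role -> set of (area, action) grants. Anything not listed here is denied.
ROLE_GRANTS = {
    "ap_clerk": {("invoices", "read"), ("invoices", "write"), ("expenses", "read")},
    "payroll_admin": {("payroll", "read"), ("payroll", "write")},
    "bookkeeper": {("invoices", "read"), ("expenses", "read"),
                   ("expenses", "write"), ("client_ledger", "read")},
    "partner": {(area, "read") for area in AREAS},  # read-only oversight
}


@dataclass
class AuditEntry:
    when: str
    user: str
    role: str
    area: str
    action: str
    allowed: bool


@dataclass
class AccessPolicy:
    assignments: dict                 # user -> role (one role per user)
    audit_log: list = field(default_factory=list)

    def is_allowed(self, user, area, action):
        """Deny-by-default check; every decision is recorded, allowed or not."""
        role = self.assignments.get(user)
        allowed = (
            role is not None
            and area in AREAS
            and (area, action) in ROLE_GRANTS.get(role, set())
        )
        self.audit_log.append(AuditEntry(
            datetime.now(timezone.utc).isoformat(),
            user, role or "<unassigned>", area, action, allowed,
        ))
        return allowed

    def denied_attempts(self):
        """Denied decisions, the first thing to review when something goes wrong."""
        return [e for e in self.audit_log if not e.allowed]

    def users_with_pii_access(self):
        """Users whose role can read any PII-flagged area; review this list regularly."""
        result = set()
        for user, role in self.assignments.items():
            for area, action in ROLE_GRANTS.get(role, set()):
                if action == "read" and AREAS[area]["pii"]:
                    result.add(user)
        return sorted(result)


if __name__ == "__main__":
    policy = AccessPolicy({"alice": "ap_clerk", "bob": "payroll_admin", "carol": "partner"})
    print("alice writes invoices:", policy.is_allowed("alice", "invoices", "write"))
    print("alice reads payroll:  ", policy.is_allowed("alice", "payroll", "read"))
    print("users with PII access:", policy.users_with_pii_access())
    for entry in policy.denied_attempts():
        print("DENIED", entry.user, entry.area, entry.action)
```

The audit log is what turns "we limited access" into something demonstrable: a reviewer can see that the accounts payable clerk never had, and never obtained, payroll access, and the PII review answers the paragraph's question of who can reach personal data stored in the bookkeeping software.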

Data is transferred through email, secure portals, thumb drives, CDs, and many other ways. Every practice should have a corporate policy which dictates the guidelines to employees for interacting with, storing, and transferring data. Two of the most important aspects to consider are email and mobile devices. Email is not necessarily compliant with regulatory guidelines, especially free email. For instance, Google's policy of crawling and logging email data for marketing purposes presents a clear conflict for most professionals. Another common issue is that some email is compliant as long as it is inter-office, but loses its security when it interacts with email not generated inside the practice. The second major issue is mobile devices. When phones and tablets are used to access data, the data may be stored on the local device, so if the device is stolen, or if the device permits external storage cards that can be removed, the data storage policy may become non-compliant. Professional practices should consider devices and systems which can be remotely wiped of all data if the device is stolen or lost. In addition, employees should be required to use passwords and change them regularly. The interaction with data outside of the hosting environment is the most difficult to control and is more of an issue for regulatory compliance than the actual data storage.

Professional practices have a difficult road ahead in converting to a cloud environment because of regulation by third parties. However, the future holds a time when every professional practice will convert to a cloud environment or face competitors with less overhead. The first step is to become educated about the individual industry and its data storage standards. Then look at the applications the practice wishes to use and search for hosting partners for those applications. Carefully select a hosting partner based upon its credentials and the EULA. Select an email hosting partner which is also compliant with the industry standards. Finally, take the time to create a corporate policy for managing data interaction by employees, and integrate this policy into the employee manual. Though this is time consuming, it will ensure that if something goes wrong the practice has a plan for managing the fallout and addressing the issue with the regulatory agency in the best manner possible.
