One of the more interesting panel discussions at the IDC Cloud Computing Forum on Feb 18th in San Francisco was about managing the complexities of security, privacy and compliance in the Cloud. The simple answer, according to panelists Carolyn Lawson, CIO of California Public Utilities Commission, and Michael Mucha, CISO of Stanford Hospital and Clinics, is "it ain't easy!"
"Both of us, in government and in health, are on the front lines," Lawson proclaimed. "Article 1 of the California Constitution guarantees an individual's right to privacy and if I violate that I've violated a public trust. That's a level of responsibility that most computer security people don't have to face. If I violate that trust I can end up in jail or hauled before the legislature," she said. "Of course, these days with the turmoil in the legislature," she joked, "the former may be preferable to the latter."
Stanford's Mucha said that his security infrastructure was built on a two-tiered approach using identity management and enterprise access control. Mucha said that the movement to computerize health records nationwide was proceeding in fits and starts, as shown by proposed systems like Microsoft's Health Vault and Google's Personal Health Record. "The key problem is who is going to pay for the computerization of health records. It's not as much of a problem at Stanford as it is at a lot of smaller hospitals, but it's still a huge problem."
Mucha said that, from his perspective, security service providers in the cloud and elsewhere are dealing with a shrinking security perimeter, or fence, which is progressing from filing cabinets, to devices, to files, and finally to the individual. Under the latest Health Insurance Portability and Accountability Act (HIPAA) privacy rules, the individual has certain rights, including rights to access and amend their health information and to obtain a record of when and why their Protected Health Information (PHI) record has been shared with others for certain purposes.
CPUC's Lawson said that, at a minimum, cloud service providers should adhere to what are commonly known as SAS 70 rules from the American Institute of Certified Public Accountants, which define the professional standards used by a service auditor to assess the internal controls of a service organization and issue a service auditor's report. Examples of service organizations that need to do this are insurance and medical claims processors, trust companies, managed security providers, credit processing organizations and clearinghouses, hosted data centers, application service providers (ASPs) and cloud service providers.
Lawson brought up a challenging example of how privacy mores, which are norms or customs, have changed over time. "Ten or fifteen years ago," she explained, "the fact that someone was pregnant was often a closely-guarded secret. Now, that kind of thing is out in the open and discussed on TV and in magazines. Which makes for an interesting exercise, if you're trying to design a privacy profile for someone over many years." Mucha said one possible solution to this problem might be the notion of "security following the data," with individuals having the right to redact or revise their data, which could potentially create a huge problem for both government and health care workers.