According to Gartner, only 37% of organizations have an IG (Information Governance) framework capable of adapting to the ever-changing regulatory landscape in terms of data security and privacy. This is somewhat alarming when we take into account that over 60% of companies experience data breaches that could potentially lead to data losses and costly legal issues. The need for a proper IG strategy with strong cloud compliance rises even more if we consider the fact that 90% of organizations that suffer catastrophic data loss scenarios fail to recover within the following year.
The risk of not having a solid IG framework with a strong cloud compliance strategy is even bigger for industries like FinTech, MedTech, and insurance. For example, 80% of MedTech companies suffered a cyber attack over the last five years, while almost a third of attacks target banks or healthcare companies, according to Fintech News.
The need for a strong cloud compliance strategy within the aforementioned industries is rather obvious.
What is Cloud Compliance?
Cloud compliance is among the most critical aspects of using public cloud services, especially in terms of customer data privacy and protection. It makes sure that the cloud computing services you utilize meet the compliance requirements of your customers. It typically involves data transfer, storage, backup, retrieval, and access, as well as ensuring proper security and privacy levels on an infrastructure level.
IT departments usually handle cloud compliance implementation, but it is recommended that other functions and formal departments get involved as well, covering decision-making, monitoring, audits, governance, security, legal, data protection, and risk management.
The tricky part crops up when a business assumes that every public cloud company and service meets all the data privacy and cloud compliance requirements a certain company needs to cover. Compliance-related service offerings vary depending on the industry, as well as geolocation.
Shared Responsibility Model
The shared responsibility model is the standard way of implementing security and compliance in the public cloud: the public cloud provider and the customer share responsibility for implementing security and compliance requirements and controls. The provider is responsible for protecting the infrastructure that runs the cloud, from the virtualisation software and host operating systems down to the physical layer (the hardware, the network and the data-centre facilities). The customer’s responsibility varies with the service they use: for a service categorized as IaaS, it is the customer’s responsibility to protect and manage what they implement on that service; for fully managed services, the customer’s responsibility is to protect their data and to configure IAM.
This model also applies to individual security controls. Some are the sole responsibility of the public cloud provider (physical and environmental controls, for instance), some are a shared responsibility, like patch and configuration management (each party patches and configures the elements under its full control), and some are the sole responsibility of the customer (configuring access controls or encryption, for instance).
Main Cloud Compliance Requirements to Have in Mind
The public cloud landscape involves several different kinds of laws and requirements pertaining to data protection, data localization, data sovereignty, and interception or access to information. Here are some of the most widely spread laws and acts to consider:
Health Insurance Portability and Accountability Act (HIPAA) – includes numerous healthcare laws, guidelines and security protocols for keeping and storing patient health data and confidential information. HIPAA regulations typically apply to healthcare providers, MedTech companies, as well as health insurance organizations.
Payment Card Industry Data Security Standard (PCI DSS) – accounts for industry standards that should ensure the safety of cardholder data, and provides the companies that process/store/transmit payment card information with all the requirements they need to meet in order to achieve compliance.
Gramm-Leach-Bliley Act (GLBA) – refers to organizations offering financial services and/or products (insurance, loans, financial or investment advice) and is designed to safeguard their customers’ confidential information. GLBA mandates financial institutions to explicitly let their consumers know about the ways their data is being managed, processed, and protected.
General Data Protection Regulation (GDPR) – is a privacy and security law drafted and passed by the European Union (EU). It imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU. The purpose of the GDPR is to centralize data security law across all EU members, and it imposes harsh fines against those who violate its privacy and security standards, with penalties reaching into the tens of millions of euros.
California Consumer Privacy Act (CCPA) – applies to California-based for-profit entities that determine the means and purpose of processing consumer data. Insurers that operate in this region and meet certain applicability thresholds are subject to a number of obligations, including requirements related to disclosure and data rights.
Cloud Compliance Challenges & Tips: FinTech Industry
FinTech is among the trickiest industries when it comes to cloud compliance. Depending on the type of financial organization you run – a payment institution, specialized bank, electronic money institution, etc. – you are likely obliged to comply with different security and data privacy regulations, including GDPR, PSD2, PCI DSS, and so on.
The biggest challenge is having an all-encompassing regulatory compliance plan that meets every applicable requirement; otherwise, your company may have major security flaws and face hefty fines.
Aside from various industry-specific regulations like FISMA, Sarbanes–Oxley Act, PCI DSS, and similar policies, it is strongly recommended that you adhere to other general categories and main tenets of FinTech security and compliance, including:
- Building and maintaining a strong internal network
- Protecting customer data
- Managing vulnerabilities
- Having a strong disaster recovery plan
- Implementing access control
- Having a robust IT security and IG policy in place
- Implementing visibility and traffic analysis
- Upgrading email security
- Improving cloud compliance awareness among your clients and customers
Since the FinTech industry is complex enough as it is, it is a good idea to keep your cloud compliance plan as parsimonious as possible: adhere to all the necessary laws and regulations while implementing a minimal number of complex products, solutions, and strategies. Aim for a smaller number of security and compliance solutions from a narrower range of providers, so that the number of interdependencies your organization faces stays minimal.
Cloud Compliance Challenges & Tips: MedTech & Healthcare Industry
Those operating within the MedTech industry know that not all cloud vendors, services and solutions are created equal, nor are they all designed with MedTech-focused cloud compliance in mind. One of the biggest concerns for medical industry organizations is carefully managing both the physical and logical security of their infrastructure. It is also crucial to implement all the necessary data protection and security protocols that properly cover the full lifecycle of protected health information (PHI).
The good thing about cloud-based solutions is that most A-list cloud vendors are HIPAA compliant and are also willing to address and discuss the ways their solutions comply with HIPAA regulations. The concern, however, is that not all cloud vendors that claim to be HIPAA compliant cover all cloud compliance aspects and solutions that your healthcare organization may require.
Bear in mind that cloud solutions often come with third-party features and tools developed by other vendors that have nothing to do with your primary cloud vendor’s HIPAA compliance. This requires more in-depth research on your part, since software applications are not necessarily HIPAA compliant (nor are they required to be), as only organizations can be HIPAA compliant.
Here’s a list of quick data protection best practices for healthcare organizations:
- Properly educate your healthcare staff
- Manage access restrictions for data and applications
- Implement data usage controls
- Log and monitor the use of data and applications
- Have a strong data encryption plan
- Take care of mobile device security
- Mitigate the risks related to connected devices
- Conduct regular risk assessments
- Utilize off-site data backup
- Carefully evaluate the compliance of business associates
- Carefully evaluate the compliance of third-party cloud solutions
It is also important to note that HIPAA and GDPR often overlap in terms of cloud compliance, while each also covers aspects of regulatory compliance that the other does not.
Cloud Compliance Challenges & Tips: Insurance Industry
As is the case with the healthcare and FinTech industries, insurance businesses must make sure their data security and privacy strategies are clear and tight. They should take all the necessary steps to convince both regulatory authorities and their clients that proper protocols are in place.
The problem, again, occurs when an organization leaves all cloud compliance tasks to the cloud provider. As we mentioned before, not all cloud vendors cover each and every aspect of regulatory compliance, especially not across all industries and niches. As insurance organizations deal with personally identifiable information (PII), it is vital for them to comply with all relevant compliance guidelines, from HIPAA, CCPA and PCI DSS to SOC 2.
Another concern is determining how and where data rights obligations overlap across these cloud compliance guidelines and laws. For example, a California-based insurance company should review which CCPA guidelines it must follow, and even though it may be exempt from fulfilling certain CCPA requests, the company is still obligated to comply with certain data rights ensured by HIPAA, CalFIPA, GLBA, CCMIA, etc. Additionally, these insurers are likely to face obligations to fulfil access/correction/deletion rights under state laws beyond California’s. This is why it is critical for them to implement an all-encompassing method to track, respond to and comply with all the necessary laws and requests across the entire ecosystem of state law requirements (not just CCPA).
Here’s a list of quick cloud compliance tips for insurance companies:
- Get to know all your data by identifying and classifying types of data (personal data, sensitive data, etc)
- Automate data management (discovery, identification, mapping) of all your PI and SPI, and have a firm grasp of where your data resides (on-prem, in the cloud, within a hybrid infrastructure, etc)
- Tag and label data according to various regulations that apply to insurance companies
- Define and highlight the data that is vulnerable, overexposed, and high-risk
- Have an effective breach response and notifications plan in place by determining which users have been impacted, and simplify incident response
- Take care of data retention in an optimal yet compliant manner by automating workflows, uncovering duplicates, recognizing derivatives, etc (for improved data privacy, governance, and effective reporting)
- Automate manual fulfillment of individual data access and deletion requests
- Have a detection system in place for spotting out-of-policy, cross-border data transfers by monitoring company-wide data usage, access, and/or transfer violations (for immediate action)
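One concrete form of the detection control in the last tip, as an added example that is not part of the original article: a small Python detector that reads constructed transfer log lines and flags moves of regulation-tagged data into a cloud region outside a hypothetical residency policy. The log format, the tag names, the region sets and the sample events are all assumptions made for this example.

```python
import re

# Hypothetical residency policy (constructed for this example): the cloud
# regions a dataset carrying each regulation tag is allowed to move to.
POLICY = {
    "GDPR": {"eu-west-1", "eu-central-1"},
    "HIPAA": {"us-east-1", "us-west-2"},
    "CCPA": {"us-east-1", "us-west-2"},
}
MOVE_ACTIONS = {"transfer", "replicate"}  # reads in place are not cross-border moves

# Constructed key=value log format; a real platform's audit log would differ.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) dataset=(?P<dataset>\S+) "
    r"tags=(?P<tags>\S*) src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)

def parse(line):
    """Return the event fields as a dict, or None for a malformed line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["tags"] = [t for t in ev["tags"].split(",") if t]
    return ev

def find_violations(lines, policy=POLICY):
    """Return (ts, user, dataset, tag, dst) for every data movement whose
    destination region is outside the allowed set of any tag on the dataset."""
    found = []
    for line in lines:
        ev = parse(line)
        if ev is None or ev["action"] not in MOVE_ACTIONS:
            continue  # malformed or non-moving events are skipped, not fatal
        for tag in ev["tags"]:
            allowed = policy.get(tag)
            if allowed is not None and ev["dst"] not in allowed:
                found.append((ev["ts"], ev["user"], ev["dataset"], tag, ev["dst"]))
    return found

# Constructed sample events, not real data.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z user=alice action=read dataset=claims-eu tags=GDPR src=eu-west-1 dst=eu-west-1",
    "2024-05-01T10:05:00Z user=bob action=transfer dataset=claims-eu tags=GDPR src=eu-west-1 dst=us-east-1",
    "2024-05-01T10:07:00Z user=carol action=replicate dataset=phi-archive tags=HIPAA,CCPA src=us-east-1 dst=us-west-2",
    "2024-05-01T10:09:00Z user=dave action=transfer dataset=marketing tags= src=us-east-1 dst=ap-southeast-1",
    "malformed line that the detector must skip rather than crash on",
]

for ts, user, dataset, tag, dst in find_violations(SAMPLE_LOG):
    print(f"{ts} {user} moved {dataset} ({tag}) to disallowed region {dst}")
```

Only the GDPR-tagged move to us-east-1 is reported; the untagged dataset and the in-region replication pass, and the malformed line is ignored.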
As a closing statement, we would like to point out that companies operating within the aforementioned industries should involve legal, risk management and compliance teams, as well as regulators, when tackling cloud compliance issues and strategies. It is critical to have an experienced and dedicated team of compliance and risk management experts who have a strong understanding of the industry-specific legal landscape and who can anticipate potential roadblocks and challenges in terms of data security, privacy and overall cloud compliance.