
IT governance and risk mitigation approach for private cloud adoption: case study of provincial healthcare provider

Published in: Annals of Telecommunications

Abstract

Cloud computing (CC) has the potential to provide significant benefits to healthcare organizations; however, the security and privacy concerns it raises need to be addressed before it is adopted. It is important to evaluate the risks that arise from CC prior to its adoption in healthcare projects. Failure to evaluate security and privacy concerns could result in regulatory penalties, reputation loss, financial issues, and public loss of confidence in the healthcare provider. This paper uses Alberta’s Privacy Impact Assessment (PIA) requirement and COBIT 5 for Risk as guidance to highlight CC risk assessment areas and presents an IT governance and risk mitigation approach for CC adoption in the healthcare industry. In compliance with Alberta’s Health Information Act (HIA), the risk assessment areas are analyzed against the security triad (confidentiality, integrity, availability), with emphasis on the confidentiality principle because privacy is the main focus. The proposed approach can be used by healthcare providers to mitigate and continuously evaluate CC risks from an IT governance perspective. Although the case study uses Canadian regulations, similar considerations apply in other jurisdictions.


Fig. 1
Fig. 2


Author information

Corresponding author: Sergey Butakov.


Cite this article

Gbadeyan, A., Butakov, S. & Aghili, S. IT governance and risk mitigation approach for private cloud adoption: case study of provincial healthcare provider. Ann. Telecommun. 72, 347–357 (2017). https://doi.org/10.1007/s12243-017-0568-5
