As a proponent of the ISO 27000 series of standards, I was delighted to see the International Organization for Standardization release ISO/IEC 27018:2014 to set a standard specific to cloud data storage. I have always found the ISO 27000 series the easiest way to build a security and compliance program, particularly given its recent trend towards aligning more closely with US standards, including NIST 800-53.
With that in mind, I was drawn to a great blog post written by Hemant Pathak, who outlines his and Microsoft's perspective on how ISO/IEC 27018 impacts cloud providers. Hemant is Microsoft's Assistant General Counsel and Secretary of the Health Care Cloud Coalition (HC³). In the post he covers consent, data control, transparency on data location and subcontractors, accountability and communications, requests for data disclosure, and the need for cloud providers to subject themselves to an annual independent audit.
ISO 27018 continues the International Organization for Standardization's objective of aligning its controls more closely with US regulations such as HIPAA. Where HIPAA has significant gaps with regard to cloud-related controls, ISO 27018 provides a sound foundation for complying with current, and potentially even future, HIPAA regulations.
With organizations like Microsoft looking to proactively align with standards such as ISO 27018, we should not have to look too far for a model to follow as we look to modernize HIPAA regulations in the advent of mobile and cloud.
The Health Care Cloud Coalition (HC³) is a not-for-profit group of stakeholders representing cloud computing, telecommunication, digital health, and healthcare companies in the health care sector. HC³ is working to develop a common framework for how health care laws apply in an increasingly cloud-based ecosystem.