Contributed by Jamie Lam, Data Security Compliance Manager, UCSF School of Medicine

Cloud technology offers many benefits to researchers, such as:

• ease of use,
• rapid deployment, and
• reduced costs.

At the same time, there are also some hidden implications to using a cloud service provider, including security obligations that may not be well understood.

While a well-designed cloud computing system can be safer than traditional client-server systems, when you are considering a cloud service, you must understand the benefits and risks, as well as your responsibilities in keeping sensitive data secure.

A couple of important points:

1) UC has standard contracts used with providers that protect our institutions’ security and assets. You should always work with procurement so they can ensure that the appropriate agreement is in place.

2) If disruption to services will negatively impact your research or operations, you should negotiate a Service Level Agreement (SLA) based on your needs.

However, don’t just rely on the signed contracts – you should always vet the vendors to confirm that they really are protecting our patients and our reputation.

UCSF has many resources to help you select the right vendor and ensure that your application and sensitive data are secure:

• Security Risk Assessment service: The security risk assessment helps you measure the security of your system and meet compliance requirements. The School of Medicine Data Security Compliance Program can help walk you through the assessment process.
• If you don’t have your vendor selected yet and need some help identifying a minimal viable product with a budget and plan? The School of Medicine Information Service Unit (SOM ISU) can help.

Interested in understanding more about Cloud Services and their benefits and risks? Take a look at this presentation by the School of Medicine Data Security Compliance Program: Securing Data in the Cloud