1 Cloud Computing Contracts Top Issues for Healthcare Providers North Carolina Bar Association Health Law Section Annual Meeting NC Bar Center Cary, North Carolina April 23, 2015 Presenters Kathryn Brucks, Director, Information Security, Lexington Medical Center, West Columbia, SC Stephen R. Hunting, Parker Poe Adams & Bernstein LLP, Charlotte, NC Parker Poe news is intended to provide information of general interest to the public and is not intended to offer legal advice about specific situations or problems. Parker Poe does not intend to create an attorney-client relationship by offering this information, and anyone s review of the information shall not be deemed to create such a relationship. You should consult a lawyer if you have a legal matter requiring attention.
2 Table of Contents Page 1. Summary Overview Cloud Use Security Privacy Functions Availability Performance Location Services Continuity Remedies... 8 Attached Example Service Level Agreement
3 1. Summary An increasing number of hospitals and other health care providers are outsourcing the hosting and maintenance of software applications, the storage of data and related support services. Outsourcing can provide cost savings, rapid deployment, system scalability, other efficiencies and appropriate data security. It also introduces additional issues into the provider s risk management analysis, largely based on the fact that a third party rather than the provider has possession and control of vital and sensitive assets and information. This paper identifies top issues for a provider to address in deciding whether to outsource a particular application and on what terms and conditions it will do so. 2. Overview No business decision or activity is risk free. As a result, this paper addresses risk management, not risk elimination. Risk management is a balancing process based on the particular facts and circumstances. For example, a provider may be less concerned about its inability to access and use productively for a day or two its web-based job application submission portal than its electronic health record application. Not all risks are the same, and a provider will likely devote more attention and resources to managing its greatest risks. Risk management is a team sport. Effective risk management requires the participation and interaction of representatives of the intended user group, financial analysts, compliance officers, information technology and data security experts, and legal counsel experienced in advising on and negotiating the particular type of contract. The final form of the contract will not be perfect. Almost always, the parties start the negotiation process with the vendor s standard contract. Almost always, it is a one-sided document designed to protect the vendor s interests vigorously. The key is to determine on what issues to focus in light of the particular facts and circumstances, including the reputation and financial strength of the vendor, the results of the provider s inquiries to other users of the software or service and other due diligence, the importance of the application and the impact of its unavailability or failure to perform properly or effectively, and the provider s ability to transition to another vendor or solution quickly if necessary. Start early. A provider will be in a much better position to manage its risks if it discusses key risk management and contract issues with the potential vendors for a project up front in the RFP stage. This lets each vendor know what is important to its potential customer and that its inability to meet its potential customer s needs may result in its loss of the business. Reviewing the vendor s form contract for the first time when you have completed the selection process and are under pressure to sign and start work on the project unnecessarily reduces the effectiveness of your risk management process and gives additional leverage to the vendor. Have a plan. Before you start your next outsourcing project, develop a checklist of items that are important to you, including due diligence items you will want to review and provisions you will want any contract to include. Customize your checklist for the particular project. Then include the checklist in your RFP or other early investigation document and ask each potential vendor to respond to it. You will have greater leverage in this early stage of the sales cycle.
4 3. Cloud All Clouds Are Not The Same The following National Institute of Standards and Technology ( NIST ) publication provides some definitions and an overview of cloud computing models: NIST Definition of Cloud Computing The most common model healthcare providers use, and the one on which this paper focuses, is the software as a service (SaaS) model. This involves the software the healthcare provider uses, and the provider s data being located on, computer servers owned and operated by one or more third parties. Other helpful resources include: NIST Guidelines on Security and Privacy in Public Cloud Computing ( ) ISACA, Cloud Computing: Business Benefits with Security, Governance and Assurance Perspectives, Computing-Business-Benefits-With-Security-Governance-and-Assurance-Perspective.aspx ISACA, Guiding Principles for Cloud Computing Adoption and Use, Principles-for-Cloud-Computing-Adoption-and-Use.aspx Private, Community or Public Cloud? A provider should know how its data will be stored by the cloud service provider. Will the data stored on a separate computer server (an isolated instance) or will it be intermingled with the data of others on the same server (multi-tenancy or resource pooling)? Many cloud databases are created under a single instance, meaning that each provider s data is comingled and is simply tagged with a subscriber identifier. A small error in this tagging could result in your data being exposed to unauthorized persons. 4. Use Many cloud service agreements will limit those who may access and use the software to employees of the healthcare provider which is a party to the contract. Those agreements typically allow those permitted users to access and use the software solely for the benefit of that contract party. The provider should consider expanding the latter group to include affiliates of the provider and expanding permitted users to include employees and independent contractors and consultants of the provider and its affiliates.
5 5. Security Control Assurances Consider requiring the vendor to provide appropriate third party assessments of the design and implementation of the vendor s application and network security protocols. The principal third party assessments are Service Organization Control (SOC) reports pursuant to Statement on Standards for Attestation Engagements 16 published by the Auditing Standards Board of the American Institute of Certified Public Accountants (SSAE 16). See In general, a Type I report involves a review of the vendor s designs but not its actual systems, and a Type II report includes detailed testing of those systems. Many reputable cloud service providers maintain current independent assessments and will provide a copy on request. Among the items these assessments should include are confirmation that the vendor is complying with appropriate security requirements. Those include personnel screening for clearances and responsibilities, well documented policies and procedures that are being followed, regular security awareness training for personnel, appropriate physical and logical access controls for all facilities, and best practices for network configuration and software patch management that the vendor follows. If the initial assessment is satisfactory and you decide to enter into a contract with the vendor, consider having the contract require the vendor to provide a similar assessment annually (or more frequently) during the contract term. The contract should state that if the vendor fails to provide a satisfactory assessment, it will be in breach of the contract, and the provider will be entitled to terminate the contract or to exercise other remedies. Data Encryption Encryption is becoming a de facto control in any organization s security program. Organizations need to obtain contract assurances from the cloud services vendor that all data will be encrypted in transit and at rest, including data residing on backup media, and that the vendor will continue to adhere to industry best practices as they evolve. The vendor should also have in place a solid encryption key management program to prevent the compromise of those keys stores and the data the encryption protects. Once you determine with the vendor what the initial and ongoing requirements will be, include them in the contract. 6. Privacy Confidentiality The contract should provide that the vendor will keep all of the provider s data strictly confidential and that the vendor may only use that data as necessary to provide the contracted services to the provider.
6 Big Data The confidentiality limitations in the contract should expressly apply to de-identified and aggregated data, unless you agree to the contrary in the contract. This is the Big Data era, and every vendor seeks the right to use your data, now and in the future, for some economic gain. While HIPAA may allow the vendor to use certain de-identified and other data, the provider may not want to allow that use or may want to limit it. For more information on de-identification, see If the provider considers allowing the vendor to make independent use of de-identified or other data, possibly for reduced fees or other compensation, the provider should restrict that use in a number of ways. The contract should require (a) that the provider not be identified as one whose data is included in the aggregated database and (b) that the database include data from a minimum number of sources from geographically diverse locations. The provider should also consider the potential for the use by unauthorized persons of data re-identification techniques. For a description of the process of reidentification, see https://epic.org/privacy/reidentification/#process. Transition The contract should document the cloud service vendor s obligations upon contract termination, such as its obligations to return all data in a mutually agreeable format and to destroy all copies of the provider s data on its systems and those of its subcontractors. There are a number of data destruction standards that the contract could specify. For more information on data destruction standards, see The healthcare provider should also revoke all physical and electronic access rights it granted the vendor and discontinue all VPN tunnels that may be in place. Equipment Replacement The vendor s obligation to destroy data should also apply when the vendor replaces or reassigns equipment on which the provider s data is stored. 7. Functions Documentation and Specifications Deciding to access a software application through the internet rather than installing it on a server in your building does not change the need (a) to satisfy yourself that the software has sufficient functions to meet your needs and (b) to make sure the vendor s assurances about the functions the software has are stated in the contract. A typical provision in the cloud services agreement and the associated service level agreement states that the software will perform all of the
7 functions described in the vendor s user and technical manuals or other publications. It is important to follow through and review the referenced manuals and publications to ensure they contain full and clear descriptions of the functions the software will perform. In some cases, you may want expand that provision to include functions on an additional list you prepare. E-Discovery and Audit Compliance The provider should ensure the vendor s software and services support the provider s obligations to answer discovery requests in litigation and to comply with its access control and audit obligations under the HIPAA Security Rule. You should be satisfied you will be able to collect and to preserve the data you need. For more information on the HIPAA Security Rule, see 8. Availability A provider should ensure the contract contains a well written service level agreement ( SLA ) that addresses, among other things: uptime guarantees; support services and error escalation; and internet bandwidth. The SLA should establish up-time guarantees with financial consequences for the vendor s failure to comply. An uptime guaranty of % is industry standard for core and critical systems. The definitions and other fine print in the SLA matter. For example: An uptime of 99% equates to 87.6 hours of downtime in a year. Can your business sustain that many hours of outages, particularly if they occur during peak periods of use? What periods of time are excluded from the definition of available? If unscheduled maintenance time or unlimited amounts of scheduled maintenance are excluded from the downtime calculation, an uptime guaranty of % may not be as good as it looks. Over what period of time is the uptime percentage calculated? If it is calculated over a particularly long period of time like a calendar quarter or a six-month period, multiple days or weeks in which the vendor fails to meet the uptime guaranty may be averaged out, resulting in no remedy for the provider. What constitutes downtime? If nothing but complete system unavailability counts as downtime, the vendor will be entitled to count as uptime periods during which material portions of the system are unavailable or not operating within the specifications. Who is responsible for tracking and reporting uptime percentages? Many times the contract states this falls to the provider. Consider making this one of the services the vendor provides. Are the vendor s scheduled maintenance windows satisfactory for your peak hours of operation? Double check the time zone the vendor is using.
8 The healthcare provider should understand the impact of intermediate services like those of an internet service provider ( ISP ). If the transmission of your data is dependent upon a specific ISP, you should determine if the ISP has sufficient infrastructure to support your bandwidth requirements. 9. Performance In addition to availability, you may want the SLA to address performance, the speed with which the system will perform tasks. Work with the vendor to identify toolsets to measure system performance and to specify mutually acceptable minimum performance standards. Identify all points of potential bottlenecks. For example, does all of the traffic run through a single Internet Service Provider? Or, as is preferable, are there multiple paths? 10. Location Regulations and other legal requirements vary between countries. If a provider s data is stored on a server in another country, the provider could be subject to additional or different legal requirements and to the jurisdiction of courts in that country. A provider should consider establishing in the contract limitations on where its data may be stored and processed. Also, a provider should determine whether the vendor will use a third party data center to store or process its data. If it will, the provider should seek to obtain similar assurances from the operator of that data center. 11. Services Help Desk and Error Response The vendor s SLA should include support services that complement the provider s work environment. The SLA should address the vendor s support processes, toolsets and help desk hours of operation. The vendor s processes should also specify a call escalation process and an error classification scheme. An SLA typically classifies errors into three categories (critical, causing problems but working around them, and it can wait until you get to it). Each category has a specified time within which the vendor must respond initially. That period of time is shorter for a critical, or level 1, error. Each category also has a standard for the vendor s efforts to fix the error. For example, a vendor might be required to work 24/7/365 to fix a critical error and only during normal business hours to fix an error in the lowest category. The vendor should not have the sole discretion to classify errors. The SLA should define the categories with sufficient details to make disagreements over classification less likely. Incident Reporting, Handling, and Response A Business Associate Agreement (BAA) normally addresses the vendor s obligation to report to the healthcare provider incidents involving data breaches and unauthorized access of the
9 provider s data. The BAA will also usually state that the healthcare provider will be the one to make any required reports under HIPAA or other laws. The provisions of the BAA should be coordinated with the cloud services contract, which may go further and require the vendor to report breaches of, and significant attacks on, its network, even if they do not actually result in the provider s data being compromised. These provisions should define clearly the relevant reporting events (data breach versus security alerts, date of discovery, etc.) and should address the vendor s responsibilities in each case, including the period of time after discovery within which the vendor must give the provider written notice. The cloud services vendor should have an incident response plan that limits resulting damage and reduces its response time and costs. The plan should outline key incident response activities for incident containment, preservation of system logs, remediation, and system restoration. The contract should describe a prearranged communication path between the vendor and the provider for reporting and responding to data breaches. Set Up If the contract involves the vendor s providing configuration or other set up assistance, the contract should describe those services in some detail. The contract should also include a schedule of when the vendor will provide those services and what related responsibilities the provider has. Consider tying some compensation to the completion of milestones. Training If the vendor is required to provide training, the specific training, the number of people from the provider who will be trained, and the location of the training should all be specified in the contract. Data Migration Consider whether you will want the proposed vendor to be responsible for migrating your data from a current system to the new one and for verifying that the transfer occurred successfully. 12. Continuity Data Backup and Disaster Recovery The cloud services contract should specify how, and how frequently, the vendor will back up the provider s data and test the backups. The backed up data should be stored in a separate but equally secure facility that is required to comply with the same requirements as the primary data center. The vendor s disaster recovery plan should describe how, and how quickly, the vendor will restore full service.
10 Cloud Services Provider Failure The healthcare provider should consider how it would respond to a failure of the cloud services vendor. Such an event might be more of a possibility with a startup or small vendor. There are a number of companies that offer business continuity services for subscribers. These arrangements, like the source code escrow arrangements that are sometimes used for licensed software, should be evaluated and consummated in connection with entering into the initial cloud services agreement. 13. Remedies Damage Limitations Every cloud services contract a vendor proposes will include broad limitations on the total amount of damages a subscriber can recover and an exclusion of consequential and other categories of damages. These clauses often state that these limitations apply regardless of the theory of recovery. A provider should consider at least the following carve outs from broad damage limitations. In each case, these damages would be unrelated to, and not fairly limited by, the fees the provider has paid the vendor over any period of time or any other blanket limitation. Damages the provider suffers as a result of the vendor s breach of its confidentiality obligations. Damages the provider suffers as a result of the fraud or criminal conduct of the vendor, its subcontractors or their respective employees. The provider s obligations under any intellectual property infringement indemnity in the contract. Indemnification A provider should seek an intellectual property infringement indemnity from the cloud services vendor. The vendor will certainly be a defendant in any suit brought against the healthcare provider. Additionally, the vendor will have an incentive to defend its services and to be able to continue to provide them in an uninterrupted fashion. SLA If the vendor does not comply with the availability or performance requirements in the SLA, the provider should ask the vendor to provide credits which the provider can use against future amounts due for the services. If the vendor fails to comply with the requirements too frequently, the subscriber sometimes has a right to terminate the service without penalty.
11 1. Software Maintenance Services Example Service Level Agreement a. Licensor shall maintain the Software and the Documentation in good working order and in compliance with this SLA. Licensor shall correct all errors, problems, interruptions, malfunctions and failures in the Software (collectively, Errors ) in compliance with the Agreement and this SLA. Capitalized terms used in this SLA shall have the meanings subscribed to them in the Agreement to which this SLA is an Exhibit. b. Licensor shall provide to Licensee and the Affiliates, at the same time it makes them available to other users of the Software, all improvements, enhancements or updates to, and all new releases and new versions of, the Software, including an electronic copy of the accompanying Documentation. c. Licensor shall perform all Software scheduled maintenance during the following maintenance windows ( Maintenance Windows ) and not during other times: Day of Start Time (Eastern Time End Time (Eastern Time Zone) Week Zone) Monday 12:01 am 5:00 am Tuesday 12:01 am 5:00 am Wednesday 12:01 am 5:00 am Thursday 12:01 am 5:00 am Friday 12:01 am 5:00 am Saturday 12:01 am 5:00 am Sunday 12:01 pm 8:00 am 2. Support Services a. Help Desk. Licensor shall provide support services in accordance with the Agreement and this SLA through a telephone help desk staffed by trained and qualified natural persons, supported by additional technical support personnel, and not recorded messages ( Help Desk ). Authorized Users shall be able (i) to report to the Help Desk problems with the Software and the Documentation and (ii) to receive from the Help Desk prompt assistance in the use of the Software and the Documentation and in the identification, evaluation and resolution of Errors. Licensor will provide Authorized Users access to a toll-free telephone number dedicated to Authorized Users only for all support calls. During the term of this Agreement, the Help Desk normal operating hours shall be at least M-F 8:00 am to 11:00 pm ET, Saturday 8:00 am to 9:00 pm ET, and Sunday noon to 9:00 pm ET. Licensor will use commercially reasonable efforts to have a trained and qualified person answer all calls to the Help Desk by Authorized Users during normal operating hours within 90 seconds. b. Errors. If Licensor is not able to resolve a Authorized User s question or problem within four hours after that Authorized User s first call to the Help Desk, then:
12 i. Licensor shall use commercially reasonable efforts to respond to Errors within the applicable time period based on the Severity Level as reasonably determined by the Authorized User. ii. For purposes of this SLA, the Severity Levels are as follows: Severity Level Level 1 Level 2 Level 3 Definition High Priority. Software (a) not operating at all, (b) having material functions or functionality not operating or operating improperly, or (c) operating in a manner that is corrupting, or is likely to corrupt, any data of Licensee or an Affiliate. Intermediate Priority. Software operating properly only with a work around. Low Priority. Software has problems with operations that do not reduce functions or performance in a material way. iii. Severity Level Response Times. (1) Level 1 = Response time is 1 hour or less (2) Level 2 = Response time is 8 hours or less (3) Level 3 = Response time is 5 business days or less iv. Continuous Efforts. Licensor shall use reasonable efforts, 24x7x365, to resolve all Level 1 Errors as quickly as possible. Licensor shall use reasonable efforts, during the normal operating hours of the Help Desk, to resolve all Level 2 Errors as quickly as possible. Licensor shall use reasonable efforts to resolve all Level 3 Errors within 10 days after License first reports the Error. 3. Availability of Software. Licensor will use reasonable efforts to ensure that the Software is available to all Authorized Users and operable 100% of the time 24x7x365, subject to scheduled maintenance during the Maintenance Windows. 4. Data Backup. Licensor will perform a daily backup of all of Licensee s Data during the Maintenance Windows, will ensure all backed up data is encrypted, and will store all backup media at a secure off-site storage facility that complies with the Security Requirements. Licensor will retain all daily backup media for at least 30 days. 5. Service Level Guarantee. At the end of each month during the Term, Licensor shall calculate and report to Licensee the Availability (defined below) of the Software during the preceding immediately `month. If Availability falls below 99.99% in any month during the Term, then Licensee shall automatically receive a credit against all fees and charges due the next or a subsequent month under the Agreement equal to the amount specified in the chart below; provided that in no event will the total credits in any month under this guarantee exceed 100%
13 of the total monthly fees and charges due in such month. Unused portions of credits may be carried forward to future months. a. Credits Chart Availability Percentage Associated Credit 99.99% to 99.5% 5% of all fees and charges for such month 99.49% to 99.0% 10% of all fees and charges for such month 98.99% to 98.5% 15% of all fees and charges for such month 98.49% to 98.0% 20% of all fees and charges for such month b. Definitions. The Software shall be considered Available unless (i) Licensee or any Affiliate is unable to access and to use the Software with all functionality and performance described in the Agreement (the "Non-Compliance"), and (ii) such Non- Compliance is caused by the Software, Licensor s servers, network, other equipment, or application programs or facilities or issues for which Licensor is responsible under the Agreement. Availability shall be expressed as a percentage and shall be calculated by dividing the total number of minutes the Software is Available each month (excluding such minutes occurring during the Maintenance Windows that month) by the total number of minutes in that month (excluding the number of minutes in the Maintenance Windows that month). c. Termination. If the Availability Percentage falls below 98.0% three months in a row or three months in any six-month period, then, in addition to its other rights and remedies under the Agreement and this SLA, Licensee shall have the right to terminate the Agreement without penalty by giving Licensor written notice of termination. 6. Reports. On or before the 5 th day of each month during the Term, Licensor shall deliver to Licensee a written report detailing, with respect to the prior month, the Availability of the Software during the prior month, a detailed calculation of any credits due to Licensee, and other information about the service level guarantees or the Availability of the Software that Licensee reasonably requests. Licensor shall give Licensee immediately a report of any outage with respect to the Software. 7. Help Desk Reports. On or before the 5 th day of each month, Licensor shall deliver to Licensee all call logs for the Help Desk with service event information as well as such summary reports as Licensee may reasonably request.
SaaS Terms & Conditions These SaaS Terms and Conditions ( SaaS Terms ) are part of the Serraview Services Agreement ( Agreement ) which governs Client s (also referred to herein as you or your ) use of
NYSED DATA DASHBOARD SOLUTIONS RFP ATTACHMENT 6.4 MAINTENANCE AND SUPPORT SERVICES 1. Definitions. The definitions below shall apply to this Schedule. All capitalized terms not otherwise defined herein
Cloud Computing: Legal Risks and Best Practices A Bennett Jones Presentation Toronto, Ontario Lisa Abe-Oldenburg, Partner Bennett Jones LLP November 7, 2012 Introduction Security and Data Privacy Recent
BUSINESS ASSOCIATE AGREEMENT ( BAA ) Pursuant to the terms and conditions specified in Exhibit B of the Agreement (as defined in Section 1.1 below) between EMC (as defined in the Agreement) and Subcontractor
SaaS Service Level Agreement (SLA) The purpose of this document is to define the Service Level Agreement (SLA) for the maintenance and support of the Hosting Service ( Service ). Service Level Agreements
Managed Services Terms and Conditions These Managed Services Terms and Conditions ( Managed Services Terms ) set forth the terms and conditions pursuant to which PTC provides Managed Services to paid subscribers
Cloud Agreements: Do s, Don ts, and Cautions 4 th Annual Grand Rapids IT Symposium June 11, 2015 Nate Steed & Ken Coleman 2015 Warner Norcross & Judd LLP. All rights reserved. WNJ.com Disclaimer 2015 Warner
Appendix E to DIR Contract Number DIR-TSO-2736 CLOUD SERVICES CONTENT (ENTERPRISE CLOUD & PRIVATE CLOUD) Enterprise Cloud Resource Pool Services Features Sungard AS will provide the following in connection
TEN TIPS FOR NEGOTIATING SOFTWARE LICENSE AGREEMENTS November 18, 2015 Benjamin G. Lombard 414-298-8225 firstname.lastname@example.org Adam J. Spector 414-298-8200 email@example.com 1000 North Water Street,
Attorney Advertising Prior results do not guarantee a similar outcome Models used are not clients but may be representative of clients 321 N. Clark Street, Suite 2800, Chicago, IL 60654 312.832.4500 Wednesday,
DATA SECURITY AGREEMENT Addendum # to Contract # This Data Security Agreement (Agreement) is incorporated in and attached to that certain Agreement titled/numbered and dated (Contract) by and between the
EXHIBIT FOR MANAGED SERVICES (2013V3) This Exhibit for Managed Services, in addition to the General Terms, the OnDemand Exhibit, and any applicable PDM, applies to any Managed Services offering licensed
Data Processing Agreement for Oracle Cloud Services Version December 1, 2013 1. Scope and order of precedence This is an agreement concerning the Processing of Personal Data as part of Oracle s Cloud Services
BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the Agreement ) is entered into by and between Professional Office Services, Inc., with principal place of business at PO Box 450, Waterloo,
Service Description Services is a subscription fee based managed shared service, which offers a highly reliable, scalable, secure, and cost-effective testing platform that state agencies and local government
HPE STATE MODEL CLOUD COMPUTING SERVICES SPECIAL PROVISIONS (Software as a Service) THESE SPECIAL PROVISIONS ARE ONLY TO BE USED FOR SOFTWARE AS A SERVICE (SaaS), AS DEFINED BELOW. THESE SPECIAL PROVISIONS
SERVICE SCHEDULE INFRASTRUCTURE AND PLATFORM SERVICES This Product Schedule Terms & Conditions is incorporated into a Services Agreement also comprising the General Terms and Conditions which the Customer
2014 HIMSS Analytics Cloud Survey June 2014 2 Introduction Cloud services have been touted as a viable approach to reduce operating expenses for healthcare organizations. Yet, engage in any conversation
BrandMaker Service Level Agreement BrandMaker Service Level Agreement v1.1, 18-02-2014, page 1 of 6 I. Support 1 Object of the agreement The object of these terms and conditions is the support of standard
Cloud Computing What is Cloud Computing? Cloud computing is where the organization outsources data processing to computers owned by the vendor. Primarily the vendor hosts the equipment while the audited
This article was originally published in the November 2010 issue of the Intellectual Property & Technology Law Journal. ARTICLE Insights into Cloud Computing The basic point of cloud computing is to avoid
Cloud Computing in the Federal Sector: What is it, what to worry about, and what to negotiate. Presented by: Sabrina M. Segal, USITC, Counselor to the Inspector General, Sabrina.firstname.lastname@example.org Reference
Cloud Computing and Security Risk Analysis Qing Liu Technology Architect STREAM Technology Lab Qing.Liu@chi.frb.org 1 Disclaimers This presentation provides education on Cloud Computing and its security
Can SaaS be your strategic advantage in building software? Presented by: Paul Gatty, Director of World Wide Operations Topics What is SaaS? How does SaaS differ from managed hosting? Advantages of SaaS
Evolving Issues for Healthcare IT Contracting By: Alan L. Friel This client advisory is based in part on an article appearing in FierceHealthIT. The emergence of mega-suite vendors, more use of the cloud,
Cloud models and compliance requirements which is right for you? Bill Franklin, Director, Coalfire Stephanie Tayengco, VP of Technical Operations, Logicworks March 17, 2015 Speaker Introduction Bill Franklin,
BUSINESS ASSOCIATE AGREEMENT Please complete the following and return signed via Fax: 919-785-1205 via Mail: Aesthetic & Reconstructive Plastic Surgery, PLLC 2304 Wesvill Court Suite 360 Raleigh, NC 27607
Schedule 15 This Hosting Agreement ( Agreement ) for the Customer Service Application is made as of, 2012 (the Effective Date ) by and between the Washington Metropolitan Area Transit Authority (the "Authority"
ORACLE LINUX AND ORACLE VM SERVICES AGREEMENT A. Agreement Definitions You and your refers to the individual or entity that has executed this agreement ( agreement ) and ordered services from Oracle Finland
Service Level Agreement for Database Hosting Services Objective Global Service Levels include the general areas of support that are applicable to every ITS service. The purpose of the Service Level Agreement
HANDBOOK VERISIGN DDoS PROTECTION SERVICES CUSTOMER HANDBOOK CONSIDERATIONS FOR SERVICE ADOPTION Version 1.0 July 2014 VerisignInc.com CONTENTS 1. WHAT IS A DDOS PROTECTION SERVICE? 3 2. HOW CAN VERISIGN
Infrastructure Technical Support Services Request for Proposal 15 May 2015 ISAAC reserves the right to reject any and all proposals, with or without cause, and accept proposals that it considers most favourable
BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the Agreement ), is made effective as of the sign up date on the login information page of the CarePICS.com website, by and between CarePICS,
RL Solutions Hosting Service Level Agreement April 2012 Table of Contents I. Context and Scope... 1 II. Defined Terms... 1 III. RL Solutions Responsibilities... 2 IV. Client Responsibilities... 4 V. The
Contracting With (or For) Application Service Providers Thomas C. Carey Bromberg & Sunstein LLP Boston Table of Contents I. Glossary... 1 II. The Industry... 1 A. The Value Proposition... 1 B. The Players
SHI THESE SPECIAL PROVISIONS ARE ONLY TO BE USED FOR SOFTWARE AS A SERVICE (SaaS), AS DEFINED BELOW. THESE SPECIAL PROVISIONS ARE TO BE ATTACHED TO THE GENERAL PROVISIONS INFORMATION TECHNOLOGY AND ACCOMPANIED
Cloud Services Hosting Agreement Markley PLEASE READ CAREFULLY - THIS IS A BINDING AGREEMENT. THIS MCS CLOUD PLAN HOSTING AGREEMENT ( AGREEMENT ) IS A BINDING AGREEMENT BETWEEN ONE SUMMER COLOCATION LLC,
Page 1 of 15 VISC Third Party Guideline REVISION CONTROL Document Title: Author: File Reference: VISC Third Party Guidelines Andru Luvisi CSU Information Security Managing Third Parties policy Revision
Technical Support Supplementary Terms We re The Hideout. www.thehideout.co.uk 1. Interpretation 1.1 The following definitions and rules of interpretation apply in these supplementary terms. Commercially
Schedule 14 This Hosting Agreement ( Agreement ) for the Central Data System is made as of, 2012 (the Effective Date ) by and between the Washington Metropolitan Area Transit Authority (the "Authority"
Support Services Apptio Customer Support is dedicated to providing customers with responsive, high-quality assistance to your inquiries regarding your use of the Apptio Subscription Services. Our support
1. INTRODUCTION Exhibit 3 to Appendix D to Contract (per Amendment 6) SaaS Module 1.1. This Module for Software as a Service ( SaaS Module ) between CA and Customer, effective December 15, 2015, specifies
Service Schedule for CLOUD SERVICES This Service Schedule is effective for Cloud Services provided on or after 1 September 2013. Terms and Conditions applicable to Cloud Services provided prior to this
The silver lining: Getting value and mitigating risk in cloud computing Frequently asked questions The cloud is here to stay. And given its decreased costs and increased business agility, organizations
HIPAA BUSINESS ASSOCIATE AGREEMENT THIS HIPAA BUSINESS ASSOCIATE AGREEMENT ("Agreement") is made and is effective as of the date of electronic signature("effective Date") between Name of Organization ("Covered
A LEGAL GUIDE TO CLOUD COMPUTING INTRODUCTION Many companies are considering implementation of cloud computing services to decrease IT costs while providing the flexibility to scale usage on demand. The
Designtech Cloud-SaaS Hosting and Delivery Policy, Version 1.0, 2013 Page i Designtech Cloud-SaaS Hosting and Delivery Policy Designtech Cloud-SaaS Hosting and Delivery Policy, Version 1.0, 2013 Page ii
Service Agreement Hosted Dynamics GP This is a Contract between you ( Company ) and WebSan Solutions Inc. ( WebSan ) of 245 Fairview Mall Drive, Suite 508, Toronto, ON M2J 4T1, Canada. This contract applies
HIPAA BUSINESS ASSOCIATE AGREEMENT THIS HIPAA BUSINESS ASSOCIATE AGREEMENT ( BAA ) is entered into effective the day of, 20 ( Effective Date ), by and between the Regents of the University of Michigan,
Software Maintenance & Support Agreement This agreement ( Support Agreement, Software Assurance, Agreement ) is for the purpose of defining the terms and conditions under which Technical Support, Maintenance
CounselorMax and ORS Managed Hosting RFP 15-NW-0016 Posting Date 4/22/2015 Proposal submission deadline 5/15/2015, 5:00 PM ET Purpose of the RFP NeighborWorks America has a requirement for managed hosting
Technology Help Desk 412 624-HELP  technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.5) Directions and Instructions for completing this assessment The answers provided
John Essner, CISO Office of Information Technology State of New Jersey http://csrc.nist.gov/publications/nistpubs/800-144/sp800-144.pdf Governance Compliance Trust Architecture Identity and Access Management
YOU AGREE THAT BY PLACING AN ORDER THROUGH AN ORDERING DOCUMENT THAT INCORPORATES THESE GENERAL TERMS (THE ORDERING DOCUMENT ) YOU AGREE TO FOLLOW AND BE BOUND BY THE TERMS AND CONDITIONS OF THE ORDERING
Anatomy of a Cloud Computing Data Breach Sheryl Falk Mike Olive ACC Houston Chapter ITPEC Practice Group September 18, 2014 1 Agenda Ø Cloud 101 Welcome to Cloud Computing Ø Cloud Agreement Considerations
Data Privacy, Security, and Risk Management in the Cloud Diana S. Hare, Associate General Counsel and Chief Privacy Counsel, Drexel University David W. Opderbeck, Counsel, Gibbons P.C. Robin Rosenberg,
COOLEY LLP PRESENTS CLOUD COMPUTING IN HEALTHCARE: HIPAA AND STATE LAW CHALLENGES May 20, 2014 attorney advertisement 2014 Cooley LLP Five Palo Alto Square, 3000 El Camino Real, Palo Alto, CA 94306 The
Comment: This sample Addendum is one example of how a clinic might respond to a typical, one-sided, unfair, provendor Maintenance Agreement. Most vendors will not accept clinics form of agreements, but
Trust Cisco to Protect Your Data As cloud adoption accelerates, organizations are increasingly placing their trust in third-party cloud service providers (CSPs). But can you fully trust your most sensitive
HSHS BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement, ( Agreement ) is entered into on the date(s) set forth below by and between Hospital Sisters Health System on its own behalf and
Note: This form is not meant to encompass all the various ways in which any particular facility may use health information and should be specifically tailored to your organization. In addition, as with
IBM Software as a Service (SaaS) Support Handbook for IBM Cognos Sales Performance Management Contents Overview... 1 1.0 MONITORING... 2 2.0 SCHEDULED MAINTENANCE... 2 2.1 Notification... 2 2.2 Regular
The Institute of Professional Practice, Inc. Business Associate Agreement This Business Associate Agreement ( Agreement ) effective on (the Effective Date ) is entered into by and between The Institute
Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0 Unless otherwise stated, these Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies
SaaS Hosting Agreement V1.2, August 18th, 2014 Between: Project Open Business Solutions, S.L. VAT ID: ESB65837809 Calle Aprestadora 19, 12 o -2 a E-08907 Hospitalet de Llobregat (Barcelona) (]project-open[,
TERMS & CONDITIONS of SERVICE for MSKnote Definitions: "Us or Our or We or Company" You or Your or Client Refers to MSKnote Limited Refers to you or your organisation Information about us: We are MSKnote
IIA Chicago Chapter 53 rd Annual Seminar April 15, 2013, Donald E. Stephens Convention Center @IIAChicago #IIACHI Cloud Computing: Risks Auditing Phil Lageschulte/Partner/KPMG Sailesh Gadia/Director/KPMG
Service Definition Business Continuity Plan Overview of Service Sapphire provides a bespoke service, working with your organisation to develop a comprehensive Business Continuity Plan (BCP) designed to
ASIAN PACIFIC TELECOMMUNICATIONS PTY LTD STANDARD FORM OF AGREEMENT Schedule 3 Support Services December 2013 Table of Contents 1. SERVICE SCHEDULE 3 SUPPORT SERVICES... 3 1.1 OVERVIEW... 3 1.2 STANDARD
Presenting a live 90-minute webinar with interactive Q&A Cloud Computing in Healthcare: HIPAA and State Law Challenges Navigating Privacy and Security Risks WEDNESDAY, JUNE 12, 2013 1pm Eastern 12pm Central
ATTACHMENT G: HOSTING AGREEMENT 1. Overview of Schedule 1.1 General. This Schedule provides the terms and conditions on which Vendor will provide the hosting services, support functions and other responsibilities
1 ForestSafe SaaS Service details 1.1 Service Description ForestSafe is a privileged identity management system used today to manage the Administrator passwords of 65,000 computers by the UK largest bank.
HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement and is made between BEST Life and Health Insurance Company ( BEST Life ) and ( Business Associate ). RECITALS WHEREAS, the U.S.
Preferred Professional Insurance Company Subcontractor Business Associate Agreement THIS SUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT ( Agreement ) amends and is made a part of all Services Agreements (as
This form may not be modified without prior approval from the Department of Justice. Delete this header in execution (signature) version of agreement. HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate
15 questions to ask before signing an electronic medical record or electronic health record agreement Many definitions exist for electronic medical record (EMR) and electronic health record (EHR). Although
Limited www.webdrive.co.nz PO Box 302829 North Harbour North Shore City 0751 Telephone: 0800 SPECIFIC SERVICE TERMS These specific service terms must be read in conjunction with 's General Terms and Conditions