Security and compliance: What to look for in a cloud services partner
February 27, 2025 | Kyle Erickson
Cybersecurity is a critical component of modern cloud-based solutions, especially for organizations handling sensitive data like hospitals and health systems. As cyber threats become more sophisticated, maintaining robust security controls is essential to safeguarding information, ensuring compliance and mitigating risks.
Understanding security certifications and standards
Security certifications play a crucial role in validating the integrity of cloud service providers. Here’s what some of the major standards mean:
- National Institute of Standards and Technology (NIST)opens in a new tab: A set of security guidelines and frameworks that serve as the foundation for many cybersecurity programs. NIST standards establish best practices for risk management, data protection and security controls.
- Health Information Trust Alliance Common Security Framework (HITRUST CSF)opens in a new tab: A certifiable framework that integrates multiple security, privacy and risk management standards, including Health Insurance Portability and Accountability Act (HIPAA), NIST and International Organization for Standardization (ISO), to ensure comprehensive data protection in the healthcare industry.
- Service Organization Control 2 (SOC 2): A voluntary compliance standard that evaluates a service provider's ability to protect data based on security, availability, processing integrity, confidentiality and privacy principles.
- Federal Risk and Authorization Management Program (FedRAMP®)opens in a new tab: A U.S. government-wide program that provides a standardized approach to security assessment, authorization and continuous monitoring for cloud services used by federal agencies. It has different authorization levels, including low, moderate and high, depending on the sensitivity of the data being handled.
- State Risk and Authorization Management Program (StateRAMP™)opens in a new tab: An extension of FedRAMP, tailored to state and local government needs, ensuring that cloud service providers meet similar security and compliance requirements.
Understanding standards for U.S. government agencies
FedRAMP is a federal program that standardizes security requirements for cloud services, ensuring they meet stringent controls based on NIST guidelines. Achieving FedRAMP authorization signifies that a cloud service provider has undergone a comprehensive evaluation and adheres to federal security standards.
StateRAMP, modeled after FedRAMP, extends similar security frameworks to state and local governments. It provides a standardized approach for evaluating cloud service providers, ensuring they meet the necessary security requirements for handling government data.
At Solventum, we recognize the importance of protecting our customers’ data and are pursuing compliance with FedRAMP and StateRAMP. These initiatives will reinforce our commitment to upholding the highest security standards. While these certifications are required for our U.S. government customers, commercial customers also benefit from robust data protection measures.
Importance of continuous monitoring
When partnering with a cloud services vendor, be sure to prioritize continuous monitoring. Ongoing assessments of cloud services help validate that security controls are functioning effectively and that any emerging vulnerabilities are promptly identified and addressed. This process includes:
- Regular security assessments: Conducting routine evaluations of systems to verify the effectiveness of implemented security controls
- Vulnerability scanning: Performing frequent scans to detect potential weaknesses in infrastructure
- Incident response: Establishing protocols to respond swiftly to security incidents, minimizing potential impacts
These activities are designed to provide operational visibility, manage change control and ensure prompt attention to incident response duties.
Committed to data protection
Cybersecurity is an ongoing priority within the healthcare industry. With stringent security frameworks, continuous monitoring and adherence to industry leading certifications, we take a proactive approach to mitigating risks and strengthening data protection for our customers.
With HIMSS coming up, we’re excited to share how we’re working to solve some of the biggest challenges in healthcare. Find out for yourself about Solventum’s commitment to security by scheduling time with us at HIMSS in booth 4632. If you’re not attending HIMSS but want to learn more, contact us here.
Kyle Erickson is vice president, product chief information security officer at Solventum.
