Migrating health data to the cloud: locking down security
Healthcare organizations need to look – and perhaps even study and scrutinize security issues – before leaping to the cloud, according to Shane Whitlatch, enterprise vice president at FairWarning.
“There are ample studies and reports that talk about the potential benefits of storing data in the cloud. These benefits range from the ability to manage the costs associated with storing data, the speed of accessing data, the ability to share that data and integrate it with other systems and ultimately to improve outcomes,” he said. “And perhaps most important, a healthcare organization can negotiate predictable expenses when working with cloud service providers.”
With all this potential, many healthcare organizations are rushing to the cloud. In fact, 84 percent of care providers now are using cloud services, according to the HIMSS Analytics 2016 Cloud Survey (Figure 1). Haste, however, doesn’t always end well. As a result, the challenge for healthcare organizations lies in determining how to best manage the move to the cloud and to ensure appropriate security is in place once they get there.
Of course, healthcare organizations need to achieve the same level of data protection in the cloud as they do with on premise systems. “HIPAA isn’t necessarily concerned if the data is on premise or in the cloud, the laws still apply either way,” Whitlatch said.
Before jumping to the cloud, then, organizational leaders should be aware of the security risks specifically associated with cloud data. “A simple plan to start is to be sure the same security controls for premise are in place for cloud,” he pointed out. Among the threats to PHI in the cloud are business associate breaches, unintentional disclosures and insider threats.
Perhaps most troubling, though, the simple fact that it is easy to initiate cloud projects could present a security pitfall down the line. “The ease of spinning up a cloud application can create, in and of itself, a risk. Because cloud projects are easy to start, it’s also easy to just leave them there and not monitor them. So, that is one of the big risks,” Whitlatch said. For instance, a physician or researcher might choose to store protected health information (PHI) in BOX, stop working on the project and then just abandon the data in the cloud-based storage platform, which sits outside of established controls. As such, it is important to ensure third-party vendors have the staffing that enables them to perform the testing and continuous monitoring to protect applications and data.
Looking before leaping
Developing the right mindset and realizing that cloud projects need to be monitored, much like on-site initiatives, is just the beginning, though. To ensure data security, healthcare leaders also need to:
Verify that cloud service providers are fully addressing security. Remember, just because a cloud service provider has an appealing website doesn’t mean that the vendor has adequate security. The reality is that some cloud vendors have a limited understanding of security and often place more emphasis and effort on functionality than on security.
Here’s the rub: Developing and implementing advanced security does not typically attract end-users in the same way that a sleek website or advanced functionality might. “As Mike Tyson once said, ‘Everyone has a plan until they get punched in the mouth.’ It’s the same thing for a cloud service provider that has a slick demonstration or advanced functionality. It’s all cool and feels good until someone steals the data,” Whitlatch pointed out.
As a result, healthcare leaders should insist on cloud service providers including security tools with their solutions. “And, don’t just let the cloud companies tell you about security. Make sure they put it in the contract. That’s another good practice,” he said. “It’s also good to require regular security reviews to ensure that security is being addressed on a continual basis.”
Demand security transparency. Healthcare leaders need to demand that vendors provide substantive information regarding security, not just facts related to the cloud company’s data center environment but also information about incident response and notification procedures, code level reviews, penetration testing, periodic patching policies and account management as well. In addition, the cloud service provider should demonstrate compliance with an information security framework such as Service Organization Controls (SOC) 2 Audits or the NIST Cybersecurity Framework (NIST-CSF).
“You really need to press for evidence of the cloud service provider having invested in security,” Whitlatch advised. “Ask if they have achieved the right certifications, and then really press for results. Show us how often you are testing, what type of testing you are doing, who’s doing the testing.”
Ensure that cloud providers consider the comprehensive security picture. Cloud service providers need to integrate into an organization’s existing security tools such as security information and event management, identity management and patient privacy intelligence.
“The cloud service vendor has to be aware of all the layers of security that are required at the customer business environment and be able to integrate with the appropriate layers to really be a part of an integrated threat detection and prevention network,” Whitlatch said.
Because healthcare is very contextual, it is especially important to address identity. In other industries, it’s very cut-and-dried when determining if someone accesses a record that’s inappropriate. In healthcare, however, a care provider might access a record or need certain data for a reason that may not be standard but is still valid. As a result, it’s important to integrate with other layers of security, especially at the identity level to make the right security decisions.
“You have to look at context. In healthcare, you could say a pediatric nurse should never look at the record of someone in the emergency room or someone in the operating room or someone who’s not a child. But there are many valid examples where a pediatric nurse may, in fact, need to look at an adult record,” Whitlatch said. “If you make decisions based solely on the person’s identity without considering context, then you might reprimand or fire them because they looked at a record or report it as a breach and that’s not accurate. You need to understand why was that person in there. What else were they doing that day? Was someone else logged in their ID? There are a lot of other things that provide context.”
In the final analysis, while the cloud holds many advantages, healthcare organizations need to tread carefully and take into account the full array of security concerns. Indeed, only when security is comprehensively addressed can healthcare organizations reap benefits such as improved collaboration, increased agility, reduced IT footprint and predictable operating expenses.