No tradeoffs: Security for the healthcare cloud-of-choice

Heather Johnson | Oct 20, 2017 05:49 pm
The business of healthcare is changing. The move to value-based payment programs and incentives is forcing health systems to reexamine risks, benefits and rewards, while striving to meet new benchmarks for improved quality and reduced costs. This transformation spans all clinical service lines and departments. And IT, with new technology and apps underlying emerging business initiatives, has taken over the wheel.

As a result, IT administrators are seeking ways to store and manage the increasing volumes of data generated while controlling datacenter costs. IT staff don’t just run datacenters in this new world. They also help bring new apps to users.

To keep costs and data under control, healthcare organizations have gotten creative. More of them choose non-traditional datacenter architectures such as private, hybrid and public clouds, and use them to implement SaaS and IaaS services. According to the 2016 HIMSS Analytics Cloud Survey, 84 percent of respondents used cloud services for either administrative, IT or analytics functions [1].

Over time, healthcare organizations have warmed to cloud computing for its relative affordability and flexibility. Tools like virtualization allow IT to offer more services with less investment, while automation adds flexibility and agility. These capabilities allow healthcare organizations to rapidly implement data-driven population health, precision medicine and patient engagement initiatives. However, security, privacy and control remain key concerns.

More than half of the 2016 HIMSS survey respondents cited security as a reason to postpone cloud adoption. Other concerns include availability/latency, compliance, migration and cost [2]. With these concerns in mind, as well as the functionality requirements for the workload in question, providers may choose different types of clouds to invest in. Among the many options, providers can consider private and hybrid clouds, SaaS, IaaS and managed service offerings that frequently offer more customization and control than mainstream public cloud.

Added security

Security and resiliency are paramount to any data platform, and are particularly important today. HIPAA requires healthcare providers to store electronic protected health information (ePHI) for a certain period of time – exactly how long depends on state law. HIPAA also requires both the healthcare organization and the cloud service provider to employ physical, technical and administrative safeguards to protect ePHI.

A flash-based data platform with always-on data encryption protects ePHI both in transit and at rest. “That’s critical,” said Lynne Dunbrack, research vice president for IDC Health Insights. “If a cybercriminal infiltrates the network, they can’t read the data if it’s encrypted. Always-on encryption is a key benefit from a security and regulatory perspective.”

Cloud service providers must also sign a business associate agreement (BAA) in order to comply with HIPAA requirements. The BAA determines how the cloud provider must interact with ePHI, Dunbrack said. Among other requirements, the BAA should also specify how a cloud provider will report and respond to a data breach, and the financial responsibilities for remediation. The U.S. Department of Health and Human Services offers detailed guidance for safeguarding ePHI on its website.

Reliable performance

In a healthcare setting, a data storage failure puts lives at risk, particularly if providers can't access vital information at the point of care. A platform that combines the benefits of all-flash arrays and the cloud offers nearly 100 percent availability during upgrades, downgrades and even during failures [3].

A cloud-based predictive analytics platform continuously monitors any attached systems across the Internet, managing systems to these near-perfect standards for system availability. The low latency of software-defined storage means no bottlenecks or disruptions while running complex and demanding workloads.

Financial advantages

Healthcare organizations have come to appreciate the benefits of “pay as you grow” scale-out storage, whether on premises or in the cloud. Small to midsize health systems may not have the budget or the IT staff needed to grow their datacenters to keep up with data growth. Outsourcing the workload to a cloud service provider ultimately allows the healthcare organization to assign IT resources to other tasks. It also minimizes the need for scarce information security specialists because cloud service providers can offer that support [4].

Moving to the cloud also presents an advantage when allocating expenses. “Not having to make significant upfront hardware and software investments gives healthcare organizations the ability to move from a CapEx [capital expenses] to an OpEx [operating expenditure] model,” said Dunbrack. “This shift makes cloud computing options attractive to HCOs.”

Stay in control

One key concern of migrating to the cloud, especially for healthcare organizations, is retaining control of sensitive data. In a public cloud environment, the cloud service provider runs the service on infrastructure shared by multiple customers. In this “multitenant” environment, healthcare organizations relinquish some control to the provider.

With private cloud deployment, healthcare organizations retain control of their data. If they run their own private cloud, they assume more responsibility for its security. Many healthcare organizations choose a hybrid cloud model, using public cloud for noncritical data and a private cloud for sensitive information.

“HCOs [healthcare organizations] tend to favor private or hybrid cloud,” said Dunbrack. “This ensures protected health information isn’t comingled with other organizations’ data.”

Dunbrack added that the BAA and service level agreements stipulate the cloud service provider’s accountability for protecting data, which gives healthcare organizations an added sense of security. It’s important to make sure to account for security during migrations and for ongoing use in the cloud. Agreements with cloud service providers should also include plans for either repatriation of data or migration to a new service provider for protection if plans change over the long haul.

As healthcare organizations store and manage more data to deliver population health and other data-driven initiatives, adoption of cloud-based data platforms will continue to evolve. As Dunbrack explained, software-defined storage promises a solution to lower costs and improve quality in a time of change and regulatory uncertainty.


1, 2. "2016 HIMSS Analytics Cloud Survey." October 2016.

3. "The Top 10 Reasons to Choose a Pure Storage All-Flash Solution for Oracle Database Analytics and Deployments." Pure Storage white paper, 2017.

4. "Impact of Cloud Computing on Healthcare Version 2.0." Cloud Standards Customer Council, February 2017.
