CISO security tips for managing hybrid cloud deployments
Quite rapidly, healthcare providers have evolved from a deep skepticism, if not outright opposition to cloud deployment, to something approaching enthusiastic embrace. Indeed, with their security concerns having been allayed in recent years, more than a few security professionals are pushing toward cloud-first, if not cloud-exclusive hosting strategies.
As this increased comfort level has pushed greater exploration, many healthcare organizations are now grappling with dozens, even hundreds of different cloud vendors. Most have done yeoman’s work gaining the maturity and certifications required to prove their mettle for handling protected health information. But the challenges of managing multi-cloud deployments are hardly a walk in the park.
A lot of nuances remain
“There’s still a lot of nuances in a cloud environment. There’s a lot of specific security settings (that have to be) properly configured,” explained Winston Armstrong, chief information security officer at the San Diego Super Computer Center, in 2018.
“There’s definitely a place for the cloud,” he said. “There’s cost benefits, there’s a lot of great capabilities and automation. But there’s also a lot to do still, from whoever is managing these applications, whoever is managing the security. It’s not all just plug and play. It’s a great environment. You’ve just got to put in the work to get it done.”
Anahi Santiago, CISO at Wilmington, Delaware-based Christiana Care Health System, knows that from first-hand experience. In the past several years, the organization’s cloud infrastructure has kept expanding in size and complexity.
From a database to manage human resources data to cloud-based desktop apps, from a warehouse hosting PHI and a cloud-based EHR, “we continue to further grow our footprint,” Santiago said.
Niche cloud solutions
Moreover, she said, “we continue to partner with organizations that are cloud-based to provide us with niche solutions that serve our needs. So we have moved our patient billing to the cloud. We are now looking at using cloud services to engage with our patients from a communication perspective. And one of our huge projects is now looking at moving our second data center to the cloud. So that’s a lot.”
Christiana Care is still a hybrid environment, given that it hosts data onsite too, but “we definitely have a cloud-first strategy,” said Santiago. “I don’t know that we’ll ever be completely in the cloud. But we’ll be more in the cloud than on-premise, for sure.”
But even now, she has her work cut out for her, dealing with “hundreds” of different cloud vendors at any given time, she said.
So what’s the secret to juggling not only that large number, but also the huge variety of different applications and vendors?
“It all starts with risk assessments,” Santiago stated. “We don’t engage with any cloud-based party until my team has done a risk assessment of the cloud environment.
Not perfunctory assessments
And these are not perfunctory affairs, she said.
“What that entails is taking a look at the type of information that is going to be stored in the cloud, the criticality from a business perspective of having that cloud service be available at all times and the overall workflow that our caregivers are going to utilize in the cloud,” Santiago explained.
“And then my team reaches out. They do the typical questionnaire, they ask for a SOC2 Type II report – and what’s really important is that we require a report for the specific instance of the vendor’s cloud environment,” she said. “The cloud is a shared responsibility model. And so we need SOC2 Type II that’s specific for that vendor’s configuration and instance of the cloud, so that we know they have taken steps to protect their environment.”
While that’s a “huge” must-have from Christiana Care’s point of view, “a lot of times it surprises vendors asking for that,” Santiago said. “That can be a deal-breaker, depending on the criticality of that information.”
Next steps: Assessing security controls
Santiago also requires that other steps be taken, such as ensuring the vendor is going to “authenticate to our SML environments to our identity store, so that we’re not managing, you know, 100 different identity and access management stores. We want everything to go in through our authentication.”
In addition, “we require a very long list of hosting security terms that hold them accountable for making sure that they have a risk management program, a security and awareness program, that our data is going to remain in the United States and that we know it is going to be accessible offshore.”
Basically, it’s all meant to ensure that “we know, from a risk perspective, that we would have some decision point there in terms of what we will and will not allow,” she added.
“Everything from making sure that they are doing vulnerability scans, penetration testing, a right to audit – all the way down to criminal background checks. It’s an extensive list of security requirements. And then we also require them to provide us with some kind to report again on their own incidents on an annual basis – and, depending on the criticality, an attestation that they’ve done a vulnerability assessment and an attestation that they had done a failover or disaster recovery exercise.”
What’s in place?
It’s all about “making sure we understand what security controls they have in place and what their due diligence is, to give us a comfort level that they are meeting our security standards,” Santiago explained.
The good news is that more and more cloud vendors are up to the task, she said. “They’ve been getting a lot better. When I first started here four years ago, requiring a SOC 2 Type II report of their own instance surprised a lot of people. But now we’re getting a lot more. We’re also getting more folks that will go as far as to get HITRUST certification or ISO certification, which certainly gives us a far greater comfort level that they are prioritizing security.”
Even if the vendor does everything right, however, multi-cloud deployments won’t work optimally if the providers’ own staff aren’t up the new demands of operating in a mostly remote-hosted environment.
“The one really important lesson that we learned when we first started really looking at moving our infrastructure over to the cloud is how different the skill-sets are from a security perspective and even an infrastructure perspective when you’re doing things in the cloud, as opposed to when you’re doing them in the data center,” Santiago said.
Slowing down to better prepare
“We’ve slowed down some projects in the past – a project that was supposed to take maybe a few months has taken longer due to the fact that we’ve had to really take a step back, re-educate ourselves, upscale our staff, hiring different consultants that know the cloud so that we can move forward doing it well from a security perspective,” she said. “And I think that I think we were surprised at how different the skill-sets really are that are needed to function in the cloud.”
Managing a complex multi-cloud environment is a shared responsibility model, Santiago added, and healthcare organizations have to look closely at their processes to make sure they’re taking the right steps to manage the fast-evolving nature of cloud applications.
“One of the things that we’re seeing now is change management,” she concluded. “The cloud changes almost on a daily basis. And you can fall in love with all the brand new features and functionality. But that can also open up risk. And so I think it’s really important to make sure that you have a really strong change management program, along with a risk management program, that keeps an organization regimented about how to adapt all the different functionalities in the cloud – so you’re not introducing undue risk for the sake of a shiny new piece of functionality.”
Focus on Securing Healthcare
In August, Healthcare IT News, along with our sister sites, MobiHealthNews and Healthcare Finance, will focus on the many ways the industry is succeeding – and the places it's falling short – when it comes to the all-important task of enterprise-wide security.