Critical security tips for provider CIOs using public clouds
Healthcare provider organizations are beyond the initial security fears when it comes to moving systems and data to a public cloud. There exists now a comfort level that simply wasn’t there even a few years ago.
But healthcare CIOs and CISOs still need to be quite prepared when it comes to using a public cloud. While public cloud operators have taken extraordinary steps when it comes to security, hospitals and health systems still have a job to do on their side when it comes to ensuring that their systems and data are protected.
Here, two healthcare provider CIOs and a deputy CISO offer their expert guidance for working with public clouds based on their experience with these increasingly helpful technological tools.
Five factors to button up
The cloud has evolved to the point where it has a certain “sexy” quality to it because it has proven attractive for reliability, scale, performance and – a big favorite – cost savings.
John Fowler, deputy information security officer at Henry Ford Health System in Detroit, advised that when considering deploying systems and/or data on a public cloud, CIOs should consider five factors.
“First is learning,” Fowler said. “While CIOs have reached the pinnacle of success in the IT career track, it’s time to go back to school. It’s not as simple as ‘on-premise versus off-premise’ or ‘in-house versus managed service.’ Existing in the cloud are business and technical complexities that require in-depth knowledge from the top down.”
"Existing in the cloud are business and technical complexities that require in-depth knowledge from the top down."
John Fowler, Henry Ford Health System
The decision to move to the cloud should not be made on a great hour-long presentation by a vendor, he added. CIOs should adopt a top-down approach to learning, he said.
“Ensuring themselves and their teams have a full comprehension of infrastructure, security, identity and access, support model, risks, and a multitude of other items,” he said. “Going back to school in partnership with the CISO will allow a tighter collaboration and understanding between operational delivery of a cloud solution and the necessary security controls that must be in place before, during and after launch.”
Beware the giant octopus
The second factor Fowler cited is what he called “tentacles.”
“Public cloud computing has significant reach into organization infrastructure, data, applications and often other organizations outside of the hosting environment,” he explained. “Technical architecture diagrams and data flows can identify high-risk environments that may require additional levels of control and monitoring. The CIO and CISO should partner and apply additional technical measures and monitoring to those areas identified as high-risk.”
Third is dotting the “i’s” and crossing the “t’s,” Fowler said. It is critical that CIOs have a full understanding as to the contractual obligations of the cloud hosting provider to provide security controls, he insisted.
“Often, organizations are under the misconception that the cloud hosting provider is responsible for ensuring security controls in place,” Fowler stated. “Amidst a breach is not the time or place to review security obligations. A full understanding of responsibilities is critical to ensure no gaps exist in cloud security controls.”
CIOs need to follow best practices
No. 4 on Fowler’s list is that best practices are indeed best.
“Following a cloud-related security framework will reduce the likelihood of a security misconfiguration that could lead to system breaches,” he advised. “The complexities of the cloud environment are intensified as new types of security controls are needed to bridge the gap between on-premise and off-premise delivery of infrastructure, platform and software services.”
Training, adherence to cloud security best practices and good change management processes will further acclimate administrators to borderless environments, he added.
And fifth and finally, healthcare CIOs need to understand that identity is everything, Fowler advised. Prior to the cloud, an on-premise perimeter was advantageous as network connectivity was usually required to authenticate access, he said.
“However, in a cloud environment, accessibility to systems and data can be done anytime and from anywhere in the world,” he explained. “Timely provisioning and deprovisioning user accounts and following the rule of least privilege are basic hygiene controls that go a long, long way.”
Bringing in third-party security vendors
Joe Fisne, associate CIO at Geisinger Health System in Danville, Pennsylvania, has experience working in a public cloud environment and he said there are many considerations for CIOs jumping into the cloud.
“There are several items that you should consider,” he advised. “We involved third-party vendors for compliance certifications for HIPAA and HITrust to assure that we’re meeting the full intent of security. We also leveraged third-party solutions for virtual private network and transport layer security that had enough experience with working on the public cloud to ensure a secure connection.”
Also from the security perspective, managing accounts in active directory in the cloud is essential for seamless integration, Fisne added.
“We had to harden our test environment and conduct validation checks on the test environment before completely moving to the cloud, which helped us warrant that we had a secure cloud to transfer all information,” he said. “For a best practice, we feel that you should create your environment and have it reviewed by your cloud vendor of choice.”
Keeping security costs top of mind
One of the initial concerns to be considered when securing a public cloud set-up is the cost of the security infrastructure – firewalls – that must be put in place in order to have data safely moving between environments, said Leonard T. “Skip” Rollins, CIO at Freeman Health System in Joplin, Missouri. These appliances can be very expensive and require a fair amount of technical expertise to deploy, he added.
“Make sure you understand how your data will be protected in any cloud environment,” Rollins continued. “You must understand what is going on with your data when it is at rest. Is it being encrypted, how is it compressed, are there proprietary tools being used in any way, can you easily retrieve your data.”
How is the data backed up, what tool does the cloud vendor use, he further asked. And does the vendor host the data or are they leasing from a third-party cloud vendor, he added.
“Make sure your staff understands what it means to have data in the could and how they should use the data,” Rollins said. “Make sure there is a governance process in place to insure any changes to the data are documented and approved by the governance organization.”
Another best practice Rollins said is that if a vendor will not respond to a security risk and business continuity questionnaire, do not do business with them.
“If you are storing data to be used by an application, you have to do testing to ensure the application users have a positive experience,” he concluded. “Do benchmark tests to determine how the user experience is or will be impacted. You are looking for an ‘Oh, I didn’t realize the data is in the cloud’ response.”
Focus on Securing Healthcare
In August, Healthcare IT News, along with our sister sites, MobiHealthNews and Healthcare Finance, will focus on the many ways the industry is succeeding – and the places it's falling short – when it comes to the all-important task of enterprise-wide security.