Cybersecurity poses big challenges, but new cloud approaches hold promise
As healthcare organizations get more comfortable with the idea of cloud migration, many hospitals and health systems are finding that the security demands of this new paradigm are different than they may have expected.
As Dr. John Halamka, new president of Mayo Clinic Platform, noted at the Healthcare Security Forum in Boston earlier this month, "Perhaps 80% of what a traditional IT or cybersecurity person knows today is irrelevant when moving to the cloud. It's effectively an entirely new job."
Mayo Clinic and Google recently inked a major new 10-year deal that will see the Minnesota health system hosting its data with Google Cloud – which in turn will help Mayo's clinicians and researchers develop an array of cloud and machine learning tools to help solve a variety of complex health challenges.
Amy Waldron, director of Google Cloud Healthcare & Life Sciences, also spoke at the Healthcare Security Forum. She offered an update on what Google is doing to help make the cloud a safer choice for healthcare organizations of all shapes and sizes.
Waldron noted "two areas we've really focused on the most for the past couple of years, with a group of engineers, physicians and product managers: One has been security, because that's been a critical barrier for the cloud industry to overcome; second one is really to how do you actually tap the variety of data sources that exist within healthcare."
The cloud is offering big opportunities, "for secure collaboration, for scalability and more computation power," she added. "That's allowing the industry to solve problems that have never been solved before."
That said, the coming years represent a unique mix of risk and opportunity when it comes to cloud-hosted data. Waldron offered a handful of facts and predictions for 2020 and beyond:
- By 2020, medical data is expected to double every 73 days, she said.
- Healthcare experiences twice as many cyber attacks as other industries, on average, with 25 million patient records compromised in 2019.
- Still, cybersecurity budgets have decreased to just 3% of IT spend, on average.
"There's a tremendous amount of digital transformation taking place, enterprise wide, which is exciting but also daunting," she said.
"The amount of budget going for cybersecurity is decreasing," she said. "So it's down to about 3 percent now of IT budgets. So you're seeing almost this pressure point where people have no choice but to kind of think about how they do things differently."
Whereas cloud hosting was once seen as anathema by most healthcare security professionals, nowadays, many IT professionals are coming around to the idea that the cloud represents a "risk mitigation, not a risk," as John Halamka has explained.
"Having a professionally managed, geographically distributed storage and compute infrastructure provides better security and data integrity protection than any one healthcare organization can create on its own," he said.
Moreover, that approach is well-suited to help manage the demands of an increasingly complex healthcare data ecosystem, Waldron explained.
"You've got a lot of devices coming in: More and more people are starting to integrate and give permission for their wellness devices to sync. You've got mobile apps, you've got external data, you've got the collaboration, EHR systems, genomics data is becoming so relatively inexpensive to process and that data is also being integrated more and more. And then you have a lot of on-prem warehouses and analytics engines. Cloud solutions exist in all areas of the security landscape."
Whether helping from an infrastructure standpoint, enabling better security monitoring or even with some of the approaches to de-identification required to maintain HIPAA compliance, the cloud is well-positioned to help healthcare organizations adapt to this new world of opportunity.
From an infrastructure standpoint, Waldron said, "all cloud vendors are not the same. It's important when you're looking at a cloud provider that you understand how much of your data is on a private network, and if and when it's ever exposed to the public internet.
"It's also important to understand what regions the data centers sit in, especially if you're dealing with an international organization," she added. "And you'll want to think through the physical security – everything from how they're sourcing their hardware to what kind of physical securities are placed around the data centers."
As for monitoring, "I would say the three biggest challenges people have, on prem and in the cloud, are lack of visibility and control, the inability to detect and respond to threats and then increased complexity."
The good news, said Waldron, is that a growing array of monitoring tools exists that can "help you bring this information together: A lot of these are being aggregated so they come up in one pane and they're also prioritized based on your needs. It could be by severity. It could be by project. It could be by CIS benchmarks. Some tools are also very attuned to the reality that some healthcare organizations are going to maintain hybrid environments."
As security threats evolve, in other words, so do cloud technologies' capabilities to help mitigate and manage the risk.
"The industry is at a great spot," said Waldron. "It's still evolving and it definitely is an area where there's got to be joint responsibility between providers and vendors, because at the end of the day that data is yours: You can't outsource the responsibility or privacy and security. But you definitely can get different levels of comfort with regard to cloud providers and vendors if you ask the right questions."
Healthcare IT News is a publication of HIMSS Media.