As health systems reach comfort level with the cloud, the sky's the limit for innovation
It wasn’t too long ago that most IT and security professionals would balk at the very idea of keeping mission-critical data – especially protected health information – in the public cloud. For all the convenience, cost savings and agility remote hosting might offer, the risks of entrusting such precious data to a third party were, after all, just too significant to breeze past.
“Ten years ago, cloud technology was still in its infancy,” said Anahi Santiago, CISO at Newark, Delaware-based Christiana Care Health System. “Most industries, including healthcare, were still trying to wrap their arms around what the cloud entailed and potential risks associated with moving toward the technology. Lack of visibility, standards and transparency were of primary concern, as were issues of privacy, security and overall compliance.”
Unfortunately, in those days, she said, there was also a challenging irony at work.
“In terms of hosting PHI in the cloud, one thing was certain: The major cloud providers with the most likelihood of meeting sound security requirements were not willing to sign Business Associate Agreements,” she said. “That alone for the healthcare industry was a deal breaker. Under HIPAA, covered entities are required to enter into BAAs with third parties that provide services involving access to PHI. As a core regulatory requirement, the decision to move PHI to the cloud was an easy one. Absent a BAA, we simply could not do it.”
Moreover, when it came to security capabilities, the public cloud, generally speaking, often “lacked maturity and sophistication,” said Santiago. “Many of the investments and controls associated with securing information systems and data were not available nor could they be replicated in cloud environments. The security vendors had not yet thought of introducing functionality that could integrate cloud security controls with on-premise tools.
“Any potential security considerations essentially meant having to manage two disparate sets of controls: one in the cloud and one on premise. From a financial and supportability perspective, it didn’t make sense.”
‘A risk mitigation, not a risk’
In recent years, however, many of those major concerns have been allayed. CIOs, CISOs and other infosec leaders have come to feel much more comfortable about the cloud – and many have come to embrace it as a major, sometimes primary, means of data hosting.
Some have even made the bold claim that the cloud’s selling points are so strong that on-premise hospital data centers will be near extinct in a matter of years.
Not that smart security pros don’t still have their concerns, of course. From the necessary components of business associate agreements to SOC 2 audits to the details of the vendor contracts themselves, there are plenty of i’s to dot and t’s to cross before a cloud deployment can be considered properly secured.
But it’s hard to argue with the fact that, compared to the skepticism of years past, there’s a sense of reassurance these days across healthcare and a comfort level with the data protection capabilities of most major public cloud providers – even a sense that sensitive information may be more secure in the cloud than on an on-site server.
Part of that has to do with major public cloud companies upping their games in recent years – boosting their own technical infrastructure and jumping through the many regulatory hoops required to prove they have the wherewithal to handle PHI and other health data.
As more and more hospitals and health systems have taken note – and seen what their peers and competitors have been able to accomplish with the help of cloud hosting – they’re understanding that the redundancy of remote hosting can be a boon.
Nowadays, the cloud is a “risk mitigation, not a risk,” said Dr. John Halamka, executive director of Beth Israel Lahey Health Technology Exploration Center.
“Having a professionally managed, geographically distributed storage and compute infrastructure provides better security and data integrity protection than any one healthcare organization can create on its own,” said Halamka. “Over time, I found that healthcare leaders in countries throughout the world are increasingly embracing this idea.”
A deeper understanding
Indeed, as Michael Reagin, CIO at Norfolk, Virginia-based Sentara Healthcare, explains, a cloud migration can be a valuable opportunity to improve a health system’s security posture in general.
“When you take a look at public cloud security systems, you absolutely get a better security profile there,” he said. “But it has to do more with the move to cloud and how you design and architect your cloud. You get to install the right compliance framework, the right controls around your applications.”
He added that “a lot in healthcare has been inherited: There’s been acquisition, there’s been a lot of rapid growth, so there hasn’t always been the opportunity to do that at a lower level. So this transition, this move to cloud, is a really important aspect of truly securing your system.”
At Sentara, said Reagin’s colleague Dan Bowden, the health system’s chief information security officer, the demands of the cloud have helped ensure a more cohesive thinking about enterprisewide security.
“You need to have another layer of understanding,” he said. “So we’re implementing good configuration standards, good framework standards – and then any exception that needs to be implemented is documented up-front. Whereas in the past, we built all these systems and had to make them work together.”
A ‘vastly different’ technology
Christiana Care’s Santiago, for her part, says her feelings about the cloud have changed dramatically over the past decade.
“My opinion of the cloud is vastly different,” she said. “The industry, technology and capabilities have advanced and matured at an exponential rate over the past ten years. The security controls available both native to the cloud provider’s environment as well as complementary to those native toolsets are comprehensive.”
Santiago does note, however – echoing Reagin and Bowden’s comments – that in most cases, sound security is a shared responsibility: “The cloud service provider is responsible for security to a point and, from that point forward, the customer becomes responsible for security. Most of the breaches that I am aware of involving cloud service providers were the result of misconfiguration on the customer’s end, not necessarily a failure on the controls of the cloud provider. Organizations must understand that moving to the cloud does not absolve them of security responsibilities.”
Indeed, in some cases, she said, “due to how different the cloud works from traditional on-premise environments, it further complicates security requirements. The security skill sets required to secure cloud environments are also different than those required to secure on-premise environments. As organizations consider moving to the cloud, they should also consider transition time for upskilling talent or on-boarding cloud security-savvy talent.”
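The customer-side check that Santiago’s shared-responsibility point implies, as an added example that is not part of the article and not code from Christiana Care, Sentara or any cloud provider: the provider secures the storage service, but a bucket policy the customer writes is the customer’s responsibility, and reading one correctly is exactly the cloud-specific skill she says teams must acquire. The checker below flags S3-style bucket-policy statements that allow sensitive actions to an unrestricted public principal. Both policies, the bucket name, the account ID and the role name are constructed for this example.

```python
"""Flag customer-side public-access misconfigurations in S3-style bucket policies.

Added example, not from the article. Policies, bucket name, account ID and
role name below are constructed placeholders.
"""
import json

# Actions whose public grant exposes or alters data. Any wildcard action
# ("s3:*", "s3:Get*") is also treated as sensitive.
SENSITIVE_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket"}

# Condition keys that pin a grant to a network or an organization. A public
# principal narrowed by one of these is not world-readable. aws:SecureTransport
# is deliberately absent: it only forces TLS and still admits anyone.
RESTRICTIVE_CONDITION_KEYS = {
    "aws:sourcevpce", "aws:sourceip", "aws:principalorgid", "aws:principalaccount",
}


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True when the Principal element grants to anyone at all."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _condition_restricts(condition):
    """True when any condition key narrows who or where the grant applies to."""
    for operator_block in (condition or {}).values():
        for key in operator_block:
            if key.lower() in RESTRICTIVE_CONDITION_KEYS:
                return True
    return False


def find_public_grants(policy):
    """Return [(Sid, [actions])] for each Allow statement granting a sensitive
    or wildcard S3 action to an unrestricted public principal.
    `policy` may be a dict or a JSON string."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        if _condition_restricts(stmt.get("Condition")):
            continue
        exposed = [a for a in _as_list(stmt.get("Action"))
                   if a in SENSITIVE_ACTIONS or a.endswith("*")]
        if exposed:
            findings.append((stmt.get("Sid", "<no Sid>"), exposed))
    return findings


BUCKET = "arn:aws:s3:::example-phi-exports"  # constructed placeholder

# The misconfiguration: anyone on the internet can read every object.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": BUCKET + "/*",
    }],
}

# The corrected policy: read access only for one application role, plus an
# explicit deny for any request that does not arrive over TLS.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppRoleRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/ehr-export-reader"},
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [BUCKET, BUCKET + "/*"],
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [BUCKET, BUCKET + "/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, find_public_grants(policy))
```

The weak policy is reported as a public grant of `s3:GetObject`; the hardened one produces no findings because its only `Principal: "*"` statement is a deny. The condition heuristic is intentionally conservative: a grant to everyone that is only conditioned on `aws:SecureTransport` is still flagged, since TLS does not limit who can read.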
At any rate, the question of the cloud’s present and future role in healthcare is largely a settled issue, said Santiago.
“With or without the cloud, our end users – the devices that they use for work and the data that we seek to secure – have all become mobile,” she said. “The notion of keeping everything within the four walls of the organization is no longer realistic. Our end users and customers want access from anywhere and from any device and the cloud facilitates such access. As security professionals, we must shift our thinking and our overall security strategy to be more data centric and less about where that data resides.”
The good news is that security tools in healthcare “have evolved to the point where enabling a shift in this perspective is achievable,” said Santiago.
“In terms of competitive advantage, leveraging the cloud can be a differentiator for organizations,” she added. “As CISOs, we are business enablers and must partner with our business to ensure that we are meeting their needs while managing risks to acceptable levels.”