How to protect against the most pressing threat to healthcare clouds today
The most pressing threat against clouds in healthcare today is the insufficient protection of sensitive data both where physical and logical safeguards are implemented, especially when new cloud technology is introduced to existing systems.
That is the conclusion of Howard Young, director, solutions architecture, at Zadara Storage, a hybrid cloud storage vendor that delivers enterprise storage as a fully managed service.
Are protective controls overlooked?
“Often, protective controls are overlooked or missed in megalithic hyperscale clouds simply due to the sheer nature of the platform, whereas smaller, agile cloud providers may provide a better fit in the healthcare industry,” he contended. “Since the cloud is a third-party environment, routine security checks – such as PEN testing – are necessary to ensure environment configurations remain consistent and intact.”
Young points to three aspects of cloud computing with regard to this pressing threat that healthcare CIOs and CISOs need to be aware of: physical, logical and evolution.
"Since the cloud is a third-party environment, routine security checks – such as PEN testing – are necessary to ensure environment configurations remain consistent and intact."
Howard Young, Zadara Storage
“For physical, cloud servers and networking are physically protected within a data center, but what controls are in place when physical equipment is added or removed? What happens to your data on the failed drive that was removed?” he pointed out. “For logical, the healthcare deployment model within the cloud increases the likelihood of outside attacks and unauthorized access to patient data. For example, object storage has a public component, which has been a source of unintentional data breaches.”
And for evolution, technology continues to improve, but with new each iteration, evaluating safeguards may become complex in the future, he added.
What CIOs, CISOs can do
So how can healthcare CIOs and CISOs best defend against the threat of insufficient protection of sensitive data both where physical and logical safeguards are implemented? Young offers some advice.
“Cloud deployment strategies are very straightforward when addressing this threat,” he explained. “At the physical layer, a hybrid cloud where CISOs have more control and insight of the configuration, protection and destruction of data, will provide better mapping to HIPAA requirements. The hybrid cloud then becomes an extension of the hyperscale cloud, which performs the edge operations. Hybrid clouds simply are secure network connections between the public providers and a colo or on-premises data center.”
At the logical layer, deployment of workloads needs to be scrutinized against the security requirements for the given layer at which the workload operates, he advised. A simple way to do this is to categorize the framework into three security levels: red, yellow and green, where red has the highest security requirements and green is often a scrubbed-down presentation of the data to the end user at the edge, he explained.
“Mapping a web app to this framework may then have a red security boundary for the database, a yellow boundary for cached or transient database lookups, and green for an https web page shown to the patient,” he added.
The highest security level
“Some requirements may map all to a red layer for highest security levels,” he continued. “An example of this is remote healthcare worker access using encrypted thin-client access to a workspace running within the cloud.”
When new cloud functionality is integrated into the existing system, the primary concern is to maintain layers of separation – otherwise processing artifacts or transient data may become an area of unwanted disclosure, Young warned. Take extra care when enabling capabilities that may make data publicly available elsewhere, he advised.