A supercomputer center shows the security challenges of operating a healthcare hybrid cloud
The San Diego Supercomputer Center at UC San Diego was an early adopter of cloud computing for healthcare and is now an advanced user, deploying a secure hybrid cloud environment to support many critical applications for projects that include cancer research and decoding the human immune system.
The center is a heavy user of cloud computing and has addressed the ever-changing technological, regulatory and unique customer requirements while simultaneously ensuring data security and privacy.
A hybrid cloud is a mix of interconnected infrastructure that spans on-premises systems and public cloud from third-party vendors such as AWS or Azure. It is neither more nor less secure than a private or public cloud – it takes specific considerations, and security is configurable in both scenarios.
The main difference is control of physical security – on-premises infrastructure is under the control of staff onsite, while third-party cloud services are under the control of third-party staff, said Sandeep Chandra, director of health cyberinfrastructure at the San Diego Supercomputer Center.
"We chose a hybrid cloud approach because we have a large on-premises footprint that is serving some specific use-cases for our customers, but we also recognized the need to leverage the scalability and automation public cloud platforms offer," Chandra said. "Depending on the specific needs of the customer, we can determine how best to support them."
But security with a hybrid cloud presents its own set of challenges. And it takes some savvy to overcome them.
End-to-end compliance and data security is one such hurdle. Securing data in the cloud, whether it is hybrid, public or private, requires a thorough understanding of a number of key elements, said Winston Armstrong, chief information security officer at the San Diego Supercomputer Center.
"Most important, when you are dealing with protected data, you need to be aware of what the compliance requirements (HIPAA, GDPR, etc.) are, and what technical and administrative controls (NIST 800-53, etc.) need to be implemented to meet this requirement," Armstrong said.
"Most public clouds do not offer end-to-end security and compliance," he explained. "Their approach is more geared toward offering basic out-of-the-box compliance capability at the infrastructure level, and put the onus on the managed service provider to implement additional controls that helpfully meet the compliance requirement."
Oftentimes customers lack resources, budget and expertise to meet these requirements, he added.
The San Diego Supercomputer Center addresses these challenges by implementing an end-to-end managed services system that is built to provide comprehensive compliance and security capability. Building this capability required understanding how to architect and implement secure architectures on top of public cloud platforms.
"We leveraged our strong technical background in implementing, and meeting, NIST security requirements, leveraged the infrastructure capability AWS offered, and layered additional tools and services on top of it to put together a comprehensive solution," Armstrong said.
Armstrong and Chandra will be co-presenting on the subject at the HIMSS Healthcare Security Forum, June 11-12, in San Francisco.
Another hybrid cloud security challenge is meeting unique requirements and building custom systems. Every customer the San Diego Supercomputer Center supports in its cloud environment has come to it with a unique set of requirements, and it fully understands that a one-size-fits-all approach doesn't work.
"We engage and partner with our customers to understand and cater to their specific needs," Chandra said. "This presents some challenges, as we spend a lot of cycles early on in architecting and building capability that meets their needs, and ensuring that all of this is done in a secure framework. But this is exactly the kind of expertise we bring to the table."
The staff's goal is to build custom, end-to-end systems for its partners by managing all of their compliance, cybersecurity and technological needs while they focus on their business and scientific goals, Chandra added.
And another major security challenge with a hybrid cloud is risk management.
"We spend a lot of time and resources managing the risks to our cloud platform," Armstrong said. "This includes running an effective vulnerability management program, controlling user and administrative access to the environment, auditing and logging, and network protection with intrusion detection system and web application firewalls capability."
Implementing these tools and capabilities requires a lot of investment of resources, especially staff time, and can sometimes be a distraction from performing more innovative, value-added work on projects, Armstrong added.
Over the years, the San Diego Supercomputer Center has made significant progress in being more efficient in operating these services while minimizing business and user impact, he said. "We continue to fine-tune our operations effort to adapt to the realities of the business operations."