Healthcare Cloud Security 101 – What You Need to Know About Securing Your Healthcare Cloud

Cloudticity, L.L.C.

Healthcare organizations are moving to cloud computing at a faster pace than ever. The advantages to healthcare providers are almost too numerous to list. For instance, patient data can easily be accessed across multiple platforms and from nearly anywhere.

Cloud services leverage nearly limitless computing resources, allowing huge improvements in patient care and health outcomes.

Security concerns for the healthcare cloud are understandable. Of course, data security for the healthcare industry has been a major issue of concern well before cloud computing was even imagined, so the issues themselves are not new.

As cloud adoption continues its march towards ubiquity, security professionals are grappling with ways to ensure that healthcare data stored on public, private, and hybrid clouds is as safe as possible.

In this article, we’ll explain some of the unique challenges to the healthcare sector in ensuring that sensitive data is protected in the cloud and how those challenges can be met.

In addition, we’ll explore some of the methods for ensuring compliance with a variety of regulatory mandates concerning security practices.

Healthcare Cloud Models

Healthcare organizations and their IT teams will usually choose from one of three models when building their cloud computing platform. Each one has its own set of strengths and weaknesses that can make for a constructive match between cloud service providers and the organizations they serve. Let’s break down what these three models are.

Infrastructure as a Service (IaaS)

When healthcare organizations choose Infrastructure as a Service for their cloud computing, they are hiring a provider and manager for the physical hardware they are using. This meets their needs for storage, servers, and networking.

The IaaS provider can handle real-world needs, which include the actual servers, power, maintenance, facility, and more. 

It’s generally provided on a “pay-as-you-go” basis, so it can be scaled higher or lower depending on demand. It cuts down on the need for large capital expenditures; instead, the organization makes simple monthly payments for the services needed.

When it comes to the security aspects, those needs are provided by the healthcare organization itself, along with all the other software and applications. 

Platform as a Service

This model combines the physical offerings of IaaS with a pre-constructed cloud environment. The environment contains development and collaboration tools for building and testing applications. It also contains the databases and software that are needed for smooth operation.

Platform as a Service doesn’t necessarily mean that all security needs are handled by the cloud services provider. Healthcare organizations must still code securely to ensure data security.

The benefits are the ability to develop applications at a lower cost and reduced amount of labor. This is because the environment has already been built, and it’s relatively easy to produce applications that will work securely within it.

Software as a Service

When there’s no customer-provided data center or servers, and the service is provided solely through the internet, this is called “Software as a Service” or SaaS. The provider develops customized versions of the software for each client. It’s becoming a preferred way to deliver services like telehealth and records archiving.

There’s very little in the way of installation time. It also lends itself to easy scalability with significant cost savings. 

Cloud computing security couldn’t be easier with Software as a Service. The cloud provider itself is in charge of security. For the end user, it’s mostly an issue of ensuring no unauthorized users gain access to the system.

Major Security Challenges for the Healthcare Cloud

For those that believe that cloud computing represents a vastly increased security risk, the reality often comes as a surprise. Security professionals agree that the differential between on-premises servers and a public cloud in terms of security is, in reality, non-existent. 

There are simply just as many risks to on-premises systems as there are in the cloud. In fact, the opposite may be true. The level of security resources available to an organization itself is highly limited.

While they’ll probably have some level of IT staff specializing in security, they don’t have even a small percentage of the security experts and analysts that are employed by the largest cloud providers like Google Cloud Platform, Amazon Web Services or Microsoft Azure.

Still, there are risks that are inherent to the cloud environment. Let’s explore some of those and how they can be addressed.

Mobile Access, Rather than Controlled Environments

Healthcare access is more mobile than ever. These days, patients can view lab results, message their doctors or even have a telehealth appointment from nearly any device. This includes:

  • Mobile devices like iPhones, iPads, and comparable Android devices
  • Health monitoring technology on wearable devices like Apple Watches, Polar heart rate monitors, and more
  • Laptops
  • Desktops
  • Specific appliances like internet-enabled blood pressure cuffs, blood oxygen meters, glucose testing devices, and more

Where the internet and network connectivity in a healthcare facility can be controlled and hardened, the same can’t be said when people are in their homes, at work or any place with public internet.

The solution is to ensure that data is transmitted securely, using regulated API environments or the HTTPS protocol. Requiring robust passwords and offering highly secure two-factor authentication are other ways to ensure that data is protected outside of healthcare facilities.

Data Protection in a Multi-Tenant Environment

Cloud providers like AWS, Google Cloud Platform, or Microsoft Azure need to offer their services to large numbers of customers to make them financially viable. This is precisely what makes the cloud so attractive: the investment that the providers make in new technology can be monetized at scale.

This means that data on their servers is in a “multi-tenant environment.” Great care must be taken to ensure that the data of one customer is not accessed by another customer. This requires stringent isolation mechanisms that separate everything: memory, storage, routing, etc.

Additionally, data needs to be protected at all times: not just in transit, but at rest as well. This not only prevents cross-over between tenants; it also means that, in the event of a security breach, any data accessed is completely useless.

Regulatory Compliance

Compliance with privacy laws here in the United States and the European Union, United Kingdom, and beyond was a complex matter before cloud computing was common practice. Thankfully, the agencies of these countries recognize the importance of the move to the cloud and have allowed it.

The first step, at least in the US, is to sign a contract with a cloud services provider that stores Protected Health Information. This designates them as business associates for the purposes of a HIPAA-compliant solution.

Identity Authentication for Cloud Computing Solutions

One of the most important first steps to achieving healthcare cloud security is ensuring that access is limited only to intended parties.

Unfortunately, malware-based attacks are providing new and severe challenges to user identity authentication. This malware can reside undetected for days before it causes issues.

The use of hardware-based “one-time passcodes,” or two-factor authentication, can help ensure that systems are only accessed by authorized humans and not malware.

Healthcare Cloud Security Needs to be a Priority in Cloud Based Solutions

For large healthcare organizations that have access to large amounts of financial resources, their decision will probably come down to the largest cloud providers: Amazon Web Services, Google Cloud Platform, or Microsoft Azure.

While security is a major concern for these companies, they have the resources to stay on top of most threats.

The same can’t necessarily be said for small, independent cloud providers. This doesn’t mean they can’t be an option for smaller healthcare institutions and private practices.

However, it does mean that a significant amount of due diligence must be performed before selecting one as a provider.

Imagine one of the worst case scenarios: a ransomware attack. Cloud providers are often targets for these attacks as it becomes nearly impossible to avoid paying a ransom to unlock the data.

Taking a deep dive into the security practices of any potential vendor is vital to any organization that wants to avoid this outcome.

Governance is Key to Providing Top Level Healthcare Cloud Security

Many risks to security in the cloud result from poor user practices. Governance is a way of setting and enforcing policies that lead to high levels of data security.

Generally speaking, there are a few steps that need to be taken to ensure that any organization is on a path to keeping information secure.

First, there must be a clear delineation of roles and responsibilities. Most organizations adopt a “least privilege model.” This means that any given person has the minimum amount of access to sensitive data needed to get the job done, and no more.

This requires some time to decide as an organization what data is relevant to whom. There are competing interests between collaboration and security, but the right balance must be struck.

Second, a backup and recovery plan must be in place, and it must be tested. Most successful organizations are adopting a mindset of “security breach and failure is inevitable.” Starting from this point, they develop and test a backup and recovery plan that can be implemented in just seconds.

This is, in fact, a large part of complying with HIPAA regulations. Those mandate that comprehensive disaster and emergency plans are in place.

Third, creating a culture of security can help bolster all aspects of data protection. This means that staff at all levels must be trained to:

  • Avoid opening suspicious emails that may contain malware
  • Avoid leaving data unsecured
  • Take advantage of two-factor authentication

Employing automation is essential for promoting these security policies. For example, patients will often notice that an RFID card is required by providers and administrative staff to access patient records. This means that a user must physically be in possession of a card, which adds additional layers of security to passwords.

Logging and Accountability: Ensuring Healthcare Cloud Security Policies are Followed

Automated event logging is one of the most important ways to ensure healthcare cloud security. This creates an easy-to-follow audit trail to know exactly who accessed what data, and when. 

This, too, is an important part of HIPAA compliance. Logging data may become part of a criminal investigation if a security breach occurs. It’s also possible that personnel from the Office for Civil Rights of the US Department of Health and Human Services can request to see logs, so they must be current.

Security audits need to be carried out periodically. Having immutable logs of access and changes will ensure that these audits are helpful in ensuring cloud security.
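
One way to make an access log tamper-evident, shown as an added example that is not from the original article: each row records who accessed what and when, and also commits to the hash of the row before it. The function names, field names and sample events are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # placeholder "previous hash" for the first row

def _digest(prev_hash: str, entry: dict) -> str:
    # Canonical JSON so the same entry always hashes to the same value.
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

def append(log: list, who: str, action: str, record: str, when: str) -> str:
    """Add one access event; each row commits to the hash of the row before."""
    entry = {"who": who, "action": action, "record": record, "when": when}
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"entry": entry, "prev": prev, "hash": _digest(prev, entry)})
    return log[-1]["hash"]  # head hash: keep a copy outside the log store

def verify(log: list, expected_head: str = None) -> int:
    """Return -1 if intact, else the index of the first inconsistent row."""
    prev = GENESIS
    for i, row in enumerate(log):
        if row["prev"] != prev or row["hash"] != _digest(prev, row["entry"]):
            return i
        prev = row["hash"]
    # Rows cut off the end leave a valid chain; only the saved head shows it.
    if expected_head is not None and prev != expected_head:
        return len(log)
    return -1

def sample_log():
    # Constructed sample events; user and record names are made up.
    log = []
    append(log, "dr.lee", "read", "patient/1001/labs", "2024-03-01T09:15:00Z")
    append(log, "nurse.ortiz", "update", "patient/1001/vitals", "2024-03-01T09:40:00Z")
    head = append(log, "billing.kim", "read", "patient/2002/claims", "2024-03-01T10:05:00Z")
    return log, head

if __name__ == "__main__":
    log, head = sample_log()
    print(verify(log, head))           # intact chain
    log[1]["entry"]["who"] = "dr.lee"  # rewrite who made the update
    print(verify(log, head))           # index of the first bad row
```

An auditor who holds the head hash separately can detect an edited, removed or truncated row without trusting the system that stores the log.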

Data Quality is A Major Factor in Healthcare Outcomes, and Security is an Essential Part of Data Quality

Patients have a right to expect the highest data quality in all electronic health systems. Their trust in the system and continued choice of care providers depend on this. There are many metrics that are part of data quality. For example:

  • Availability: data can be accessed for clinical purposes when it's needed
  • Accuracy: data is a reflection of factual truth
  • Currency: data is up-to-date
  • Usability: data can be understood by the end-user
  • Security: Data is safe. Only those who need to view the data can, and all access is logged.

When you look at these metrics, it’s not hard to see how security can impact all of the other ones. For example: a ransomware attack occurs, locking up patient data until money is paid to an offshore account. This essentially blanks out every single one of these metrics.

Or, imagine a data breach has led to corrupted or incomplete data. This means that data is no longer current or usable.

Where Can I Find the Latest Cloud Security Best Practices for Healthcare Organizations?

As more and more healthcare organizations procure cloud services, there is an emerging need for the latest and best methods for protecting electronic health records and other sensitive health information.

Compounding this challenge is the fact that the security environment surrounding cloud technology is dynamic and evolving. New threats emerge constantly. As those threats are met and neutralized, different forms of security issues crop up in their place.

Thankfully, there are a few different organizations that are monitoring the security environment and recommending best practices for data protection and regulatory compliance. Let’s take a look at a few.

Cloud Security Alliance (CSA)

This not-for-profit organization is dedicated to providing advice on the current best practices for cloud security. They offer a host of different resources that are geared towards organizations at different points in cloud security adoption, whether they are just beginning or are well established.

The Cloud Security Alliance’s Future Cloud program aims to future-proof security solutions. They are active in helping organizations adopt strategies and technologies that are on the cutting edge of meeting the biggest security threats.

The European Union Agency for Cybersecurity (ENISA)

Security risks to cloud infrastructure are a global issue. This is why enlisting the expertise of the European Union Agency for Cybersecurity is an excellent idea.

They recently released a study that explores the current landscape when it comes to cybersecurity threats that are specific to the healthcare industry. It’s titled “Cloud Security for Healthcare Services,” and is available for free download on their website.

They have a host of topical resources that would be of great help to all healthcare organization security professionals, such as:

  • Standards and Certification
  • Data Protection
  • Cyber Crisis Management
  • Critical Infrastructure and Services
  • Many more.

US National Institute of Standards and Technology Health IT Program

NIST has information that not only focuses on hardening existing healthcare IT but also encourages interoperability with some of the most cutting-edge IT systems on the market. 

With the growing use of telehealth and remote operations, they recently published a guide on this topic specifically. It’s titled: “Securing Telehealth Remote Patient Monitoring Ecosystem,” and it addresses some of the real challenges of maintaining security outside of the controlled environments found in healthcare facilities.

Why is Healthcare Cloud Security Important?

While it may seem obvious, there are a few reasons that make security especially important when it comes to cloud technology.

First, cloud migration isn’t really optional anymore. With the availability of highly advanced features like artificial intelligence and machine learning that can be game changers in patient outcomes, healthcare providers need platforms that can leverage these technologies.

Even the largest providers of patient care can’t keep up with the computing power that’s required to make these advanced technologies function.

The cloud allows organizations of all sizes to take advantage of these features and many more. However, patients will have difficulty placing their trust in institutions that have had security breaches occur.

Second, improving healthcare outcomes depends on a high level of patient motivation. This motivation will decrease when there is a perception that their sensitive healthcare data is not being protected. Having this data stolen leads to a feeling of violated trust. When that becomes the norm, patients avoid having routine care that can head off big problems down the road.

Financial stability is a third reason that cloud security is essential. There’s a concrete cost in terms of regulatory fines that can be imposed for non-compliant information management. Those can add up on a daily or per-incident basis and can be hugely expensive.

Additionally, when organizational goodwill is destroyed, financial stability soon falters, and can even lead to the death of a healthcare practice or institution.

Get Your Healthcare Cloud Secure Today

Want to learn more about healthcare cloud security? Watch the on-demand webinar, Managing and Mitigating Healthcare Data Breaches in the Cloud. Or schedule a free consultation to learn how Cloudticity can help you secure your healthcare cloud.
