A version of this article originally appeared in Health Data Management.
A tremendous amount of healthcare data in the U.S. will be moved to the Amazon Web Services (AWS) and Microsoft Azure clouds for either private or public use in 2017. It makes sense because hospital leadership is of the mindset that prefers to be in the business of treating patients, rather than managing data centers. The fact that cloud computing can be a less expensive option helps too. As the cloud computing trend takes off in healthcare, a carefully architected data security strategy can ensure your Protected Health Information (PHI) data stays safe.
There are four reasons why you need to prioritize cloud security this year:
Reason #1: Cyber adversaries are still after healthcare data
Although the number of breached healthcare records in the U.S. dropped from 113 million in 2015 to 16 million in 2016, trust me when I say that the bad guys are still targeting healthcare data. The three primary attack scenarios for cyber adversaries to target healthcare data still remain true today:
- Profit-motivated attackers use malware to steal healthcare data and then sell it to someone who will use it to commit identity theft and insurance fraud.
- Profit-motivated attackers use ransomware to encrypt healthcare data and unlock it only after a ransom is paid (usually data never leaves the data center).
- State-sponsored cyber adversaries steal healthcare data for the purposes of monitoring foreign citizens.
Cyber adversaries are well-aware that healthcare data is moving to the cloud, and these three scenarios can – and will – still play out in a cloud environment.
Reason #2: Security is better in the cloud – if you take the time to plan it out
In 2011, the HITECH Act began to offer financial incentives for healthcare organizations to digitize healthcare records, which resulted in a big migration to electronic medical records, and security was often placed on the back burner. In a similar manner, there is now a rush to move healthcare records to the cloud, and there’s often an assumption that security comes automatically. Security can be more straightforward to implement in the cloud, but it is still only as good as you make it.
AWS and Azure both make it easier to manage virtual servers and virtual network infrastructure at the platform level, but don’t make the mistake of developing a false sense of cloud security. Neither cloud provider will detect malware infections at the endpoint level; you need to deploy and manage advanced anti-malware to your endpoints on your own. At the network layer, security is configurable as well. In both cloud providers, you have options to select and deploy virtual next-generation firewalls to wrap network-level threat protection around your applications.
Reason #3: Unique opportunity to remedy lingering security issues
Healthcare organizations are notorious for using legacy applications. Some were built by vendors that aren’t even in business anymore. These types of systems can be some of the most vulnerable points in the organization. AWS and Azure both provide capabilities that can make it easier to manage the security of the underlying data within high-risk applications.
I’ve spoken to a number of healthcare organizations recently that are embracing the software-defined-networking capabilities in AWS and Azure. As they migrate their applications to the cloud, they can, at a moment’s notice, spin up the required virtual servers, and be protected behind a new instantiation of a virtual next-generation firewall.
Migrating applications to the cloud can often present a unique opportunity to evaluate and improve each application’s overall security. For example, you could:
- Take the opportunity to upgrade the application to the latest release.
- Deploy the application in a tightly controlled virtual network segment.
- Introduce network-level threat prevention.
- Enforce stronger controls on underlying databases.
- Eliminate all existing server-level vulnerabilities prior to cutover.
Reason #4: Take advantage of improved HIPAA regulatory compliance capabilities
Amazon and Microsoft, both HIPAA-covered entities, offer the option of signing Business Associate Agreements (BAAs), allowing them to store protected health information (PHI) and giving them the ability to architect applications in alignment with HIPAA and HITECH compliance requirements. A few of the security features that support HIPAA compliance include:
- Dedicated instances to ensure the underlying hardware is not shared across customers.
- Tools that make it easier to enforce strict encryption requirements for PHI data at rest and in transit.
- Improved access controls when deployed behind a virtual next-generation firewall, with user identification features enabled.
- Improved log retention, auditing, data backup procedures and disaster recovery mechanisms.
One of the most powerful features of the cloud is that it makes bleeding-edge security infrastructure available to healthcare organizations of all sizes. Even smaller clinical networks can stand up and deploy enterprise-class, HIPAA-compliant application environments with a small IT team. However, don’t fall into the trap of thinking that all you need to do is move an application to the cloud and security will come automatically. With careful planning, you can take advantage of the cost-savings and extensibility that the cloud offers, but you also need to ensure that the right security architecture is in place to keep your patient data safe.