This article was originally published on The New Stack.
Healthcare organizations around the world face the daily task of safeguarding patient data and keeping private communications secure. At the same time, modernization, scalability and improved accessibility are key to expanding their services globally, so security and data protection have to keep pace with the drive to serve more people and raise the quality of care.
By adopting cloud computing services, healthcare organizations can leverage scalable and flexible computing resources to cater to patients’ needs. By doing that, though, they expose their systems to the possibility of cloud-related cyberattacks.
Let’s focus on the top five strategies for cloud security in healthcare. We’ll highlight the key considerations first, then discuss recommended practices for ensuring that cloud workloads are safe and as compliant as possible.
Important Security Considerations for Healthcare
The following are the top five key security considerations for healthcare entities migrating from on-prem systems to cloud technologies:
1. Compliance
Healthcare organizations should be committed to protecting patient data and complying with industry regulations and frameworks, whether that is HIPAA, HITRUST or ISO 27001. Ideally, migrating workloads to the cloud should not weaken the existing compliance posture or audit readiness.
This is tricky to achieve in practice, though. For example, auditing and log collection processes must themselves satisfy the relevant regulatory frameworks and must not expose protected health information (PHI): an application log that records patient names or medical record numbers turns the logging pipeline into a PHI store that needs the same access controls, encryption and retention rules as the primary data.
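To make that point concrete, here is an added example (not part of the original article) of a log-scrubbing step that a log pipeline could run before events leave the workload. It replaces PHI identifiers with keyed pseudonyms, so the same patient can still be correlated across log lines while the raw value never reaches the central log store. The log format, the field labels and the key are assumptions made for this example.

```python
import hashlib
import hmac
import re

# Hypothetical pseudonymization key. In a real deployment it would be fetched from a
# secrets manager at start-up; it must never sit in source control or in the log config.
PSEUDONYM_KEY = b"example-only-key-replace-me"

# Identifier patterns that commonly leak into application logs. The label-based ones
# (MRN, DOB) assume this hypothetical application's "MRN: 12345678" style of logging.
# Where a pattern has a capture group, only the captured value is replaced, so the
# label survives and the line stays readable for operators.
PHI_PATTERNS = [
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("MRN", re.compile(r"\bMRN[=: ]\s*(\d{6,10})\b", re.IGNORECASE)),
    ("DOB", re.compile(r"\bDOB[=: ]\s*(\d{4}-\d{2}-\d{2})\b", re.IGNORECASE)),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("PHONE", re.compile(r"(?<!\d)(?:\+1[ -]?)?\(?\d{3}\)?[ -]?\d{3}-\d{4}\b")),
]


def pseudonym(kind, value):
    """Keyed, deterministic replacement token: the same input always yields the same
    token, but the raw value cannot be recovered from the logs without the key."""
    digest = hmac.new(PSEUDONYM_KEY, f"{kind}:{value}".encode(), hashlib.sha256).hexdigest()
    return f"<{kind}:{digest[:12]}>"


def redact_line(line):
    """Replace every PHI identifier in one log line with its pseudonym."""
    for kind, pattern in PHI_PATTERNS:
        def _sub(m, kind=kind):
            if m.lastindex:  # labelled pattern: keep the label, swap only the value
                start = m.start(1) - m.start()
                end = m.end(1) - m.start()
                return m.group(0)[:start] + pseudonym(kind, m.group(1)) + m.group(0)[end:]
            return pseudonym(kind, m.group(0))
        line = pattern.sub(_sub, line)
    return line


def redact_lines(lines):
    return [redact_line(line) for line in lines]


# Constructed sample log lines for this example; they do not come from any real system.
SAMPLE_LOG = [
    "2024-03-01T10:12:03Z INFO  portal  login ok user=jdoe@example.org ip=10.0.4.12",
    "2024-03-01T10:12:09Z INFO  ehr     open chart MRN: 00123456 DOB: 1985-03-22",
    "2024-03-01T10:12:15Z WARN  billing claim rejected ssn=123-45-6789 phone=(555) 010-2244",
    "2024-03-01T10:12:20Z INFO  ehr     open chart MRN: 00123456 by user=jdoe@example.org",
]

if __name__ == "__main__":
    for line in redact_lines(SAMPLE_LOG):
        print(line)
```

Because the pseudonym is an HMAC rather than a plain hash, an attacker who obtains the central log store cannot brute-force the short identifier space (MRNs, dates of birth) back to real values without also obtaining the key, which is why the key has to live somewhere the log store's readers cannot reach.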
Cloud providers support HIPAA compliance only to a certain degree, and they are explicit about where their responsibility ends. For instance, Google Cloud's HIPAA documentation states that “Google Cloud supports HIPAA compliance (within the scope of a Business Associate Agreement) but ultimately customers are responsible for evaluating their own HIPAA compliance.”
You should adopt a centralized view of auditing and compliance monitoring that gives up-to-date visibility into the gaps and misconfigurations affecting each requirement. Compliance findings should be reviewed continuously rather than only at audit time: cloud resources change constantly, a control that passed last quarter can drift out of compliance without anyone noticing, and the provider's own availability and incident record is outside your control.
2. Data Security
The bane of most healthcare providers’ existence is the dreaded ransomware note appearing on every screen and demanding Bitcoin to unlock the machines. Or it can be something quieter and just as damaging: data theft that goes unnoticed for months.
Adopting data security in the cloud doesn’t mean merely uploading patient data to S3 and enabling encryption. Many security controls need to be in place before a single patient record is migrated. Medical devices deserve particular attention, including wireless body area networks (networks of wearable or implanted sensors that report on a patient’s body); it is vital to protect such devices from exploitation, since their data ends up in the same cloud workloads.
When running services in the cloud, review all relevant data privacy and encryption controls: encryption at rest and in transit as a baseline and, where the use case calls for them, the more specialized schemes discussed in the healthcare literature, such as public-key, identity-based, identity-based broadcast and attribute-based encryption. Then adopt a framework for secure and controlled identity access using federation, such as OpenID Connect (a different protocol from the older OpenID) or SAML.
Finally, ensure that monitoring and audit controls are in place to maintain confidentiality, and have an incident response plan ready before an incident occurs. This minimizes the impact of a data leak as well as the resulting loss of reputation.
3. Infrastructure Security
Healthcare organizations that want to adopt cloud technologies to run hybrid or multicloud workloads will typically choose between the two main cloud computing models discussed here. Each model has its own capabilities and weaknesses, so it’s important to align that choice with the strategic goals of your business.
In the infrastructure as a service (IaaS) model, a cloud provider offers computing resources (hardware and software) on demand. This is the fundamental essence of cloud computing: instead of buying your own hardware, you use the flexibility of the cloud. Here, however, lies the pitfall. The available hardware or software might not match your current on-premises infrastructure exactly, so you will have to learn how to configure, update and maintain these resources properly on a constant basis.
Following this model, you should plan a migration period in which all of the stakeholders’ security requirements are satisfied (DDoS protection, audit compliance, encryption, access controls and so on). The freedom to choose the components that power your cloud strategy is also a liability from a security point of view, since the sheer number of options makes it easier to misconfigure things.
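The misconfiguration risk is easiest to see in code. What follows is an added example, not from the original article or from any vendor's product, of the kind of policy check that the centralized compliance monitoring recommended in the compliance section above would run over an inventory of IaaS resources. The inventory format, field names and rule identifiers are assumptions made for this example; a real implementation would read the provider's asset inventory export instead.

```python
ADMIN_PORTS = {22, 3389}  # SSH and RDP

# Constructed inventory shaped like a simplified cloud asset export. The field names
# are assumptions for this example, not any provider's real schema.
INVENTORY = [
    {"id": "bucket/phi-exports", "type": "storage_bucket",
     "encryption": {"enabled": True, "customer_managed_key": False},
     "public_access_blocked": False, "access_logging": False},
    {"id": "bucket/phi-archive", "type": "storage_bucket",
     "encryption": {"enabled": True, "customer_managed_key": True},
     "public_access_blocked": True, "access_logging": True},
    {"id": "vm/ehr-app-01", "type": "vm_instance", "public_ip": True,
     "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}, {"port": 443, "cidr": "0.0.0.0/0"}]},
    {"id": "db/patients-prod", "type": "database",
     "encryption": {"enabled": False}, "publicly_accessible": True, "audit_logging": False},
]

# Each rule: (rule id, resource type it applies to, severity, finding text, predicate that
# returns True when the resource VIOLATES the rule). Rule ids are invented for this example.
RULES = [
    ("STOR-01", "storage_bucket", "high", "object storage must block public access",
     lambda r: not r.get("public_access_blocked", False)),
    ("STOR-02", "storage_bucket", "medium", "PHI storage must use a customer-managed key",
     lambda r: not r.get("encryption", {}).get("customer_managed_key", False)),
    ("STOR-03", "storage_bucket", "medium", "access logging must be on to produce audit evidence",
     lambda r: not r.get("access_logging", False)),
    ("NET-01", "vm_instance", "high", "administrative ports must not be open to the internet",
     lambda r: r.get("public_ip", False) and any(
         rule["port"] in ADMIN_PORTS and rule["cidr"] == "0.0.0.0/0"
         for rule in r.get("ingress", []))),
    ("DB-01", "database", "critical", "database must be encrypted at rest",
     lambda r: not r.get("encryption", {}).get("enabled", False)),
    ("DB-02", "database", "critical", "database must not be publicly accessible",
     lambda r: r.get("publicly_accessible", False)),
    ("DB-03", "database", "medium", "database audit logging must be enabled",
     lambda r: not r.get("audit_logging", False)),
]


def evaluate(inventory):
    """Run every applicable rule against every resource; return one finding per violation."""
    findings = []
    for resource in inventory:
        for rule_id, rtype, severity, text, violated in RULES:
            if resource["type"] == rtype and violated(resource):
                findings.append({"resource": resource["id"], "rule": rule_id,
                                 "severity": severity, "finding": text})
    return findings


def summarize(findings):
    """Count findings per severity, the figure a compliance dashboard would show."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


def noncompliant_resources(findings):
    """Distinct resources with at least one finding, sorted for stable reporting."""
    return sorted({f["resource"] for f in findings})


if __name__ == "__main__":
    results = evaluate(INVENTORY)
    for f in results:
        print(f"{f['severity']:<8} {f['rule']:<8} {f['resource']:<20} {f['finding']}")
    print("summary:", summarize(results))
```

Run against the constructed inventory, the two buckets show why "encryption enabled" alone is not enough: both are encrypted, but only the archive bucket blocks public access, uses a customer-managed key and logs access, so only it comes out clean. Scheduling a check like this on every inventory change, rather than before an audit, is what turns compliance from a snapshot into the continuous monitoring the text calls for.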
The platform as a service (PaaS) model combines development flexibility with fully managed services. Instead of managing servers and the operating system, development teams push application code that is automatically deployed to the cloud. The benefits are cost-effectiveness and more rapid deployment to production than with IaaS, since the provider manages most of the stack.
The caveat is that you are locked into the OS versions, platforms and infrastructure the provider supports, and some features may not be available at all. If your organization has unique compliance requirements, certain controls may be impossible to satisfy on a given platform. Confirm that a PaaS offering supports the relevant compliance controls before you migrate workloads to it.
4. Auditing
Auditing requires special consideration, since audit evidence is how a healthcare organization demonstrates that its controls actually work. Running workloads in the cloud greatly increases the number of components that can generate audit findings. Therefore, you should revamp your auditing processes and procedures when adopting any change.
Look for managed healthcare data services, such as the Google Cloud Healthcare API, that integrate with the provider’s audit logging so that access to clinical data is recorded, rather than leaving you to reconstruct it from plain application logs. Bear in mind that audit data often has to be gathered from multiple cloud services, each with its own logging behavior, so every service that touches PHI must be monitored to provide sufficient audit evidence, with enough retention and capacity to “close the audit loop” as efficiently as possible.
5. Training and Alertness
Adopting new technologies like cloud services produces learning and adoption gaps. Although major cloud providers offer comprehensive learning resources, documentation and training sessions, that material rarely addresses an organization’s specific use cases.
For example, healthcare-specific cloud compliance and cybersecurity training for staff is left entirely to the organization. This is a key weakness, since a lack of security awareness leads to more human error and, eventually, to catastrophic leaks.
It is important to provide healthcare-specific and up-to-date training that covers relevant security issues, delivered through something better than passive tutorials. Look for interactive, group-based cybersecurity sessions where participants can share knowledge and review real-world incidents.
How to Elevate Cloud Security in Healthcare
Now that we’ve discussed the inherent strengths and weaknesses of cloud services, it should be clear that clearing the compliance bar is only the minimum requirement. A strategic path to compliance and secure operations is paramount for the long-term survivability of a healthcare organization.
With the Orca Cloud Security Platform, you can tick all the boxes in terms of handling and managing the above cloud security strategies for healthcare. Let’s take a closer look at what we mean by that:
Orca supports the must-have compliance frameworks relevant to healthcare, including HIPAA, SOC 2 and ISO/IEC 27001. In addition, it supports multicloud compliance, so healthcare organizations can gain complete visibility into their coverage gaps across providers. And it does all of this without installing a single agent, which greatly improves the adoption rate.
Healthcare organizations generate a wide range of data that must be kept private and secure. Comprehensive coverage and visibility into how that data is gathered and transferred across cloud services minimizes blind spots and keeps teams alert. It also helps to review success stories showing how other healthcare organizations built their defense strategies for data privacy and compliance, so that you can weigh their methods in your own decision-making.
Operating different cloud services across multiple clouds or hybrid architectures increases complexity and the chance of misconfiguration, and you must also ensure that no data leaks between them. In the healthcare and public health sector, operational and infrastructure costs can soar if they are not controlled, and sharing information in real time, as during remote consultations and telemedicine, raises security concerns of its own.
The available cloud service options (IaaS and PaaS) have unique characteristics that pose security challenges. Orca Security helps alleviate the risks by providing vulnerability management capabilities with a comprehensive view of security gaps and misconfigurations across the entire cloud estate.
Healthcare organizations use auditing to verify continuously that their security processes produce the expected outcomes. A one-off scan or penetration test won’t be enough to uncover past issues, and evidence must be available on demand when auditors request it. Orca Security makes the auditing process less painful by providing a discoverable trail of events that can be surfaced when requested. It offers a useful line of defense and helps organizations demonstrate that they are doing their best to secure their environments.
Successfully protecting healthcare services in the cloud is a daunting task, especially when the stakes are this high. When evaluating cloud technologies for adoption, weigh the risks and rewards carefully, since a single failure can bring the whole structure down.
With the right cloud security partner, like Orca Security, healthcare organizations can establish a reliable and strategic path to adopting the cloud while staying secure and compliant.