This story was originally published on Aug. 21, 2018, and is brought to you today as part of our Best of ECT News series.
The healthcare cloud has been growing incredibly, becoming an ever-more-important element of health information technology, or HIT. There are many reasons why the HIT cloud has been becoming more prominent, such as research and development and collaboration.
Since the cloud has been expanding so rapidly, this may be a good time to reconsider security — and that means understanding the threat, reviewing best practices, and heightening awareness of emergent approaches.
1. Understand the cloud is only getting bigger.
The healthcare cloud market will increase at a compound annual growth rate (CAGR) of 18 percent from 2018 to 2023, Orbis Research recently predicted.
There are many reasons the cloud has been becoming a more common IT strategy in the healthcare sector, among them the following:
- Healthcare R&D — Research and development is one of the key drivers of cloud growth, according to the Orion study.
- Scalability — Scalability, which is fundamental to the cloud, allows for consistent management while reducing inefficiencies and bottlenecks. It gives you the ability to expand seamlessly, as well as keeping you prepared to contract as needed in response to recessions or other market conditions outside your control.
- Less investment — Healthcare organizations have not been wanting to invest as much money in IT, the Mordor report notes. Cloud is an operating expense (OPEX), while a data center is a capital expense (CAPEX).
- Collaboration — There is more opportunity created as collaborative capability is enhanced, observed Karin Ratchinsky. Cloud is essentially collaborative, since it allows established companies to work with startups or independent development teams to facilitate whatever business needs they have within an affordable, flexible, and secure solution (especially when the cloud is hosted within SSAE-18 compliant data centers).
For all the above reasons, healthcare providers, plans, and other firms within the industry want to take full advantage of the cloud.
2. Accept that security is critically important.
While these strengths of the cloud certainly are compelling to organizations, security also must be a key concern. Especially since issues of compliance and liability surround this critical data, organizations within the industry should be concerned to see how common breaches are becoming: 5.6 million patients were impacted by 477 healthcare breaches in 2017, according to the end-of-year breach report from Protenus.
Also illustrating how common health sector breaches have become and how much they cost is last year’s NetDiligence Cyber Claims Study.
First, healthcare sustained 28 percent of the total cost of breaches, even though it represented only 18 percent of cyber insurance claims. The average healthcare breach cost was US$717,000, compared to the overall average of $394,000.
3. Follow healthcare security best practices.
Given the incredible numbers, there is a pressing need to prevent breaches. To secure your healthcare cloud (much of this applies to the security of electronic protected health information, or ePHI, in any setting), you will need to take technical steps such as encrypting data in transit and at rest; monitoring and logging all access and use; implementing controls on data use; limiting data and application access; securing mobile devices; and backing up to an offsite location. Also do the following:
- Use strong business associate agreements (BAAs) — The business associate agreement is absolutely essential to creating strong cloud security since you need to make sure that the cloud service provider (CSP) is responsible for the aspects of data handling that you are not able to properly control. It is clear that the business associate agreement is a central concern to compliance when you look at how much it is a point of focus in the HIPAA cloud parameters from the U.S. Department of Health and Human Services, or HSS.
- Focus on disaster recovery and upgrades — Be certain that all cloud providers have strong disaster recovery methods, notes the Cloud Standards Customer Council (CSCC) report on the impact of cloud computing on healthcare. Also be certain that they will conduct proper maintenance by updating and upgrading your system in order to keep it current with developing security and HIPAA compliance standards.
- Perform routine risk assessments — It is mandatory, as a part of HIPAA compliance, for both you and the cloud provider to perform a risk assessment related to any systems handling ePHI. A risk analysis is essential to being proactive in your protection. Through this process, you can determine what might be lacking in your business associates and how your training may be insufficient, along with identifying any other vulnerabilities.
- Prioritize training — When thinking in terms of compliance and security, it is easy to get technical and to focus on data systems. However, the truth is that the staff is a major threat: Human beings can jeopardize ePHI and other key data accidentally. People are a major threat across industry, but they represent an especially critical risk in healthcare. Training tops the list of tips for safeguarding healthcare data from data loss Software as a Service (SaaS) firm Digital Guardian.
Giving substantial security training to your personnel at first may seem to be an unnecessary hassle. However, this process “equips healthcare employees with the requisite knowledge necessary for making smart decisions and using appropriate caution when handling patient data,” noted Digital Guardian’s Nate Lord.
4. Reevaluate security.
Beyond meeting traditional parameters for data protection, how can you improve your security moving forward, given an increasingly challenging threat landscape? Here are several ways to approach security that many healthcare organizations either have been considering or already have implemented:
- Deploy blockchain — Healthcare organizations have been in a testing phase for blockchain recently. By 2020, one in five healthcare organizations will have this technology active for their patient identity and operations management efforts, according to Health Data Management.
- Automate — When you consider cloud servers, security should be integrated into the continuous deployment of the architecture. By integrating your DevOps practices with your security approach, you can introduce new software more quickly, make updates more rapidly, and generally bolster your reliability. “An adaptive security architecture should be integrated with the management tools, making security-settings changes part of the continuous deployment process,” noted David Balaban in The Data Center Journal.
- Leverage AI threat intelligence — Artificial intelligence and machine learning increasingly will be used to protect organizations from social engineering attacks. The real issue with social engineering and phishing is human error; these attacks have been growing along with ransomware, so this issue is huge in healthcare. However, artificial intelligence could come to the rescue, noted Joey Tanny in Security Boulevard.
These technologies can be used within threat intelligence tools to leverage evidence-based knowledge for insight into how threats are evolving. Through these systems, you can figure out how best to set up defenses that can keep your network safe today and as time passes.
While most companies apparently believe that threat intelligence is an important part of security, they have been unable to make the best use of it because they are not able to properly manage the amount of data that is generated and assimilated by these systems.
Thus, the breadth of threat data is itself a threat to organizations. While using threat intelligence platforms is difficult and complex, they are very important to protect a healthcare organization. One aspect of threat intelligence that is interesting is that it relies on information sharing and community support, noted Elizabeth O’Dowd in HIT Infrastructure.
- Monitor your infrastructure — More robust infrastructure monitoring is on the rise, Balaban noted. Virtual networks and firewalls must be reconfigured. Rather than simply preventing access, organizations also must focus on how to contain attacks if breaches were to occur. You should block unauthorized connection efforts and prevent unauthorized workload interactions.
- Address the IoT — For true compliance and data security throughout your cloud, you need to look at your hardware, ensuring that the scope of your efforts encompasses all your connected devices — including everything within the Internet of Things (IoT).
Examples range from security cameras to blood pressure monitors. The Federal Bureau of Investigation (FBI) actually just released a report on defending IoT systems. For connected device security, here are the bureau’s recommendations:
- Modify your login credentials from the defaults so that they are both complex and unique (i.e., not used elsewhere).
- Run antivirus routinely. Make sure it stays updated so it knows emergent threats.
- Make sure that the devices themselves are updated, with patches installed.
- Change your network firewall settings so that port forwarding is disabled and unauthorized IP traffic is blocked.
5. Stay up to date.
Change is not easy; however, it is a necessary component of a strong defense. By making sure that you are following current security best practices and are aware of new trends in the security landscape, you can be better prepared as threats continue to evolve.
Above all, continue to inform yourself and your staff for stronger protection. Nelson Mandela once said, “Education is the most powerful weapon which you can use to change the world.”
Perhaps, by the same token, it is the most powerful weapon you can use to improve your healthcare security.