A risk-averse industry, healthcare was not one to be first mouse to the cheese on migrating data to the public cloud, and among healthcare organizations, providers lagged furthest behind. But while they originally took to the cloud slowly, in the last two years there has been a sea change as momentum builds for a healthcare wave to the cloud. Today, most healthcare providers have at least some workloads on one of the three major public clouds: AWS, Google Cloud Platform, or Microsoft Azure. In fact, approximately 90 percent of healthcare organizations are using some type of cloud service. Yet security in the cloud remains a high priority and concern for healthcare leaders, and myths and misconceptions still exist.

The concern for security is legitimate. The HIMSS Analytics Survey points out that the number of records affected by data breaches more than doubled in 2018, from 6 million records in 2017 to more than 14 million records in 2018. The healthcare industry continues to be one of the largest industries for security breaches, and while the number of breaches declined in 2018, the scope, or number of records compromised, soared. Should we blame the cloud as the cause of the breaches? No. In fact, AlertLogic tells us that on-premise environment users experience almost twice as many attacks as those using cloud service providers.

For healthcare organizations to truly transform, they must be able to sort cloud myth from reality. What follows are seven myths about the cloud that we need to dispel so we can move healthcare forward securely and within compliance standards, and get to the pressing work of using all of the data at our fingertips to improve the quantity and quality of life for those in need.

 

Myth #1: The Cloud isn’t Secure Enough for Healthcare

When healthcare began cloud migration several years ago, there was often the perception that cloud was not as secure as data centers. However, in reality, just because you can see your servers doesn’t mean they’re safe. While both enterprise systems and cloud systems have a chance of being attacked, data shows that cloud-based systems are actually more secure than their on-premise counterparts.

As pointed out in Becker’s Hospital Review, a modern cloud infrastructure is more secure than its legacy counterparts because cloud providers design their infrastructures with the latest technological advances including ‘a multi-layered approach geared to isolate patient records and simple, standardized operation framework that minimizes the chance for catastrophic human error.’

Additionally, the agility of the cloud responds better to frequent changes in the regulatory landscape. As the article goes on to note, “Compared to older, slower moving systems, cloud infrastructure and associated applications are more agile and well suited for quick reconfigurations, reducing the risks of compliance violations and concerns.” An expert managed services and solution platform provider will build upon a foundation of HITRUST and take automated, proactive measures to vastly improve the security of your PHI, including incident response plans and disaster recovery, in ways far better than what is possible on premise. Ransomware and other cyberattacks are becoming increasingly sophisticated, and the tools available on the cloud are better suited to stave off attacks or minimize loss if an attack succeeds.

 

Myth #2: All Cloud-based Infrastructures are Created Equal

The cloud infrastructure can generally be boiled down to three components: network, storage, and computing. Each component must be purpose-built for healthcare. The necessary security and compliance must be part of the design from the beginning and central to the environment in order to handle PHI safely. Because of restrictions and requirements in compliance frameworks, healthcare environments carry additional logging requirements, to give just one example. Your environment needs to be built with a Defense-in-Depth and Privacy-by-Design perspective that only an expert in both cloud and healthcare can deliver.

 

Myth #3: Data in the Cloud is More Vulnerable to Hackers

In reality, data in the cloud is far less susceptible when it is properly encrypted and secured. However, it really depends on the cloud provider. All of us in healthcare should take seriously the rise in incidents and protect against risk. The cloud platform provider must ensure administrative, technical, and physical safeguards are, and remain, in place. These safeguards, as outlined by the OCR, are complex. Because IT security on the cloud, where there is a constant flow of new features, is not the core competency of most healthcare organizations, turning to cloud providers with certified staff can pay off, since they focus extensively on security. Even better, turn to a cloud provider that is healthcare exclusive and understands the complexities of compliance and security when dealing with PHI. The investment of resources and staffing by cloud-based providers is difficult to match with in-house employees. Additionally, HITRUST-certified vendors are particularly attractive given the rigorous certification process they undergo, which provides you with an extra layer of protection.

 

Myth #4: Data in the Cloud is Accessible to Other Organizations Using the Same Cloud

This myth can be busted simply by doing your due diligence when you choose your cloud provider. Choose a provider with the experience and know-how to ensure your data is segregated from other organizations’ data at all stages of the lifecycle. They should be able to speak with you about the isolation tactics they are taking to protect your data, which may include virtual LANs and encryption, among other options.

 

Myth #5: Data that Resides in the Cloud Can’t be Controlled or Mined

Let’s debunk this one once and for all. You have control in the cloud, and in fact, you can extend the same internal controls you have on premise to your on-cloud environment if you wish. You can let your provider know you would like the same user management, access management, and authentication as you have now with on-premise solutions. They may offer ways to enhance it, but they aren’t going to lessen your control. You will have an auditable chain of custody – a must if you are ever audited by the OCR.

 

Myth #6: Identity and Access Management is a Headache with Cloud-based Systems

In truth, it’s not difficult to extend a provider’s existing identification and authentication framework to a cloud environment. There are specific technologies (such as LDAP, SAML, Cloud Access Security Brokers, etc.) in the marketplace that can enable central identity management in the cloud. Network traffic settings also can help enable these technologies.

 

Myth #7: I Can’t Trust the Cloud like I Can Trust My Own People

This is perhaps the most misguided myth of all, since oftentimes your employees may be the cause of your data breach. In fact, according to the HIPAA Journal, healthcare needs to increase its employee training on email security, as one example, since 33.42% of all healthcare breaches in 2018 involved email. Do your employees know what NOT to click on? And while much focus was being given to cloud security, 81 breaches of physical PHI (charts, documents, films) occurred in 2018. Paper/films were involved in 22.19% of 2018’s breaches.

The bottom line is that a poorly built environment, either on premise or on cloud, can leave you vulnerable to risk, and rest assured hackers are looking for holes. Your cloud environment can provide you with all of the privacy, security and compliance you have on premise, and much more, if done correctly. The reality is that if you and your team are not healthcare-exclusive, cloud-certified experts, then you need to find a third party that is. It’s not a myth that some things are best left to the experts.