How to Overcome Security and Compliance Challenges When Moving to the Cloud
If you’re an IT leader in healthcare who’s thinking about moving to the cloud, there are a number of considerations to keep in mind from a security and compliance perspective. In this article, we’ll take a look at some of the most pressing ones.
This post is adapted from a recent webinar by Matt Ferrari entitled “How to Overcome Security and Compliance Challenges in Moving to the Cloud.”
Thanks to the passage of the HITECH Act a decade ago, the healthcare industry is well on its way through a major digital transformation. Yet, when it comes to embracing the cloud as a vital tool for enabling transformation, healthcare organizations have historically tended to move slowly and cautiously. Nevertheless, having seen the tremendous benefits that other industry verticals are reaping by migrating to the cloud, healthcare has finally gotten on board. These days, healthcare organizations are rapidly moving their clinical data and applications to the cloud.
Assess your team’s cloud security knowledge
Before you can move to the cloud, it’s important to figure out where your current security challenges lie. To do so, look at your talent from an outside-in perspective to understand whether they’ll be able to grow and evolve with the business as you continue to innovate and migrate to the cloud. Specifically, you’ll want to know if they’re up to date on security tooling and all of the latest advances in public and private cloud. If they’re not up to speed, investigate cloud security training programs from public cloud providers and third parties. You’ll also want to ensure that you have the right security tooling in place for them to use and that they understand how that tooling maps against your policies and procedures, as well as the regulatory requirements of every jurisdiction whose rules you must adhere to.
Make sure you understand data flows and the need for PHI inventories
As a provider, you need to understand your PHI inventory, including where all of your data lives, how it flows through your applications, and the safeguards in place to protect it. Of course, given that doctors, nurses, and other healthcare providers are constantly moving medical images, notes, patient records, and other forms of PHI from one application to another, that can be a real challenge. Not only that, you also need to understand exactly how your data is secured as it relates to all of that PHI and how cloud-based telemetry and alerting works when potential issues arise.
Know the advantages of using automation, and the impact if you don’t automate
While most people talk about automation in terms of increasing their velocity, it’s also important to look at its advantages from a security and compliance standpoint. In healthcare, automation can bring three valuable benefits from this perspective: 1) the predictability that every time you deploy something it’s going to get the same results; 2) the ability to move quickly in terms of security remediation; and 3) a reduction in manual work and human error by enabling auto-remediation. Fail to take advantage of the automation that comes with moving to the cloud, and you could be exposing yourself to unnecessary risk.
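The three benefits above (repeatable results, fast remediation, and auto-remediation without manual work) are easiest to see in a small policy-as-code loop. The following is an added example, not code from the article or the webinar: the storage resource records, the three PHI policy rules and the remediation behaviour are constructed for illustration. A real implementation would read the resource settings from the cloud provider’s API and apply the fixes through it, but the detect, fix, re-check structure is the same.

```python
"""Policy-as-code check with auto-remediation over a constructed inventory.

Added example for illustration only. The resource records, the policy rules
and the remediate() behaviour are assumptions; a real deployment would read
the records from a cloud provider's API and apply fixes through it.
"""
from copy import deepcopy

# Constructed sample: three storage resources as a migration tool might
# describe them. Only "phi-images" and "phi-notes" hold PHI.
SAMPLE_RESOURCES = [
    {"name": "phi-images", "contains_phi": True,
     "encryption_at_rest": True, "public_access": False, "access_logging": True},
    {"name": "phi-notes", "contains_phi": True,
     "encryption_at_rest": False, "public_access": True, "access_logging": False},
    {"name": "marketing-assets", "contains_phi": False,
     "encryption_at_rest": False, "public_access": True, "access_logging": False},
]

# Each rule: (finding id, predicate that is True when the resource is compliant,
#             the setting to correct, the value that corrects it).
# The rules only apply to resources that hold PHI.
POLICY = [
    ("PHI-ENC-AT-REST", lambda r: not r["contains_phi"] or r["encryption_at_rest"],
     "encryption_at_rest", True),
    ("PHI-NO-PUBLIC", lambda r: not r["contains_phi"] or not r["public_access"],
     "public_access", False),
    ("PHI-ACCESS-LOGS", lambda r: not r["contains_phi"] or r["access_logging"],
     "access_logging", True),
]


def evaluate(resources):
    """Return a list of (resource name, finding id) for every violated rule."""
    findings = []
    for r in resources:
        for finding_id, is_compliant, _setting, _value in POLICY:
            if not is_compliant(r):
                findings.append((r["name"], finding_id))
    return findings


def remediate(resources):
    """Apply the corrective setting for every finding.

    Returns (remediated copy of the resources, list of actions taken).
    The input is never mutated, so repeated runs give the same result.
    """
    fixed = deepcopy(resources)
    actions = []
    for r in fixed:
        for finding_id, is_compliant, setting, value in POLICY:
            if not is_compliant(r):
                r[setting] = value
                actions.append((r["name"], finding_id, setting, value))
    return fixed, actions


def run(resources):
    """One automated pass: detect, fix, and re-check. Returns a summary dict."""
    before = evaluate(resources)
    fixed, actions = remediate(resources)
    after = evaluate(fixed)
    return {"findings_before": before, "actions": actions, "findings_after": after}


if __name__ == "__main__":
    result = run(SAMPLE_RESOURCES)
    for name, fid in result["findings_before"]:
        print(f"FINDING {fid} on {name}")
    for name, fid, setting, value in result["actions"]:
        print(f"REMEDIATED {fid} on {name}: {setting} -> {value}")
    print("remaining findings:", result["findings_after"])
```

Two design points carry over to a real pipeline: the rules are data, so adding a control is a one-line change that is applied uniformly to every resource, and `remediate()` works on a copy, so the same input always produces the same findings and the same actions, which is the predictability the passage describes.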
Use augmented encryption for protecting PHI
Encryption is a critical factor for securing PHI, but it’s not as simple as that. For starters, you have to consider encryption from many different angles, including encryption at rest and encryption in transit. You also need the right security tooling to augment your encryption. Importantly, that tooling needs to leverage cloud-based key management technologies and be monitored and reviewed with a centralized system like a security information and event management (SIEM) system that drives alerts, aggregates logs, and correlates events to help augment your vulnerability management and encryption strategy. Finally, you also need automated discovery of anomalous activity to generate alerts and drive action.
Mitigate negative impact from shadow IT on your organization
Shadow IT exists in most large organizations and is often unavoidable. The problem is that when you have systems that are undocumented, unmonitored, or unpatched, it can expose your organization to serious risks. Further complicating matters is the fact that with shadow IT, there’s no PHI inventory mapping, and certainly no safeguard integration. Finally, consistency is a major consideration. With shadow IT, there’s always the risk of inconsistent hardening and mapping of controls (if any) and inconsistent adherence to regulations like HIPAA, GDPR, and any others you may be required to follow.
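The practical first step against shadow IT is to reconcile what the organization has documented against what automated discovery actually finds, and to treat anything undocumented as potentially PHI-bearing until reviewed. The following is an added example, not code from the article or the webinar: the documented inventory, the discovery results and the two control fields (monitoring agent present, patch status known) are constructed for illustration, and a real run would take the discovered side from cloud asset listings, a CMDB export or a network scan.

```python
"""Reconcile a documented PHI inventory against discovered assets.

Added example for illustration only. The inventory, the discovery results
and the control fields are constructed; a real run would pull discovery
data from cloud asset listings, CMDB exports or network scans.
"""

# Constructed: what the security team has documented, keyed by hostname.
DOCUMENTED_INVENTORY = {
    "ehr-db-01": {"owner": "clinical-apps", "contains_phi": True},
    "imaging-api": {"owner": "radiology-it", "contains_phi": True},
    "intranet-web": {"owner": "corp-it", "contains_phi": False},
    "legacy-fax-gw": {"owner": "clinical-apps", "contains_phi": True},
}

# Constructed: what automated discovery found, with the telemetry each
# asset reports (monitoring agent present, patch status known and current).
DISCOVERED_ASSETS = [
    {"host": "ehr-db-01", "monitored": True, "patched": True},
    {"host": "imaging-api", "monitored": True, "patched": True},
    {"host": "intranet-web", "monitored": True, "patched": False},
    {"host": "pacs-export-tmp", "monitored": False, "patched": False},   # nobody documented this
    {"host": "dept-sharepoint-sync", "monitored": False, "patched": True},
]


def control_gaps(asset):
    """List the missing controls for one discovered asset."""
    checks = (("unmonitored", asset["monitored"]), ("unpatched", asset["patched"]))
    return [gap for gap, ok in checks if not ok]


def classify(documented, discovered):
    """Compare the two views and return a dict with:
    'shadow'          - discovered hosts absent from the inventory, with their gaps
    'documented_gaps' - inventoried hosts that are missing a control, with owner
    'missing'         - inventoried hosts that discovery did not find at all
    """
    seen = set()
    shadow, documented_gaps = [], []
    for asset in discovered:
        host = asset["host"]
        seen.add(host)
        gaps = control_gaps(asset)
        if host not in documented:
            shadow.append({"host": host, "gaps": gaps})
        elif gaps:
            documented_gaps.append({"host": host, "owner": documented[host]["owner"], "gaps": gaps})
    missing = sorted(h for h in documented if h not in seen)
    return {"shadow": shadow, "documented_gaps": documented_gaps, "missing": missing}


def prioritize(report):
    """Order shadow assets for review: most control gaps first, then by name.

    Undocumented assets have no PHI classification, so each is treated as if
    it may hold PHI until an owner has reviewed it.
    """
    return sorted(report["shadow"], key=lambda s: (-len(s["gaps"]), s["host"]))


if __name__ == "__main__":
    report = classify(DOCUMENTED_INVENTORY, DISCOVERED_ASSETS)
    for s in prioritize(report):
        print(f"SHADOW   {s['host']}: gaps={s['gaps'] or 'none'}")
    for d in report["documented_gaps"]:
        print(f"GAP      {d['host']} (owner {d['owner']}): {d['gaps']}")
    for h in report["missing"]:
        print(f"MISSING  {h}: documented but not discovered; confirm it was decommissioned")
```

The `missing` list is as important as the `shadow` list: an inventoried PHI system that discovery no longer sees is either decommissioned without the inventory being updated, or it has moved somewhere the discovery tooling does not cover, and either way the PHI inventory is wrong until someone checks.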
Utilize SRAs to find security gaps
Security Risk Assessments (SRAs) play an important role in detecting security gaps. During an SRA, it’s important to identify where PHI may be, the safeguards in place to protect it, and a plan for remediating any gaps in protecting that data. That plan should include a security risk register that shows the steps you’re taking to remediate and allows you to track your improvement.
If you take the approach that you need to work to improve your compliance every single day, and that it’s a journey rather than something you can achieve overnight, you’ll be in a much better position to succeed.
Make no mistake, however: in a reportable incident, one of the first requests from the OCR (the HHS Office for Civil Rights, which enforces HIPAA) will be that SRA.
Know that not all cloud vendors are created equal
When selecting a cloud vendor, due diligence is critical to ensure that you’re making the right choice for your business. To do so, make sure you think about what problem it is that you’re trying to solve. Technologists tend to get caught up in a lot of details like price and functionality, without ensuring the vendor can actually solve the problem at hand. Other things to consider include mapping the public cloud vendors’ capabilities back to your use case and recognizing that not every cloud provider offers HIPAA eligibility for all of their associated services. (By the way, even though the cloud may offer HIPAA-eligible services, it’s up to you to configure and deploy them in a way that’s HIPAA compliant every day going forward.) Finally, understand where liability sits with each of your cloud, security, and compliance vendors so you know what to expect.
Moving to the cloud
If you’re thinking about moving to the cloud, you know there’s a lot to think about. Security and compliance should always play an important role in shaping your decisions. By keeping the considerations outlined above in mind, you’ll be in a much better place to ensure that your migration to the cloud is smooth and successful. Better yet, partner with a vendor who has done it thousands of times and can navigate these issues for you.