Originally published January 23, 2019 by Matt Ferrari, Co-Founder & Former CTO, ClearDATA at Forbes.com
Today, as regulatory concerns are increasingly addressed for health care, CIOs can use the public cloud in several key ways to improve the care their patients receive — especially as facilities grow and scale. From backing up their system to saving confidential patient data, the cloud offers cost savings, convenience, storage and accessibility with just the click of a button. Yet, some concerns remain about the safety of patient data stored in the public cloud.
In years past, some health care CIOs shied away from cloud storage in favor of on-premise options because of the sensitive nature of health care data and protected health information (PHI). Today, most have discovered that on-premise limits the speed and quality of care that doctors can provide.
When it comes to cloud safety and keeping patient data secure, it’s about best practices for data security. And the cloud has numerous advantages in this regard:
Encryption is especially vital for health care organizations, specifically in doctors’ offices where data may be located on-premise in server rooms where physical security is a challenge.
HIPAA security and privacy rules require that all contractors working with health care organizations have a business associates agreement (BAA). Encryption is a basic requirement for maintaining HIPAA compliance, and public cloud providers are driving adherence by releasing services that already ensure encryption.
The public cloud continues to push the boundaries of encryption services, ranging from Advanced Encryption Standard (AES) algorithm encryption to in-transit encryption services. Data encryption has become so important that enterprises like Google (GCP), Microsoft Azure and Amazon (AWS) already natively encrypt most of their health care related services.
In the event of a natural disaster, no health care organization can afford to lose their patient data. Public cloud providers offer redundancy through network transport that can go into facilities where data lives to replicate that data and move it to the cloud. Take AWS, for example. The cloud service provider boasts a redundant storage solution so robust that if a disaster were to take one of their data centers offline, the hospital’s data would still remain secure.
In modern public cloud architectures, rather than thinking about legacy disaster recovery options, health care organizations are implementing redundancy through spreading their application across multiple public cloud availability zones or data centers. The bottom line? Redundancy keeps data online and safe.
Human error during data transportation is often responsible for compromising data encryption, which can lead to damaging security incidents. Transporting data securely, and keeping it safe as it moves from on-premise to another location or cloud service, is vital.
Luckily, most major cloud providers offer physical or online transport support to ingest your data and move it safely into the public cloud, including physical, petabyte-scale data transport like AWS Snowball and online encrypted services like SSH File Transfer Protocol (SFTP). All of these services can easily move workloads without modifying applications or managing FTP servers.
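Whatever transport service carries the data, the receiving side still has to prove that what arrived is exactly what was sent. The script below is an added example, not code from the article or from any cloud provider: it builds a SHA-256 manifest of an export before hand-off and checks the received tree against it afterwards, reporting modified, missing and unexpected files. The file names and contents are constructed for the illustration.

```python
"""Integrity manifest for a batch of files moved between sites.

Constructed example: files are written to a temporary directory to stand in
for an export of PHI staged for transport; the manifest is what a sender
would produce before hand-off and the receiver would check after ingestion.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large exports do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest and size."""
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        manifest[rel] = {"sha256": sha256_file(path), "bytes": path.stat().st_size}
    return manifest


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the received tree against the sender's manifest.

    Returns three lists: files whose digest changed, files listed in the
    manifest but absent on arrival, and files present on arrival that the
    sender never listed (extra material is also a finding).
    """
    received = build_manifest(root)
    report = {"modified": [], "missing": [], "unexpected": []}
    for rel, expected in manifest.items():
        actual = received.get(rel)
        if actual is None:
            report["missing"].append(rel)
        elif actual["sha256"] != expected["sha256"]:
            report["modified"].append(rel)
    report["unexpected"] = sorted(set(received) - set(manifest))
    return report


def demo() -> dict:
    """Stage constructed files, build a manifest, alter the copy, then verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "labs").mkdir()
        (root / "labs" / "panel_001.csv").write_bytes(b"patient_id,hba1c\n1001,6.2\n")
        (root / "notes_2019.txt").write_bytes(b"constructed sample note\n")

        manifest = build_manifest(root)
        manifest_json = json.dumps(manifest, indent=2, sort_keys=True)  # travels with the data

        # Simulate what a bad copy during transport would look like on the receiving side.
        (root / "labs" / "panel_001.csv").write_bytes(b"patient_id,hba1c\n1001,9.9\n")
        (root / "stray.bin").write_bytes(b"\x00")

        return verify_manifest(root, json.loads(manifest_json))


if __name__ == "__main__":
    print(demo())
```

The manifest should travel separately from the payload (for example, over the encrypted control channel rather than inside the same Snowball job), so that a copy error or tampering in one path cannot silently rewrite both.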
There are many testing tools used to keep your cloud provider in check. Penetration testing, vulnerability scanning, looking for network holes and intrusion prevention are all part of keeping data environments safe from threats. Major cloud providers also have a rich public cloud marketplace with virtual machines that are ready-made to scan virtual private cloud environments for vulnerabilities and malware.
In addition to these protections, organizations can schedule penetration testing by third parties inside the cloud environment for audits to ensure data safety. Practicing audits regularly leads to stronger data management and compliance.
Hardening allows organizations to make updates using automation rather than on-premises installations that may result in security incidents. This becomes increasingly important in health care as regulations evolve, requiring changes to the various operating systems that CIOs may be using to serve patient applications.
Tools like CloudFormation and Terraform let organizations build hardened templates for their operating systems, so that every new asset deployed in the cloud carries the same controls, policies, permissions and installed software. This gives organizations a single place to enforce standards and follow protocols.
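A hardened template is only as good as the checks that keep it hardened. The script below is an added example, not code from the article, from AWS or from the Terraform or CloudFormation projects: it lints a CloudFormation-style template dictionary for the encryption-at-rest and access controls discussed above (default encryption on S3, EBS and RDS, public access blocked, no security group open to the whole internet) and shows a weak template beside its hardened form. The two templates are constructed for the illustration; the property names are CloudFormation's own, but the check list is a minimal baseline, not a full linter.

```python
"""Baseline checks for a CloudFormation-style template before deployment.

Constructed example: the template dictionaries below are hand-written for this
illustration; the checks cover only the resource properties they reference.
"""
import json

PUBLIC_ANYWHERE = {"0.0.0.0/0", "::/0"}


def check_bucket(name, props, findings):
    """S3 buckets must encrypt at rest and block every form of public access."""
    rules = props.get("BucketEncryption", {}).get("ServerSideEncryptionConfiguration", [])
    if not any(r.get("ServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules):
        findings.append(f"{name}: no default server-side encryption")
    pab = props.get("PublicAccessBlockConfiguration", {})
    for flag in ("BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets"):
        if pab.get(flag) is not True:
            findings.append(f"{name}: {flag} is not enabled")


def check_encrypted_flag(name, props, flag, findings):
    """EBS volumes (Encrypted) and RDS instances (StorageEncrypted) share one shape."""
    if props.get(flag) is not True:
        findings.append(f"{name}: {flag} is not true")


def check_security_group(name, props, findings):
    """No ingress rule may admit the whole internet."""
    for rule in props.get("SecurityGroupIngress", []):
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        if cidr in PUBLIC_ANYWHERE:
            ports = f"{rule.get('FromPort')}-{rule.get('ToPort')}"
            findings.append(f"{name}: ingress from {cidr} on {ports}")


CHECKS = {
    "AWS::S3::Bucket": check_bucket,
    "AWS::EC2::Volume": lambda n, p, f: check_encrypted_flag(n, p, "Encrypted", f),
    "AWS::RDS::DBInstance": lambda n, p, f: check_encrypted_flag(n, p, "StorageEncrypted", f),
    "AWS::EC2::SecurityGroup": check_security_group,
}


def lint_template(template: dict) -> list:
    """Run every applicable check over Resources and return the findings."""
    findings = []
    for name, resource in template.get("Resources", {}).items():
        check = CHECKS.get(resource.get("Type"))
        if check:
            check(name, resource.get("Properties", {}), findings)
    return findings


# Weak: the defaults a hurried hand-built stack often ends up with.
WEAK_TEMPLATE = {
    "Resources": {
        "PhiBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
        "DbVolume": {"Type": "AWS::EC2::Volume",
                     "Properties": {"Size": 100, "AvailabilityZone": "us-east-1a"}},
        "AdminSg": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "admin access",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}],
            },
        },
    }
}

# Hardened: the same resources with the baseline controls applied.
HARDENED_TEMPLATE = {
    "Resources": {
        "PhiBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "BucketEncryption": {"ServerSideEncryptionConfiguration": [
                    {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
                "PublicAccessBlockConfiguration": {
                    "BlockPublicAcls": True, "BlockPublicPolicy": True,
                    "IgnorePublicAcls": True, "RestrictPublicBuckets": True},
            },
        },
        "DbVolume": {"Type": "AWS::EC2::Volume",
                     "Properties": {"Size": 100, "AvailabilityZone": "us-east-1a", "Encrypted": True}},
        "AdminSg": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "admin access from the corporate range only",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "10.20.0.0/16"}],
            },
        },
    }
}

if __name__ == "__main__":
    for label, tpl in (("weak", WEAK_TEMPLATE), ("hardened", HARDENED_TEMPLATE)):
        print(label, json.dumps(lint_template(tpl), indent=2))
```

Run as a pre-deployment gate, a check like this turns the template into the enforcement point: a resource that drifts from the baseline fails before it reaches the account, instead of being found by a later scan.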
6. General Security And Access Management
It comes as no surprise that Google, Microsoft and Amazon are aggressively investing in security and access management. Take the example of AWS Security Hub, which offers a comprehensive view into managing security alerts and automating compliance checks inside an organization’s cloud environment. This means controlling access and permissions to any person or application for tighter data security.
AWS also recently launched Control Tower, which manages security services based on established best practices in secure and compliant multi-account environments.
For large health care organizations, this means safeguarding access across channels and devices to keep patient data secure.
Logging is a hot topic in health care that requires users to log everything that happens within an environment. For example, pharmaceutical data needs to be securely logged during a clinical trial throughout the manufacturing of a drug. When logging data, organizations need alert and response capabilities. First, users need to be able to respond quickly when something goes wrong in an environment, and second, users need to be able to remediate that alert.
While technologies like AWS Security Hub drive alerts, there is no need for organizations to get rid of what they already have. They can use the rich APIs that public cloud providers expose to integrate those alerts into their current security platforms. This is especially pertinent to the health care industry, as most organizations will need to be able to integrate new technologies into their existing systems.
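The alert-and-respond loop described above can be expressed as plain rules over the audit log, independent of which platform raises them. The script below is an added example, not code from the article, from AWS Security Hub or from any vendor: it reads CloudTrail-style JSON events, raises alerts for calls that weaken logging or encryption, root activity, console logins without MFA and repeated login failures, and attaches to each alert the first response step an on-call engineer would take. The field names follow CloudTrail's record format; the events, account id, ARNs and addresses are constructed for the illustration, and the threshold and response texts are assumptions.

```python
"""Alert-and-respond rules over CloudTrail-style events.

Constructed example: the JSON lines below are hand-written to resemble
CloudTrail records; field names follow CloudTrail, every value is invented.
Each alert pairs the detection with the response step taken first.
"""
import json
from collections import Counter

# Calls that weaken the audit trail or data-at-rest protections.
PROTECTION_TAMPERING = {
    "StopLogging": "re-enable the trail and review who issued the call",
    "DeleteTrail": "recreate the trail from the hardened template and review the caller",
    "DeleteBucketEncryption": "restore default encryption on the bucket and review the caller",
}
FAILED_LOGIN_THRESHOLD = 3  # assumed threshold for this illustration


def parse_events(lines):
    """Decode one JSON object per line, skipping malformed lines rather than failing the batch."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def evaluate(events):
    """Return a list of alerts, each with rule, severity, subject and response."""
    alerts = []
    failed_logins = Counter()
    for ev in events:
        name = ev.get("eventName")
        identity = ev.get("userIdentity", {})
        who = identity.get("arn", identity.get("type", "unknown"))
        src = ev.get("sourceIPAddress")
        if name in PROTECTION_TAMPERING:
            alerts.append({"rule": "protection-tampering", "severity": "high",
                           "subject": f"{name} by {who}", "response": PROTECTION_TAMPERING[name]})
        if identity.get("type") == "Root":
            alerts.append({"rule": "root-activity", "severity": "high",
                           "subject": f"{name} by root from {src}",
                           "response": "confirm a break-glass ticket exists; otherwise rotate root credentials"})
        if name == "ConsoleLogin":
            outcome = ev.get("responseElements", {}).get("ConsoleLogin")
            if outcome == "Failure":
                failed_logins[src] += 1
            elif outcome == "Success" and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes":
                alerts.append({"rule": "login-without-mfa", "severity": "medium",
                               "subject": f"{who} from {src}",
                               "response": "enforce MFA on the principal and review the session"})
    for src, count in failed_logins.items():
        if count >= FAILED_LOGIN_THRESHOLD:
            alerts.append({"rule": "repeated-failed-logins", "severity": "medium",
                           "subject": f"{count} failures from {src}",
                           "response": "block the source at the edge and check for a matching success"})
    return alerts


# Constructed sample: three failed logins, a success without MFA, then logging is stopped.
SAMPLE_LOG = """
{"eventTime":"2019-01-23T10:00:01Z","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/analyst"},"sourceIPAddress":"198.51.100.7","responseElements":{"ConsoleLogin":"Failure"}}
{"eventTime":"2019-01-23T10:00:09Z","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/analyst"},"sourceIPAddress":"198.51.100.7","responseElements":{"ConsoleLogin":"Failure"}}
{"eventTime":"2019-01-23T10:00:15Z","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/analyst"},"sourceIPAddress":"198.51.100.7","responseElements":{"ConsoleLogin":"Failure"}}
{"eventTime":"2019-01-23T10:01:00Z","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/analyst"},"sourceIPAddress":"198.51.100.7","responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"No"}}
{"eventTime":"2019-01-23T10:02:30Z","eventName":"StopLogging","eventSource":"cloudtrail.amazonaws.com","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/analyst"},"sourceIPAddress":"198.51.100.7"}
{"eventTime":"2019-01-23T10:03:00Z","eventName":"DescribeInstances","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/ops"},"sourceIPAddress":"10.20.4.9"}
not json at all
"""


def run_sample():
    """Evaluate the constructed sample and return its alerts."""
    return evaluate(parse_events(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a['severity']}] {a['rule']}: {a['subject']} -> {a['response']}")
```

Because the output is a list of plain dictionaries, the same rules can feed an existing ticketing or SIEM integration through the provider's APIs, which is the point the paragraph above makes: the alerting layer is replaceable, the response playbook is what the organization has to own.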
It sounds strange, but the surest way to keep your data safe is to scale. The ability to increase and decrease resources on-demand without having to wait for physical on-premise updates is essential. More and more, health care organizations are adopting DevOps and serverless technologies to help avoid patch management and infrastructure maintenance. By moving from older to newer environments, they are decreasing costs and reaping the rewards of increased data security in the cloud.