A risk-averse industry, healthcare was not one to be the first mouse to the cheese on migrating data to the public cloud, and among healthcare organizations, providers lagged furthest behind. But while they originally took to the cloud slowly, in the last two years there has been a sea of change as momentum builds for a healthcare wave to the cloud and the pandemic accelerated healthcare’s need to move to the cloud. It is estimated that healthcare’s digital transformation over the first two months of the pandemic alone was equivalent to the previous two years’. Today, most healthcare providers have at least some workloads on one of the three major public clouds: AWS, Google Cloud Platform, or Microsoft Azure. In fact, approximately 90 percent of healthcare organizations are using some type of cloud service. Yet, security in the cloud remains a high priority and concern for healthcare leaders, with many myths and misconceptions.
The concern for security is legitimately placed. There was a 55% increase of healthcare data breaches in 2020 and opening the digital front door even furthers the likelihood of data being exposed. Should we blame the cloud as the cause for the breaches? No, while data breaches are on the rise in healthcare, doesn’t mean that using the cloud is less secure. For healthcare organizations to truly transform, they must be able to sort cloud myth from reality. What follows are seven myths about the cloud that we can need to dispel so we can move healthcare forward securely and within compliance standards, and get to the pressing work of using all of the data at our fingertips to improve the quantity and quality of life for those in need.
Myth #1: The Cloud Isn’t Secure Enough for Healthcare
When healthcare began cloud migration several years ago, there was often the perception that cloud was not as secure as data centers. However, in reality, just because you can see your servers doesn’t mean they’re safe. While both enterprise systems and cloud systems have a chance of being attacked, data shows that cloud-based systems are actually more secure than their on-premise counterparts.
As pointed out in Becker’s Hospital Review,* a modern cloud infrastructure is more secure than its legacy counterparts because cloud providers design their infrastructures with the latest technological advances including, “a multi-layered approach geared to isolate patient records and simple, standardized operation framework that minimizes the chance for catastrophic human error.”
Additionally, the agility of the cloud responds better to frequent changes in the regulatory landscape. As the article goes on to note, “Compared to older, slower moving systems, cloud infrastructure and associated applications are more agile and well suited for quick reconfigurations, reducing the risks of compliance violations and concerns.” An expert managed services and solution platform provider will build upon a foundation of HITRUST and take automated, proactive measures to improve the security of your PHI vastly, including incident response plans and disaster recovery in ways far better than what is possible on premise. Ransomware and other cyberattacks are becoming increasingly more sophisticated, and the tools available on the cloud are better suited to stave off attacks or minimize loss if an attack succeeds.
Myth #2: All Cloud-based Infrastructures Are Created Equal
The cloud infrastructure can generally be boiled down to three components: network, storage, and computing. Each component must be purpose-built for healthcare. The necessary security and compliance must be part of the design — from the beginning — and central to the environment in order to handle PHI safely. Because of restrictions and requirements in compliance frameworks, there are additional logging requirements, as just one example, that will exist for healthcare environments. Your environment needs to be built with a Defense-in-Depth and Privacy-by-Design perspective that only an expert in both cloud and healthcare can deliver.
Myth #3: Data in the Cloud Is More Vulnerable to Hackers
In reality, data in the cloud is far less susceptible when it is properly encrypted and secured. However, it really depends on the cloud provider. All of us in healthcare should take seriously the rise in incidents and protect against risk. The cloud platform provider must ensure administrative, technical, and physical safeguards are, and remain, in place. These safeguards, as outlined by the OCR, are complex. Because IT security on the cloud — where there is a constant flow of new features — is not the core competency of most healthcare organizations, turning to cloud providers with certified staff can pay off since they focus extensively on security. Even better, turn to a cloud provider that is healthcare exclusive and understands the complexities of compliance and security when dealing with PHI. The investment of resources and staffing by cloud-based providers is difficult to match with in-house employees. Additionally, HITRUST-certified vendors are particularly attractive given the rigorous certification process they endure that then provides you with an extra layer of protection.
Myth #4: Data in the Cloud Is Accessible to Other Organizations Using the Same Cloud
This myth can be busted simply by doing your due diligence when you choose your cloud provider. Choose a provider with the experience and know-how to ensure your data is segregated from other organizations’ data at all stages of the lifecycle. They should be able to speak with you about the isolation tactics they are taking to protect your data, which may include virtual LANs and encryption, among other options.
Myth #5: Data That Resides in the Cloud Can’t Be Controlled or Mined
Let’s debunk this one once and for all. You have control in the cloud, and in fact, you can extend the same internal controls you have on-premise to your on-cloud environment if you wish. You can let your provider know you would like the same user management, access management, and authentication as you have now with on-premise solutions. They may offer ways to enhance it, but they aren’t going to lessen your control. You will have an auditable chain of custody – a must if you are ever audited by the OCR.
Myth #6: Identity and Access Management Is a Headache with Cloud-based Systems
In truth, it’s not difficult to extend a provider’s existing identification and authentication framework to a cloud environment. There are specific technologies (such as LDAP, SAML, Cloud Access Security Brokers, etc.) in the marketplace that can enable central identity management in the cloud. Network traffic settings also can help enable these technologies.
Myth #7 I Can’t Trust the Cloud Like I Can Trust My Own People
This is perhaps the most misguided myth of all, since oftentimes your employees may be the cause of your data breach. In fact, email continues to be a leading cause of breaches and in 2019, 72% of healthcare providers experienced a breach with the email being the root cause. Do your employees know what to NOT click on? And while much focus was being given to cloud security, nearly 600,000 records were the result of improper disposal of healthcare PHI and OCR issued more penalities for HIPAA violations than another year.
The bottom line is, a poorly built environment, either on premise or on cloud, can leave you vulnerable to risk, and rest assured hackers are looking for holes to enter your network. Your cloud environment can provide you with all the privacy, security and compliance you have on-premise, and much more, if done correctly. The reality is if you and your team are not healthcare-exclusive, cloud-certified experts, then you need to find a third party that is. It’s not a myth that some things are best left to the experts.