In the last few years, cloud computing has moved from an option for healthcare providers to, increasingly, a business necessity. By outsourcing data management to a cloud services company, hospitals can free up their own technical staff to do more work closer to their core competencies.

“Microsoft coming along with a public cloud infrastructure, once upon a time, seemed like an unlikely proposition for healthcare, with sensitive data workloads,” Simon Kos, Microsoft chief medical officer, said in a recent interview. “The whole concept that healthcare organizations would put that information in the public cloud and trust it, seemed at odds with how sensitive that data was and the industry compliance.”

“Since 2016 we’ve moved a long way,” Koss continued. “Now we have widespread deployment of sensitive data in the public cloud in compliant ways, and as the big hyperscale cloud providers engage in competition in the market, we’re seeing the cost of storage and computing drive right down.”

Still, for hospitals contemplating a move to the cloud, security remains a concern. Keeping biometric data secure is high-stakes.

If customers’ credit card information or passwords get compromised, they can get new credit cards and make new passwords. But if health data gets compromised, it’s compromised forever: Patients can’t change their allergies, blood type or medical history.

Is the cloud more secure?

Most of the experts MobiHealthNews spoke to for this story agreed that these days, all other things equal, moving to the cloud is a step up for security.

“Cloud based solutions have matured to a point where they are more secure than local server solutions alone,” said Hector Rodriguez, Microsoft’s Worldwide Health chief information security officer. “The reality is that these solutions, when properly integrated, should and do strengthen an enterprise's overall cybersecurity posture by adding additional layers of security and monitoring.”

Of course, that doesn’t mean that all cloud solutions are more secure than all local solutions. Many other factors contribute, such as the quality of the team involved.

“There’s been about three or four public surveys that talk about the fact that, from informed and professional competent people today, the sentiment is that cloud providers out-of-the-box are more secure than having a solution on-premise,” Vincent Campitelli, an enterprise security specialist at the Cloud Security Alliance, said.

“If you had an on-premise data center run by a competent group of professionals, versus a cloud environment run by a comparable group of professionals natively, you’re going to have a better software security environment in the cloud than you will on-premise,” he added.

But because a cloud provider can be singularly focused on security, while an in-house team has many responsibilities, they have an advantage.

“Cloud solutions tend to be more secure because large infrastructures generally are updated with the latest patches and security measures, whereas ‘closet-IT’ or on-premise solutions might not have the same level of attention,” Atlantic.Net Founder and CEO Marty Puranik said.

“A lot of this depends on the team you have in place, and the resources they have that are spread to deal with all IT projects,” he continued. “In addition, clouds tend to be more proactive to newer security threats because they have the ability to get patches/updates before generally released to the public.”

Rodriguez echoed the same sentiment.

“Cloud computing organizations are security providers first-- it is a critical part of cloud solutions and it’s being proactively monitored 24-7 by highly-trained security professionals,” he said. “Most organizations don’t have the resources or training to do this on their own.”

Campitelli gave one more caveat about trusting large cloud vendors.

“The irony of doing that is that, from a general risk perspective, if I had 10,000 medical devices in 10 different data centers, then I’d have to look at the security in those data centers, but it’s very unlikely that anyone can get access to all 10 data centers,” Campitelli said.

“But if I decide to consolidate and put everything in one cloud, the fact that I put everything in one spot, that raises my risk from the standpoint of putting all my eggs in one basket,” he added. “Now that one cloud becomes a bigger target for someone who wants to target these medical devices.”

The best defense against this risk, he said, is for organizations to resist the urge to publicize a move to the cloud when it comes to sensitive data.

“People who have a need to know, they have to sign an NDA,” he said. “But why put it on your Facebook page? Why publicize it as a marketing ploy? Why tell everyone that? If you just moved all of your gold into one bank vault, would you tell all your friends?”

How to make sure your cloud is secure

Even though cloud platforms are generally considered secure, organizations concerned about data security shouldn’t be content just to call up a cloud provider and call it a day. There are many additional steps organizations — especially healthcare organizations — need to take to cover their bases and make their patients’ data as secure as possible.

First and foremost, there are a lot of cloud providers to choose from. Campitelli explained, like any purchase, the tradeoff tends to be between cost and quality.

“In any population of anything there will be some outliers that are really good and some outliers that are really bad,” Campitelli said. “You want to make sure that when you’re choosing your vendor, you’re not choosing a vendor that’s in that bottom bracket of the population. … They don’t even have a business, but you’re signing up with them.”

“You think you’re getting a service with security compliance, etc, but they never have published third-party reports or reviews,” he continued. “You don’t have visibility into how well are they really doing. There’s no S&P, there’s no third party that says they’re meeting expectations, or that there’s a gold standard you can measure them against. Without that kind of visibility, you’re just hoping for the best when you sign that agreement.”

He gave the example of Code Spaces, a cloud company that ended up declaring bankruptcy after getting hacked. Customers never got their data back.

After finding a reputable vendor, healthcare customers should go in with their eyes open.

“When working with a cloud provider, customers should not treat the cloud solution as a black box,” Rodriguez said. “They need to understand how that solution provides security, privacy and compliance capabilities and how the customer can measure and monitor that by using security tools, audit logs or other automated mechanisms.”

They also need to be savvy about crafting an agreement that meets all of their particular security needs.

To Puranik, using a cloud provider has the advantage basic security being included, made possible as the cost is “amortized across thousands of servers instead of a few.”

“The disadvantage would be that your team needs to make sure that they go further to whatever compliance is required and not solely rely on the cloud providers security suites if they don't meet the criteria required,” Puranik said.

“As an example, a cloud provider might offer encrypted storage, but it’s important that the IT staff of the company using this product secure the servers that access the encrypted storage with best practices so that the data isn't exfiltrated by accounts with weak or no passwords,” he added.

And of course, the most important security need for a healthcare company is remaining compliant with HIPAA, or whatever the equivalent regulation is in one’s home country.

“Work with a cloud provider that implements the required controls to enable you to meet your regulatory requirements, such as HIPAA,” Rodriguez said. “Make sure that they will sign a HIPAA business associate agreement or other contractual artifact based on your local regulations (for non-US based hospitals).

“And make sure that your data (both protected health information and other data assets) are always your own -- that the cloud provider does not use your data for its own purposes such as sales, marketing, or research,” he added.

To Campitelli, the final step is one that organizations often forget.

“You need to have ongoing oversight capabilities to make sure that your vendors still providing the level of service and security that you’re paying for,” Campitelli said. “The most ‘aha’ moment for me is that organizations need to understand that once you make a decision, that’s the beginning of your relationship and your governance responsibilities, not the end.”

“So there’s a hidden cost there because you need to have someone with the right expertise to continue to monitor that relationship and make sure they continue to provide services at the level that you’re paying for,” he added.

Data security is an ongoing battle

One good reason to maintain an ongoing, active relationship with your cloud vendor is that the nature of security threats — and defenses — is constantly evolving.

“That’s just a constant battle,” said Rick Halton, VP of product and marketing for healthcare software company Lumeon. “We’re bringing in new encryption techniques into our database technology to secure patient identifiable information.”

“There are new techniques coming in like table-based encryption and things like that, the ability to separate patient-identifiable information from other clinical information. So we just constantly evolve that throughout our roadmap,” he added.

Puranik noted that new companies Veeam and Zerto have sprouted up just in the last few years to protect companies from ransomware. And Rodriguez noted that cloud vendors are also proactively developing new defenses in an effort to stay one step ahead of bad actors.

“The use of artificial intelligence and data-driven security monitoring with behavioral analytics has made cloud-based security more effective,” he said. “A good example is Microsoft’s integrated intelligent security graph that collects billions of data points on a daily basis and uses AI and machine learning to analyze and identify evolving cybersecurity attacks and other malicious cyber behaviors.”
 

Twitter: @JonahComstock
Email the writer: jonah.comstock@himssmedia.com