The following is a guest article by Rodman Ramezanian, Global Cloud Threat Lead at Skyhigh Security
Healthcare, like other sectors, is undergoing a massive digital transformation to meet the changing needs of patients and workers. As part of this transformation, there are a growing number of roles that can be performed virtually – such as grant administrators, clinical trial coordinators, or telehealth care providers – although some workers, like emergency room physicians, must still be present onsite. Since remote and hybrid employees need to be able to collaborate anytime, anywhere, and from multiple devices, many healthcare organizations are adopting cloud infrastructure and rethinking their overall approach to data security.
Recent research from Skyhigh Security confirms that the healthcare industry is picking up its pace of cloud adoption, but that it remains slower to embrace the cloud than other industries. In fact, from 2019 to 2022, healthcare only saw a 25% uptick in its cloud services in use compared to the 50% increase seen across other sectors including financial services, retail, manufacturing, IT, and more. So what’s causing this hesitancy?
Building Trust in the Cloud
One of the main, and most obvious, reasons is the highly sensitive nature of data at play in healthcare facilities: protected health information (PHI), insurance claims, pharmaceutical intellectual property, and more. This data is highly prized by cybercriminals, evidenced by the fact that 76% of healthcare organizations have experienced the trifecta of a cyber breach, threat, and data theft. To prevent these attacks, sensitive data in this sector has historically been stored on premises since leaders have been under the perception that it’s safer and easier to access and control this data onsite. However, while neither on-premise nor cloud environments are completely impenetrable, cloud security these days is exceptional and, depending on circumstances like the level of oversight and investment into these systems, is often the more secure of the two. Yet the healthcare industry still demonstrates a certain level of distrust in cloud security and stores the least amount of sensitive data, particularly personal information like healthcare records or payment card details, in the cloud versus its peers. The hesitancy also stems from concerns about meeting the sector’s strict security and privacy regulations, like HIPAA, and a lack of understanding of how to integrate the cloud with existing, often outdated, systems.
But as the need for cloud collaboration continues to rise and cloud environments become more sophisticated, healthcare organizations are trending toward greater trust. By reflecting on the top challenges the industry has faced thus far and learning ways to mitigate these issues going forward, healthcare security leaders can be well-positioned to take advantage of cloud capabilities without putting their mission-critical data at risk.
Top Challenges to Expect
Many of the top challenges the healthcare sector faces are shared by other industries. All industries, including healthcare, have a lack of visibility into how much and what types of data are being stored in the cloud – knowledge that’s vital to be able to secure it properly. As an extension of this general lack of visibility, 74% of healthcare organizations in 2022 expressed concern about employees’ use of cloud applications and services that hadn’t been authorized by the IT department, or Shadow IT, and how this activity might negatively impact data security. This is a marked increase from just 49% that were worried about Shadow IT in 2019, demonstrating just how much the digital landscape has changed in a few short (but era-defining) years.
The healthcare sector is also up against workforce shortages across the board, exacerbated by the burnout, stress, and high demands of the pandemic. But the talent shortage extends beyond patient-facing workers to include cybersecurity leaders. Sixty-six percent of surveyed organizations claimed that a lack of cloud security talent has a large effect on their ability to secure cloud computing, compared to only 56% across other industries. Without knowledgeable security leaders at the helm, it makes sense that organizations are struggling with tasks like effectively assessing the security of various cloud providers. In addition to cybersecurity experts, IT leaders are also in high demand to support the transition to the cloud and reduce infrastructure complexities.
Technology to Simplify Cloud Security
Tackling these challenges is going to require a fresh approach to data security. First and foremost, healthcare needs to make security a topline priority. The report found that out of all industries, healthcare was the least committed to doubling down on cybersecurity after experiencing a data breach, threat, or theft of data, which may harken back to talent and budget constraints. Or this may be a result of cloud security responsibilities falling more on manager-level employees’ shoulders than the C-suite in healthcare – unlike other sectors that place the onus squarely on C-suite leaders.
The research makes it clear that healthcare organizations are slowly, but surely, shifting to the cloud to enable seamless collaboration and patient care anytime, anywhere. But it’s equally apparent that security leaders in this sector need to invest more in the people and technology that will help them overcome top challenges during this important transition. For example, a Cloud Access Security Broker (CASB) is a security layer, or checkpoint, between enterprise users and cloud providers that offer a wide range of security benefits, like helping organizations identify where sensitive data lives in the cloud and what applications and services are being used by employees. A CASB also allows organizations to consistently enforce custom security policies and even restrict the functionality of certain applications that pose higher risks.
In conjunction with workforce development programs and strategic recruiting and hiring practices for cybersecurity and IT, automated tools can also maximize healthcare teams’ time and resources amid pressing talent shortages. Since 89% of respondents in the industry are calling for simplified cloud security management, the sector needs to lean into unified technology that provides visibility, control, and protection of cloud data without overburdening teams that are already stretched thin. With the proper tools and clear program goals and ownership, healthcare organizations can continue adopting cloud services while fending off even the most sophisticated cyberattacks.
About Rodman Ramezanian
Rodman Ramezanian, Global Cloud Threat Lead at Skyhigh Security, has over 11 years of extensive cybersecurity experience. Rodman specializes in the areas of Adversarial Threat Intelligence, Cyber Crime, Data Protection, and Cloud Security. He is an Australian Signals Directorate (ASD)-endorsed IRAP Assessor – currently holding CISSP, CCSP, CISA, CDPSE, Microsoft Azure, and MITRE ATT&CK CTI certifications.
