A version of this article originally appeared in Health Data Management.
A tremendous amount of healthcare data in the U.S. will be moved to the Amazon Web Services (AWS) and Microsoft Azure clouds for either private or public use in 2017. It makes sense because hospital leadership would rather be in the business of treating patients than managing data centers. The fact that cloud computing can be a less expensive option helps too. As the cloud computing trend takes off in healthcare, a carefully matched cloud security strategy can ensure your Protected Health Information (PHI) stays safe.
Although the number of breached healthcare records in the U.S. dropped from 113 million in 2015 to 16 million in 2016, trust me when I say that the bad guys are still targeting healthcare data. The three primary attack scenarios for cyber adversaries to target healthcare data remain true today:
Cyber adversaries are well aware that healthcare data is moving to the cloud, and these three scenarios can – and will – still play out in a cloud environment.
In 2011, the HITECH Act began to offer financial incentives for healthcare organizations to digitize healthcare records. This resulted in a big migration to electronic medical records, and security was often placed on the back burner. In a similar manner, there is now a rush to move healthcare records to the cloud, and there’s often an assumption that security comes automatically. Security can be more straightforward to implement in the cloud, but it is still only as good as you make it.
AWS and Azure both make it easier to manage virtual servers and virtual network infrastructure at the platform level, but don’t make the mistake of developing a false sense of cloud security. Neither cloud provider will detect malware infections at the endpoint level; you need to deploy and manage advanced anti-malware to your endpoints on your own. At the network layer, security is configurable as well. In both cloud providers, you have options to select and deploy virtual next-generation firewalls to wrap network-level threat protection around your applications.
Healthcare organizations are notorious for using legacy applications. Some were built by vendors that aren’t even in business anymore. These types of systems can be some of the most vulnerable points in the organization. AWS and Azure both provide capabilities that can make it easier to manage the security of the underlying data within high-risk applications.
I’ve spoken to a number of healthcare organizations recently that are embracing the software-defined-networking capabilities in AWS and Azure. As they migrate their applications to the cloud, they can, at a moment’s notice, spin up the required virtual servers, and be protected behind a new instantiation of a virtual next-generation firewall.
Migrating applications to the cloud can often present a unique opportunity to evaluate and improve each application’s overall security. For example, you could:
Amazon and Microsoft both offer the option of signing Business Associate Agreements (BAAs), allowing them to store protected health information (PHI) and giving them the ability to architect applications in alignment with HIPAA and HITECH compliance requirements. A few of the security features that support HIPAA compliance include:
One of the most powerful features of the cloud is that it makes bleeding-edge security infrastructure available to healthcare organizations of all sizes. Even smaller clinical networks can stand up and deploy enterprise-class, HIPAA-compliant application environments with a small IT team. However, don’t fall into the trap of thinking that cloud security is automatic. With careful planning, you can take advantage of the cost-savings and extensibility that the cloud offers, but you also need to ensure that the right security architecture is in place to keep your patient data safe.