Four things healthcare organizations need to consider when moving to the cloud.
As the healthcare industry continues to digitize to meet patient demand and data-driven regulations, it has become a prime target for hackers, as personal health information (PHI) is among the most profitable commodities on the dark web.
There have been more than 2,500 healthcare data breaches over the past 10 years. Not securing patient data can cost healthcare organizations millions of dollars in lost business, remediation efforts, regulatory fines and reputational damage. In fact, the healthcare industry has the highest breach-related costs of any industry at $429 per record. With financial services breaches, the remedy offered is monetary. With a healthcare breach, how do you compensate a patient for compromising their health condition?
Concerns about data breaches are discouraging some healthcare organizations from using AI and machine learning, which can help advance medical research such as genome analysis or outcome prediction in clinical trials. To apply these new technologies, they need to shift their operations to the cloud to realize the benefits of extensible infrastructure, reduced costs, ease of access to data and big data analytics. But they also need to ensure that partnering with a cloud service provider will not compromise patient privacy, safety and data security. Sharing data leads to better analytics outcomes, but given the risk of breaches, such sharing poses more risks than rewards.
Although cloud providers are accountable for the security of their data centers and servers, healthcare organizations are responsible for securing the data. To help ensure a successful partnership, here are four things healthcare organizations need to consider when moving to the cloud:
Understanding the types of data being stored in the cloud and the classification of the data is critical to determining the data loss and business impact risk. This determination will often guide the types of controls and protection methods that need to be put in place. For example, storing data in the cloud with encryption-at-rest enabled does not guarantee it is safe from being hacked. Data also need to be protected in memory and in process. If the organization deems the data sensitive, it should encrypt the data before sending it to the cloud provider and manage the encryption keys itself rather than relying on basic cloud provider controls to secure its data. Doing so fulfills the customer's portion of the shared responsibility model.
Data alone do not always deliver insights. Applications use data to build reports, provide insights or serve up patient history. Healthcare organizations should know how their data are handled throughout the lifecycle. They should find out if data are being accessed while they are in a secure database or if the data are extracted out of the database and then moved into the application to be processed and used. Ideally, a healthcare organization will want to store data in the database and allow the application to analyze them while they remain encrypted inside the database. When multiple parties need to process the data, find ways of sharing data securely by protecting them as the data are extracted.
Healthcare organizations need to know which applications are authorized to access the data and enforce conservative access controls. They should also find out how the cloud provider grants users access to information and systems. In addition, they should be sure applications are not allowed to issue commands that return all data rather than just the needed data.
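The access rule described above, sketched as an added example that is not part of the original article: each application gets a column allowlist, so a request for "all data" is refused while a request for just the needed fields succeeds. It uses SQLite's authorizer hook through Python's `sqlite3` module as a stand-in for database-side column permissions; the table, application names, allowlists and rows are constructed for illustration.

```python
import sqlite3

# Hypothetical per-application allowlists: table -> columns the app may read.
APP_COLUMNS = {
    "scheduling": {"patients": {"id", "name", "next_visit"}},
    "billing": {"patients": {"id", "name", "insurer"}},
}

# Constructed sample rows; no real patient data.
ROWS = [
    (1, "A. Example", "2024-07-01", "Acme Health", "asthma"),
    (2, "B. Sample", "2024-07-09", "Beta Mutual", "diabetes"),
]


def open_for_app(app):
    """Return a connection that can read only the columns listed for `app`."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE patients (id INTEGER PRIMARY KEY, name TEXT,"
        " next_visit TEXT, insurer TEXT, diagnosis TEXT)"
    )
    conn.executemany("INSERT INTO patients VALUES (?, ?, ?, ?, ?)", ROWS)
    conn.commit()
    allowed = APP_COLUMNS[app]

    def authorizer(action, arg1, arg2, dbname, source):
        if action == sqlite3.SQLITE_SELECT:
            return sqlite3.SQLITE_OK
        if action == sqlite3.SQLITE_READ:  # arg1 = table, arg2 = column
            if arg2 in allowed.get(arg1, set()):
                return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY  # other columns, writes, DDL, PRAGMA, ATTACH

    conn.set_authorizer(authorizer)  # installed only after the seed data is loaded
    return conn


def query(conn, sql, params=()):
    """Run a statement; return its rows, or None if SQLite rejected it."""
    try:
        return conn.execute(sql, params).fetchall()
    except sqlite3.DatabaseError:  # raised when the authorizer denies a statement
        return None


if __name__ == "__main__":
    sched = open_for_app("scheduling")
    print(query(sched, "SELECT * FROM patients"))                 # refused
    print(query(sched, "SELECT name, next_visit FROM patients"))  # allowed
```

On a server database the same policy is normally expressed with column-level grants or views owned by the data team rather than by the application.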
Healthcare organizations should make sure their cloud provider understands it must comply with the HIPAA breach notification requirements, as it is considered a “business associate.” A business associate is responsible for notifying the healthcare provider of breaches of unsecured PHI. There are more requirements outlined on the HHS.gov website. Healthcare organizations should also be sure the cloud provider has a plan in place to mitigate any breach.
Healthcare organizations moving to the cloud have a false sense of security that once the data are in the cloud, the provider will protect them. Cloud providers aren’t responsible for securing a healthcare organization’s data because there is always the danger of misconfiguration. Healthcare organizations need to secure sensitive data before they move to the cloud and keep them protected while the data are there. But cloud providers don’t get a free pass. They share the responsibility and need to be the most secure, monitored and regulated entities. When working with a cloud provider, healthcare organizations should understand and audit their practices and demand the highest level of protection and ownership.
Ameesh Divatia is co-founder and CEO of Baffle, which provides a modern, data-centric encryption and advanced data protection solution designed for distributed and cloud-native environments, DevOps and microservices.