To get secure cloud storage in healthcare, gauge risks first
Conducting a risk assessment before moving to the cloud and establishing security controls when you get there are key steps toward achieving cloud security, experts say.
Before moving to a cloud architecture, healthcare organizations should first do a risk assessment -- which, if done properly, will help health IT professionals understand the potential perils of using cloud storage in healthcare and the security controls that can mitigate those risks.
While hospitals and health systems are hesitant to move patient data to the cloud, cybersecurity expert Vince Campitelli said cloud storage in healthcare can potentially deliver more effective data security, privacy and compliance. The threat of data breaches and the need to manage huge amounts of patient data are issues that have plagued the healthcare industry for years. Cloud storage could alleviate those problems.
"I think any organization that wants to think about the cloud [needs] to become much more conscious and aware of what's the difference between traditional technologies versus cloud, what are the implications of migrating to that tech and what's an appropriate process to achieve this migration," said Campitelli, an enterprise security specialist for the Cloud Security Alliance (CSA), which promotes best practices for secure cloud computing. Before any hospital or health system moves data for cloud storage in healthcare, he explained, it needs to conduct a risk assessment and develop a strong working relationship with the selected cloud provider to ensure data security.
Risk assessment
In general, risk assessments assign levels to threats and then compare them. Based on those comparisons, health organizations can choose what measures are needed to avoid risks. In the case of cloud migration, Campitelli said an assessment analyzes the risk of moving to cloud technology and ensures that the organization and cloud provider have the right controls in place to manage that risk.
Vince Campitelli
"If that risk is appropriate for the organization, they can go ahead and use that cloud technology," Campitelli said. "But in any risk assessment, as you identify the risk, you need to also identify controls that come with the solution, and then you have to make sure you understand the controls to help manage the risk associated with the cloud."
Another aspect to consider is whether hospitals and health systems can ensure that what's initially evaluated stays consistent. For that reason, another piece of a risk assessment is re-evaluating the threats periodically. "If it's operated and managed by that organization, they are responsible for all the controls," Campitelli added. "In a hybrid cloud and in a public cloud, there's a shared responsibility for the total portfolio of controls."
Choosing the right cloud model
Since private, public and hybrid cloud models function differently, so does the security associated with each model for cloud storage in healthcare. In the case of a private cloud model, said CSA research director John Yeoh, an organization has a set of security controls such as encryption that it's responsible for. By comparison, the cloud provider is responsible for security in a public cloud model, or it's a shared responsibility between the organization and cloud provider in a hybrid cloud model. Campitelli said the cloud market has evolved as cloud providers seek to increase their scope of potential customers by offering more security controls.
[I]n any risk assessment, as you identify the risk, you need to also identify controls that come with the solution.
Vince Campitellienterprise security specialist, Cloud Security Alliance
When considering the security of cloud services offered by companies like Amazon, Microsoft and Google, Campitelli said there haven't been major data breaches or "significant negative events" around cloud provider security; instead, problems arise from misconfigurations when a customer moves data into a provider's cloud environment. Having someone knowledgeable about both the data and cloud service on the organization side is a key component of cloud security, he noted.
"Oftentimes, the people who are doing the configuration are pretty low on the totem pole because it's viewed, inappropriately, as just an administrative task, so to speak," Campitelli said. "That's why there's been some defects in that space."
The type of data an organization wants to put into the cloud dictates the level of security controls that need to be implemented to protect the data, he explained. High-risk data, such as protected health information (PHI), requires security controls that are different from those for low-risk data.
Regulatory requirements
Regardless of the approach used for cloud storage in healthcare, Campitelli said if a healthcare organization wants to put PHI into the cloud, the healthcare organization and cloud provider have to comply with HIPAA and other regulatory security requirements. To be HIPAA-compliant, he said, 79 security controls have to be met. For example, when using encryption, there are different capabilities approved to meet HIPAA standards.
While cloud providers need to meet regulatory requirements to store PHI, Campitelli said the healthcare organization is responsible for making sure the cloud provider offers the appropriate security controls and that the measures conform to HIPAA. "The business needs to address what types of security controls they need," he advised. "Then, when they go to the cloud provider, which is a vendor, they need to ensure that the cloud provider has those capabilities."
Vince Campitelli
