Information security experts say public cloud services offer many advantages for health care
Cloud services and storage are growing in use in the health care industry, according to a recent HIMSS Media/Center for Connected Medicine (CCM) survey. With more health data migrating to the cloud and increased cyber-threats in health care, cybersecurity in the cloud is becoming an important topic for health care leaders to grasp.
Hospitals and health systems are investing in cloud computing services as the organizations work to more easily share data, improve consumer-facing services, and deploy analytical solutions that can advance patient outcomes and reduce cost. The cloud is an appropriate solution meeting these health care goals because it provides a democratizing effect, explained Houman Modarres, Senior Director of IP Networks at Nokia.
“The cloud helps connect health care professionals to applications and information they need right away, giving experts access to have the ability for the quickest analysis,” Modarres said.
Two things are driving cloud migration in health care, according to Modarres: effectiveness and efficiency. “Health care professionals want better outcomes for everyone involved.”
Moving past fear
Despite this driver, Modarres described the largest barriers to cloud adoption as risk management and information security.
In the HIMSS/CCM survey, the most commonly cited cloud security concerns were based around regulatory compliance and theft of data. And half of the professionals surveyed noted that these security issues were “significantly” limiting their use of cloud services.
Taylor Lehmann, Chief Information Security Officer of Wellforce and Tufts Medical Center, believes that health care professionals need to learn facts about the cloud and move past the fear, uncertainty, and doubt that have chased its use for years. In his estimation, use of cloud technologies has many advantages. Fear of the unknown, mainly around the security of a cloud offering, has kept industry professionals hesitant from jumping in and taking full advantage of cloud services.
Lehmann encouraged health systems to fully assess the risk of a given cloud service provider, and to have a strong understanding of the data being shared, how it will be used, how it will be accessed by the provider and the organization itself, and the protections around it.
“Educate yourself on what cloud service you are buying and exactly how it works; get hands on,” Lehmann recommended. “Using a cloud service provider for a given technology carries with it many of the same considerations you’d have to address if you were using the same technology in your own data center. Try to approach implementation in the same way you do in your data center but spend extra time understanding what the service provider is actually doing for you, and what you need to do yourself. Understand the shared responsibilities between parties”
Reducing the risk of cloud
To health care security professionals, cloud services can be viewed as an extension of their local data centers. If handled correctly, Modarres argued that tools exist to securely move data into the cloud.
As health care data breaches become more frequent, Modarres explained that security needs to be handled on multiple levels. “If your infrastructure is not secure, moving your systems, data, and processes into the cloud will not fix that and it could expose your data,” he said. “But if your data is secure to start with, the cloud could enhance that security.”
Specific to reducing risk, Modarres said health systems cannot control what they don’t see. The security process is multifaceted but includes two main pieces: identifying access permissions granularly and surveying the applications and users with analytics. He said he believes “comfort with cloud is something that has to come with education, involvement, and not feeling alone.”
Lehmann said he thinks adopting cloud technologies can improve the security of data beyond what could be achieved if the organization kept the data in their own data center. Budgets, skillsets, security capabilities, and general services offered by cloud services often come with and are available to hospitals in volumes and quality not possible in their own organization. This is especially true for smaller hospitals and systems that simply don’t have large budgets for cybersecurity.
“The cloud is not necessarily riskier than deploying in your own data center or otherwise,” Lehmann said. “In addition to understanding what responsibilities an organization needs to take on, other topics like regulatory compliance needs tied to the data – like where the data can actually be stored geographically – provide another important, but ultimately manageable requirement to think through. I haven’t run into a situation where a given compliance requirement couldn’t be met.”
Private vs. public cloud
Respondents to the HIMSS/CCM survey were generally more comfortable putting health care data in a private cloud than in the public cloud.
Modarres said he understands this view, describing the private cloud as a set of resources created by an organization only for that organization. “You outfit it, you onboard applications, you run it for yourself and your users, so there are fewer unknowns,” he said. “People find this to be a safer alternative because it is more contained.”
Despite this perception, Modarres also explained that public cloud services are not “a scary place,” and can be more cost effective for health systems. “It is important to understand the resources you are using,” he said.
To understand the benefits of both types of cloud structures, Lehmann identified hands-on experience as the key to turning fear into knowledge. Lehmann recommends providing transparency, training, and the ability to walk through projects together. “Working through issues builds confidence,” he said.
Advantages of health care cloud
From a financial standpoint, Lehmann noted that it is cost effective for many organizations to run, compute, and store data in their own data centers, but this will not be the case forever. Costs, along with other factors such as accessibility and speed, are driving the industry to migrate to cloud services and change the way that work is performed.
As it relates to health care, Lehmann is mindful of the risk factors associated with cloud services but believes that, as an industry, health care should be having open conversations and cooperate with one another to abolish fears around adoption of the technology. This, in his mind, can create common standards for third parties to identify with in a more transparent way.
Overall, health care is being faced with a new reality in terms of cloud cybersecurity, and the technology is paving the way for work to be done in an effective and efficient new way.
Learn more about cybersecurity in the cloud:
- Webinar: How can health systems overcome cybersecurity concerns to reap cloud’s benefits
- Cybersecurity is the biggest priority and challenge for health systems
- Why health systems should work together to manage cloud cybersecurity risk
- Are health care’s cloud security concerns grounded in reality?
- Common web services could help raise the cybersecurity ‘poverty line’ in health care