An increasing number of healthcare organizations are moving from their own data centers to cloud computing. Like their peers in other industries, healthcare CIOs are turning to the cloud for efficiency, flexibility, and cost savings. Some experts argue that this increased use of the cloud opens them up to more security challenges, but the cloud is not inherently less secure than traditional computing, and in many cases it is more secure. What matters is using it intelligently and building a complete and appropriate security strategy around it.
Here is what you need to know about cloud security for healthcare organizations.
1. Healthcare Breaches are Like Death and Taxes
A shocking 91 percent of healthcare organizations reported that they experienced at least one breach in the past two years (as of September 2015). This tells us that security incidents are no longer a “possibility” for healthcare companies; they are practically a certainty. While the Anthem breach, for example, was painfully public, many more slip by without much fanfare. Just because you aren’t a behemoth health insurance company does not mean it can’t or won’t happen to you. Individual hospitals have been hit with ransomware, and roughly 112 million PHI records were breached in 2015. Whether you are a hospital, provider, insurance company, or a SaaS player in the healthcare market, the probability of a breach is high.
And, even beyond the PR disaster a breach causes, this costs companies real money. The average total cost of a data breach is now $4 million according to the 2016 Ponemon Institute study, up from $3.79 million in 2015 and 29 percent higher than in 2013. Going a level deeper, the average cost per stolen record is now $158. The bottom line is that you can’t take the “If it happens, we’ll deal with it” stance. You need to be proactive and defensive.
2. Just Because You’re Compliant Doesn’t Mean You’re Secure (And Vice Versa)
One misconception we often see is the idea that if you’re HIPAA compliant, you must be secure. Unfortunately, this just isn’t true. For one thing, the HIPAA Security Rule is less prescriptive than standards like PCI DSS: many of its implementation specifications are “addressable,” meaning an organization may document why a control is not reasonable for it and adopt an alternative, whereas PCI DSS spells out specific technical requirements and tests for them. For another, HIPAA is often not followed well (see that 91 percent breach statistic above). If you’re a healthcare company, it’s important to realize that being HIPAA compliant won’t guarantee that all the PHI you handle is safe, in the cloud or anywhere else. Stricter security regulations governing cloud services are in order, but until those arrive, and even once they do, it is best to employ a comprehensive cloud security platform that gives you a “single pane of glass” view of your security posture.
3. Only Associate With Business Associates
When it comes to the security of PHI, it’s wise for healthcare companies to do business only with vendors that take on HIPAA obligations themselves. Before moving forward with any partnership that involves PHI, make sure the vendor signs a Business Associate Agreement (BAA). A BAA does not certify that the vendor is secure; it is a contract that binds the vendor to HIPAA’s safeguard requirements, to reporting security incidents and breaches to you, to flowing the same obligations down to its own subcontractors, and, if you negotiate it, to audits of its controls. Again, remember that compliance does not equal security, but it is a good baseline to adhere to.
Many CIOs found, even just a few years ago, that it was tough to convince vendors to sign BAAs. The 2013 HIPAA Omnibus Rule changed that calculus: business associates are now directly liable under HIPAA for the PHI they handle, whether or not a BAA is in place, so a vendor gains little by refusing to sign and loses healthcare customers if it does. Today, AWS, Microsoft, and Google will all sign BAAs with healthcare customers, and smaller companies are following suit. Two caveats to keep in mind: each provider’s BAA covers only a defined list of in-scope services, so PHI must be kept to those services; and the BAA covers the provider’s side of the shared responsibility model, not how you configure those services or what you deploy on them. With that understood, cloud computing is increasingly “doable” for healthcare companies that are responsible for upholding HIPAA.
4. Dot and Cross Your IoTs
Connected devices are one of the most exciting things to happen to healthcare in the last decade. The kind of personal, accurate, and detailed information that the Internet of Things (IoT) puts in the hands of healthcare practitioners can, without exaggeration, save lives. But from a security standpoint, the IoT can be a Pandora’s box.
To safely reap the maximum benefit from connected medical devices, it’s vital that healthcare stakeholders understand exactly how, when, and where those devices handle PHI. Once you have a complete picture of how PHI travels and is stored across its entire lifecycle, from the device, through the network, to the backend services and storage that support it, strategize and implement a security plan that covers identity and access management, encryption in transit and at rest, analytics, workload visibility, and anomaly detection. Bear in mind that many medical devices run embedded firmware that cannot host an agent or be patched on your schedule, so the backend services and the network paths the devices use are where most of your monitoring will have to live. A platform like Threat Stack can help ensure that you have visibility into that part of the attack surface, including the backend services that power cutting-edge IoT devices.
5. There are Silver Linings in the Cloud
There is no need to fear the cloud. As long as healthcare companies choose cloud providers that take security seriously, the benefits should greatly outweigh the risks. Most top-tier cloud providers have recognized that a strong infrastructure security posture removes a barrier to cloud adoption in regulated markets such as healthcare, and they have built capabilities that let customers layer next-generation cloud security platforms on top, providing a more complete security strategy than was previously available. That said, this is a “trust but verify” environment: the provider secures the underlying infrastructure, but you remain responsible for your workloads, identities, configuration, and data, and each healthcare company must do its own due diligence on its providers to ensure that the great responsibility of PHI security is being rigorously upheld.