By Ameesh Divatia, co-founder and CEO, Baffle
The healthcare industry is becoming more digitized with organizations seeing the value of shifting operations to the cloud. From patients and providers to insurers and pharmacists, cloud computing can help streamline everything from information storage and patient services to insurance transactions. In a HIMSS Analytics survey of healthcare IT executives taken in January 2017, 65 percent of respondents said their healthcare organizations currently use the cloud or cloud services.
There are many benefits to partnering with a cloud service provider for extensible infrastructure, reduced costs, ease of access to data, and big data and analytics, for example. But this outsourced approach can also increase data security risk because the healthcare industry has been a prime target for attacks, given it offers a package of personal identifying information – financial and medical – which is among the most valuable commodities on the dark web. Although cloud Infrastructure-as-a-Service (IaaS) providers are accountable for the security of their data centers and the server hardware they use, the healthcare organization is responsible for securing the data and applications on which it runs. To help ensure a successful partnership, here are four important questions healthcare organizations should address when choosing to migrate services and data to a cloud provider.
What is the data type and how is it protected?
Understanding the data types being stored in the cloud and the classification of the data is critical to determining the data loss and business impact risk. This determination will often guide the types of controls and protection methods that need to be put in place.
For example, storing data in the cloud with encryption-at-rest enabled does not guarantee it is safe from being hacked, despite the fact that this may address some regulatory compliance standards. Data may be exposed If the data is stored with modified open access that allows for data retrieval from any source, including websites, mobile apps, and data from interconnected devices. Several occurrences of data exposure via the above misconfiguration scenario have been made public in recent months. For an example of what can go wrong if data access and security are not handled properly, consider last year’s Verizon hack. A cloud provider misconfigured a cloud storage repository, exposing customer data to external parties.
If the organization deems the data sensitive, it should encrypt the data before sending it to the cloud provider and manage the encryption keys itself rather than relying on basic cloud provider controls to secure its data. This executes the customer portion of the shared responsibility model.
How is the data being processed?
Data alone does not always deliver insights. Applications use data to create reports, provide insights or serve up patient history. A copy or cache of the data is often moved by the application, and then it is processed. This potentially exposes the data, as manipulating it often involves de-encrypting it or changing the access model.
Healthcare organizations currently using or moving to the cloud should know how their data is handled end to end throughout the data lifecycle. They should find out if data is being accessed while it is in a secure database or if it is extracted out of the database and then moved into the application to be processed and used. Ideally, a healthcare organization will want to store data in the database and allow the application to analyze it while it remains encrypted inside the database.
Which applications are allowed to access the data?
It is important to find out what applications are authorized to access the data and enforce conservative access controls. It is important to grant the minimum set of privileges needed. An organization should find out how the cloud provider grants users access to information and systems. Also, organizations should be sure applications are not allowed to issue commands that return all data rather than just the needed data. (The latter can be done by using a command written in typical database programming language as “Select * From Data.”) Without that safeguard, all of the data is at risk of getting dumped or extracted unilaterally from the database.
What do you do in the case of a data breach?
It is normal to associate encryption or data protection with access control when it comes to processing data in a cloud environment. The cloud provider needs the right monitoring systems in place so when policy violations happen or if someone is accessing data he or she wouldn’t usually, it is flagged.
Make sure the cloud service provider understands its breach notification requirements specific to the geography in which it is operating. As a “business associate,” a cloud service provider must comply with the HIPAA breach notification requirements that apply to that role. (A business associate is responsible for notifying the healthcare provider of breaches of unsecured personal health information. There are more requirements outlined on the HHS.gov website.) Also, be sure the cloud provider has a plan in place to mitigate the breach.
Cloud providers put the core responsibility for data with the data owner, in this case, the healthcare organization. Do not misunderstand: Cloud systems do not get a free pass. They share the responsibility and need to be the most secure, monitored and even regulated of entities. But the healthcare organization is ultimately responsible for the data it collects and shares, regardless of how it is stored or who stores it. The bottom line is, when working with a cloud service provider, be sure to understand and audit its practices, and demand the highest level of protection and ownership.