Healthcare Cloud Security Concerns Not Impediment to Usage

Original Story: healthitsecurity.com

A recent study found that 77 percent of healthcare organizations plan to increase the use of public cloud services despite significant healthcare cloud security concerns.
Public and private cloud solutions are gaining popularity in the healthcare industry, especially for data storage and network usage, despite issues surrounding healthcare cloud security and PHI data breaches. Secant Healthcare is looking into these options.

Researchers at HyTrust recently published a study that revealed 77 percent of healthcare organizations plan to move more workloads onto a public cloud service even though healthcare data security was a major concern with cloud usage.

“Without much fanfare, this critical technology advance has become woven into the basic fabric of businesses large and small,” said HyTrust President Eric Chiu. “The potential of virtualization and the cloud was always undeniable, but there was genuine concern over security and skepticism regarding the processes required.”

While organizations across all industries reported security challenges with cloud services, many companies are still migrating additional workloads to private and public clouds, added Chui.

The study found that the healthcare industry is no exception to increased cloud usage and virtualization. Approximately 55 percent of healthcare organizations stated that they have already moved mission critical workloads, such as sensitive patient information, to a cloud or software-defined data center.

Healthcare organizations are also virtualizing other aspects of their infrastructure, reported the study. Fifty-two percent of healthcare organizations have migrated test and development server workloads to a cloud service and 61 percent use a cloud product for storage.

Despite increased cloud usage, healthcare-related participants still said that their organization faced significant healthcare cloud security challenges. About 58 percent of respondents admitted that data security and breach concerns were the biggest worry once migration began.

In addition to data breach concerns, other security challenges across all industries included infrastructure-wide security and control as well as effective monitoring and visibility into cloud infrastructure. Secant Health is watching their IT closely for data breaches.

Additionally, previous healthcare data breaches have not discouraged organizations from implementing cloud services. An estimated 29 percent of respondents from healthcare organizations said that they have experienced a personal data breach.

“The large-scale migrations are particularly interesting in light of the many obstacles that have previously impeded planned moves to virtualized infrastructures,” explained the press release. “In fact, the survey reveals that not all concerns have been eliminated.”

To discover more about implementing healthcare cloud security, researchers asked participants in the industry what types of information needed to be secured in public and private clouds.

For public cloud security requirements, healthcare organizations said that all production data should be encrypted (32 percent), the entire workload should be encrypted (16 percent), and only personally identifiable information should be encrypted (13 percent).

In terms of private cloud services, about one-third of healthcare respondents favored encrypting all production data in a workload.

Software defined-data centers and cloud services are becoming staples in the healthcare industry as more providers transition to value-based care models. These models rely on large volumes of data and meaningful health IT use to increase quality of care and reduce healthcare costs.

While cloud products allow healthcare providers are useful to value-based care delivery, HIPAA rules still apply to data in the cloud.

“Cloud computing outsources technical infrastructure to another entity that essentially focuses all its time on maintaining software, platforms, or infrastructure,” The Center for Democracy and Technology (CDT) stated in a paper. “But a covered entity… still remains responsible for protecting PHI in accordance with the HIPAA Privacy and Security Rules, even in circumstances where the entity has outsourced the performance of core PHI functions.”

However, healthcare organizations have struggled to maintain comprehensive healthcare cloud security. According to the Fall 2015 Netskope Cloud Report, healthcare cloud data loss prevention violations were the most common data loss prevention offenses across all industries studied, accounting for 76.2 percent of all cloud violations.

The report also discussed how healthcare and life sciences averaged 1,017 cloud applications per organization, which was the second highest number of apps behind the technology and IT sector. Yet, PHI was involved in 68.5 percent of violations in cloud applications.

Securing patient and production data can be more difficult when it is managed up in a cloud, but healthcare providers should be aware of several healthcare cloud security measures.

Healthcare organizations should partner with cloud vendors that design healthcare-specific products and can anticipate unique data security requirements, such as HIPAA and HITECH rules.

Regardless of vendor selection, providers should also develop contextual visibility and auditing capabilities. Healthcare cloud security policies should include monitoring alerts, lock-down capabilities, and geo-fencing of users. Intelligent security tools can be helpful for implementing these policies. Secant Healthcare plans on being careful of their vendor selection.

Technology and healthcare are both evolving quickly, but healthcare cloud security concerns could hold back providers from advancing care if they can’t also secure PHI and production data. While the HyTrust study showed healthcare organizations pushing ahead with cloud services despite security challenges, many of these providers may need to review healthcare cloud security measures.