Healthcare in the CloudsCloud based systems in healthcare and their issues
The healthcare nowadays is in the clouds, and not just the prices. With
the fast pace in which technology advances and the many different
solutions that are offered to all types of users, enterprises across all
sectors are either in the cloud, transitioning to the cloud, or thinking
about making the idea of cloud a reality. Hospitals and healthcare
providers are no exception. The cloud provides near real time, accurate
exchange of information to support a variety of health care
scenarios—which is the objective of the Health Information Technology
for Economic and Clinical Health Act (
HITECH Act), (Filkins, 2011).
Figure 1. Healthcare in the cloud
The first steps hospitals took into migrating to the cloud was
(Software as a Service). "`SaaS` is a way of delivering applications
over the Internet as a service. Instead of installing and maintaining
software, you simply access it via the Internet, freeing yourself from
complex software and hardware management" (Salesforce, 2016). Now we are
one step further, the cloud.
Hospitals handle sensitive patient information and therefore have to abide by a series of laws that were put in place in order to assure privacy, secure access to that information and reduce fraud. Migrating to the cloud raises some concerns regarding those exact issues. Since all healthcare organizations are obligated to comply with these laws, the compliance itself not only brings the biggest risks but also poses the biggest challenge, whether it be in a server room down the hall or in the cloud.
Different countries have different laws in place that all hope to achieve the same objective but may differ in some aspects. In this article we will be talking about the security risk implied in the transition of hospitals and other healthcare organizations to the cloud but focused only on the United States law and healthcare providers.
Health Information Technology for Economic and Clinical Health Act (HITECH)
HITECH act was created in 2009 to stimulate the adoption of
electronic health records (
EHR) and supporting technology in the
United States. This act stipulates that beginning in 2011, healthcare
providers would be offered financial incentives for demonstrating
"meaningful use" of
EHRs until 2015, after which time penalties may be
applied for failing to demonstrate such use (Rouse, 2015).
The Health Insurance Portability and Accountability Act (HIPAA)
HIPAA act provides data privacy and security provisions for
safeguarding medical information. This is intended to guarantee the
privacy of medical information. This act is not directly related to
HITECH but they both reinforce each other in some aspects (Rouse,
Compliance in the Cloud
Chris Bowen, founder of
ClearDATA, says there are three main focus
HITECH regulations related to technology: 1.
Administrative controls: Policies must be in place to determine who has
access to what data. 2. Technical controls: Rules must be in place to
secure data. 3. Physical controls: Standards for physical access to data
and infrastructure resources must be abided by (Butler, 2016).
With the right precautions all of these regulations can be met in a
cloud environment. The majority of public clouds now offer a monitoring
and log functionality. Within the functionality, depending on the cloud,
you can also set up alarms to flag and report any unusual activity. That
covers the administrative controls. If the cloud you choose doesn’t
offer encryption then you aren’t looking at the right options. Clouds
also offer the possibility to deploy virtual security controls such as
WAF or even a
DLP. With all data encrypted in the cloud
and some security controls deployed, depending on your needs, you can
cover the technical controls. Finally, most cloud providers offer
assurances to customers regarding physical access to the data centers
hosting their clouds. In this case you are transferring the risk to a
third party but based on the
SLA they are obligated to meet and
therefore satisfying the physical controls.
Fraud and Cloud. Friends or foes?
Now that we can check off compliance we are left with fraud, the other big risk. With the migration to the cloud, it is not only your application but also your data that leaves your sight, which means it is no longer protected by whatever perimeter protection you had previously set up. This combined with the fact that cloud enables users to access information from various devices and various locations makes identity and access management more challenging and leaves room for fraud.
Medical identity fraud, which has affected an estimated
Americans, and Financial fraud, which is estimated at
annually only in New York, are amongst the most popular types of fraud
In the cloud, identity becomes the key to maintaining security,
visibility and control (Filkins, 2011). To solve the identity and access
management problem we need to stop the proliferation of user
credentials. When a system uses multiple credentials for one user, the
user tends to forget and lose them. A Single Sign On (
gives us a solution. A SSO in an authentication service that allows a
user to use one set of credential to access multiple applications.
SSO on its own is not enough, audits are the Robin to our
and the periodic auditing of all accesses and critical transactions will
complete the battle against fraud. This by no means implies that a
service and audits will guarantee that you are going to be fraud free,
it is just a strong strategy and a very good start.
"The allure of on-demand cloud services combined with advances in cloud
security have transformed the healthcare
IT mindset from “Why move to
the public cloud?” to “What should we move, how do we do it?”"
Technology advances everyday, your enterprise must keep up with it. Here is a great article that gives you 9 Tips on securing your hospital’s information on the cloud