By Juan Aguirre | April 27, 2017
The healthcare nowadays is in the clouds, and not just the prices.
With the fast pace in which technology advances and the many
different solutions that are offered to all types of users, enterprises across
all sectors are either in the cloud, transitioning to the cloud, or thinking
about making the idea of cloud a reality. Hospitals and healthcare providers
are no exception. The cloud provides near real time, accurate exchange of
information to support a variety of health care scenarios—which is the
objective of the Health Information Technology for Economic and Clinical Health
HITECH Act), (Filkins, 2011).
The first steps hospitals took into migrating to the cloud was
as a Service). "`SaaS` is a way of delivering applications
over the Internet as a service.
Instead of installing and maintaining software, you simply access it
via the Internet, freeing yourself from complex software and hardware
management" (Salesforce, 2016). Now we are one step further, the cloud.
Hospitals handle sensitive patient information and therefore have to abide by a series of laws that were put in place in order to assure privacy, secure access to that information and reduce fraud. Migrating to the cloud raises some concerns regarding those exact issues. Since all healthcare organizations are obligated to comply with these laws, the compliance itself not only brings the biggest risks but also poses the biggest challenge, whether it be in a server room down the hall or in the cloud.
Different countries have different laws in place that all hope to achieve the same objective but may differ in some aspects. In this article we will be talking about the security risk implied in the transition of hospitals and other healthcare organizations to the cloud but focused only on the United States law and healthcare providers.
HITECH act was created in 2009 to stimulate the adoption of electronic
health records (
EHR) and supporting technology in the United States.
This act stipulates that beginning in 2011,
healthcare providers would be offered
financial incentives for demonstrating "meaningful use" of
EHRs until 2015,
after which time penalties may be applied for failing to demonstrate such use
HIPAA act provides data privacy and security provisions for safeguarding
medical information. This is intended to guarantee the privacy of medical
information. This act is not directly related to
HITECH but they both
reinforce each other in some aspects (Rouse, 2015).
Chris Bowen, founder of
ClearDATA, says there are three main focus areas for
HITECH regulations related to technology:
1. Administrative controls: Policies must be in place to determine
who has access to what data.
2. Technical controls: Rules must be in place to secure data.
3. Physical controls: Standards for physical access to data and infrastructure
resources must be abided by (Butler, 2016).
With the right precautions all of these regulations can be met in a cloud
environment. The majority of public clouds now offer a monitoring and log
functionality. Within the functionality, depending on the cloud, you can also
set up alarms to flag and report any unusual activity. That covers the
If the cloud you choose doesn’t offer encryption then you aren’t looking at the
right options. Clouds also offer the possibility to deploy virtual security
controls such as an
WAF or even a
With all data encrypted in the cloud and some security controls deployed,
depending on your needs, you can cover the technical controls.
Finally, most cloud providers offer assurances to customers regarding physical
access to the data centers hosting their clouds.
In this case you are transferring the risk to a third party
but based on the
SLA they are obligated to meet
and therefore satisfying the physical controls.
Now that we can check off compliance we are left with fraud, the other big risk. With the migration to the cloud, it is not only your application but also your data that leaves your sight, which means it is no longer protected by whatever perimeter protection you had previously set up. This combined with the fact that cloud enables users to access information from various devices and various locations makes identity and access management more challenging and leaves room for fraud.
Medical identity fraud,
which has affected an estimated
1.5 million Americans,
and Financial fraud, which is estimated at
$5 billion annually only in New
York, are amongst the most popular types of fraud (Filkins, 2011).
In the cloud, identity becomes the key to maintaining security, visibility and
control (Filkins, 2011). To solve the identity and access management problem we
need to stop the proliferation of user credentials. When a system uses multiple
credentials for one user, the user tends to forget and lose them. A Single Sign
SSO) technology gives us a solution.
A SSO in an authentication service
that allows a user to use one set of credential to access multiple
SSO on its own is not enough,
audits are the Robin to our
SSO Batman and the
periodic auditing of all accesses and critical transactions will complete the
battle against fraud. This by no means implies that a
SSO service and audits
will guarantee that you are going to be fraud free, it is just a strong
strategy and a very good start.
"The allure of on-demand cloud services combined with advances in cloud
security have transformed the healthcare
IT mindset from “Why move to the
public cloud?” to “What should we move, how do we do it?”" (ClearDATA, 2016).
Technology advances everyday, your enterprise must keep up with it. Here is a great article that gives you 9 Tips on securing your hospital’s information on the cloud
Corporate member of The OWASP Foundation