As healthcare providers continue to make the switch to digital records and implement EHR capabilities, being able to store information offsite is becoming more important. The digital data also likely needs to remain accessible from multiple locations, which further underlines the need for strong healthcare data security measures.
Cloud computing for healthcare is quickly evolving into a key area for covered entities, as providers are seeking out the best option to keep ePHI secure and not hinder daily operations.
Healthcare providers need to understand the potential cloud computing security concerns, but they should also be aware of the benefits this digital option can bring. Finding a secure solution that does not disrupt physician or staff member workflow and is not an impossible feat for covered entities is key.
The healthcare cloud has drastically altered data security approach
Vice President of Commercial Operations & Chief Security Officer for IBM Watson Health Carl Kraenzel told HealthITSecurity.com that the implementation of cloud computing creates both challenges and surprise opportunities for healthcare organizations.
He explained that he has encountered many clients and partners who have struggled with the idea of the cloud, and worried that it might not be as secure or as compliant as they needed.
“I’ve found that originally there were a lot of people reluctant to get on the cloud for the unknowns associated with that,” Kraenzel stated. “Fast forward to where we are today, and the majority of businesses in healthcare and outside of healthcare are now familiar with the cloud.
“I’m seeing more of a tendency for people to look for clouds that they know have those capabilities already for them. It’s difficult and challenging to add security capabilities and compliance capabilities within homegrown IT.”
Healthcare organizations must also keep up with the changes, such as malware, other cybersecurity threats, and regulatory alterations in a global setting, he added.
“Over the last 10 years roughly, there has been a radical change in how clients and partner chief security officers approach cloud vendors,” Kraenzel said. “Instead of being afraid of cloud, they now expect cloud to give them a better alternative than doing it on their own.”
Foley Hoag attorney Colin Zick explained to HealthITSecurity.com that cloud computing has been around for some time, and it is not a new notion for data to be stored on remote servers. The sooner that people stop thinking about the cloud as a new concept, the better off they will be.
“By and large, particularly with the established providers of cloud services – Microsoft, Google, Amazon – they devote incredible resources to their services,” Zick stated. “They devote incredible resources to security for those services. Why? Because their reputation is based on it.”
In contrast, physical records are difficult to track or replace if they are stolen, he noted. Organizations may not be sure if an unauthorized individual walked off with records or not, as there is no way to trace that.
The good news is that the cloud providers have gotten the message, and they now will sign HIPAA [business associate agreements].
“When you think about that in a comparative sense, most anything electronic can be traced and it can be reproduced,” Zick stressed. “Even if it is improperly accessed. This is an enormous development above where things were.”
Zick did recommend that as entities start to look into storing information remotely, they find a vendor that knows what it is doing.
“Look at the services agreement,” he urged. “Understand exactly what the scope of the services are, who’s responsible for what, who’s indemnifying who, who has insurance, and what your rights to access are with data of backups, and what their rights are to access.”
Zick added that the attitude of cloud service providers has also changed over the years, and they now have a greater understanding of what being a HIPAA business associate means.
“The good news is that the cloud providers have gotten the message, and they now will sign HIPAA [business associate agreements],” he explained. “They may not negotiate their HIPAA BAA, but it’s progress. You can get the appropriate HIPAA BAA protection if you are a HIPAA-covered entity in terms of getting things in the cloud. But like anything, you’ve got to do your diligence.”
- What Hospitals Should Know About Cloud Computing Security
- Cloud Adoption Slows from Lagging Cybersecurity Skills
Healthcare cloud computing can be a key tool for organizations
Cloud computing can help healthcare organizations improve the strength of tried and true, repeated controls and technologies, noted Kraenzel.
“There still is a knee-jerk tendency of people to hear cloud, think ‘public cloud,’ and think their stuff will be mixed with that of other organizations,” he explained. “But increasingly, the understanding of multi-tenant, secure, encrypted clouds has created an awareness for all enterprises and healthcare and life sciences providers that there is great benefit of trust, repeatability, and auditability.”
Kraenzel used an example of a tenth tenant in a cloud that already has HIPAA and GXP capabilities proven and supporting other production clients. As long as that organization can have that auditability and verifiably show that their data and their activity is kept separate from other tenants, then the cloud now is a better place than a home-grown deployment.
That entity can point at the repeatability and the shared advances in protective technologies that are going in for all the other tenants.
“That rigor and robustness allows them to both inspect for the better capabilities that they’d like to see, but also have an assurance that these controls have been stretched, vetted, and tested by multiple other parties,” Kraenzel stated.
The 21st Century type of security thinking has also evolved, he pointed out. Previously, the mindset was to “go at? it alone.” Now, there is a great awareness of the importance of cooperative technology and controls.
The reality is that as healthcare becomes more and more electronic, it's our job as industry leaders to help protect your and my data from being incorrectly used.
Dell Cloud Client-Computing Vice President and Chief Strategy Officer Jeff McNaught told HealthITSecurity.com that HIPAA regulations tend to drive everything that healthcare does with patient data. Cyber criminals have also turned to medical records as a primary source for their activity, and certain doctors have even reported payments to insurance companies that never occurred.
“What happens is the patient now has the record of these procedures being performed in the insurance records,” McNaught explained. “That affects the patient's medical history and now corrupts that patient's medical history in terms of the insurers and healthcare providers that they speak to after that. One way to prevent that is by better protecting the electronic medical records from attack.”
An increasingly popular way to better protect that data is by positioning all that information in a virtual desktop infrastructure (VDI) server, McNaught stated.
“It's supported by companies that you already know; Citrix and Microsoft and VMware,” he said. “Then we access those servers where all the software is running and all the data is stored with these Thin Client devices. The key to doing a great Thin Client is you want to make it really, really fast so that the experience that someone using one gets is identical to what they get with PC.”
McNaught added that organizations need to ensure that this approach is secure. This can be done by relying on the storage and the processing power of the cloud and not having that sensitive data stored on the local device.
“The reality is that as healthcare becomes more and more electronic, it's our job as industry leaders to help protect your and my data from being incorrectly used,” said McNaught. “It is our job to keep our customers in healthcare out of harm's way using terms of the regulatory requirements.”
- Top 10 Cloud Data Storage Companies
- Healthcare Data Storage Options: On-Premise, Cloud and Hybrid Data Storage
Working with the cloud provider to assuage security concerns
There are common cloud security concerns, for the healthcare and life sciences industry, as well as other sectors, Kraenzel noted.
“Cloud or not, everyone is concerned about insider threats, phishing, and other vectors toward data breaches because of the increasing realization that the classic perimeter defense is highly insufficient,” he stressed.
Citing the large-scale Yahoo data breach, Kraenzel explained that approximately 1 billion accounts being hacked likely caused worry across multiple industries.
“I know that I, and other officers in the healthcare industry, are worried how many of those users are in healthcare or life sciences? How many use some variant of the same password or secret questions on their work accounts?” he inquired.
With cybersecurity attacks such as phishing, or other credentialed breaches, Kraenzel pointed out that there is a great worry that the bad guys are already able to get into a network, or through the perimeter.
“With that great worry, combined with general uncertainties about the scope of insider threats, people within the industry are looking for what can they do,” he stated. “People want to know what should they do in the worst case assumption that the bad guys are already through the door? How do you protect your assets and your clients’ data, patients’ data, in that worse case assumption?”
Sidley Austin LLP Partner Anna Spencer pointed out potential HIPAA violation concerns that may arise with the use of cloud computing.
One of the most important things for providers to remember is that cloud providers are business associates, Spencer told HealthITSecurity.com.
“There was a lot of confusion about the status of cloud computing companies and whether they qualified as business associates, particularly where the data was encrypted in what we’ll call end-to-end,” she stated. “That means at no point did the cloud provider actually view the data.”
OCR has also clarified that those entities are business associates, even if there is end-to-end encryption, Spencer noted, citing OCR guidance from 2016 on cloud computing.
It's clear from the [OCR] guidance that covered entities need to work with their business associate cloud service providers to work in a way that's going to promote the security of the information.
Healthcare organizations need to make sure that they are getting a business associate agreement with their cloud computing vendor, she added.
Collaboration between the covered entity and the cloud provider will also be key, Spencer explained. The two parties need to ensure ePHI is being secured properly and understand where the customer might control who has access to the data, or who can view it through an authentication requirement.
“It's clear from the guidance that covered entities need to work with their business associate cloud service providers to work in a way that's going to promote the security of the information,” Spencer stated.
She noted one aspect of the OCR guidance that covered entities should heed. If the cloud service provider recommends that the customer implement certain security features and the customer refuses, then the cloud service provider is not responsible for the compliance failures. The compliance failures are then solely attributable to the customer, Spencer pointed out.
“If there is a breach or a compliance review, and they find these compliance failures, the implication is that they will take action against the covered entity and not the cloud service provider,” Spencer said. “This just puts an emphasis on working together to achieve compliance.”
- Choosing a Healthcare Cybersecurity Vendor and Solution
- Simplifying the Healthcare Data Center Migration Process
Utilizing layered security for long-term cloud computing success
Kraenzel recommended that to ensure strong cloud security, organizations should focus on a few key areas. Going beyond the foundational basic tenants of protect, detect, and respond is essential.
Cognitive intelligence, which is what Watson Health utilizes, can help protect the inside of a perimeter. This is a key piece to protecting the inside of the cloud, he said.
“Another piece of protecting it is to deploy a combo of encryption key management that is tied with a blast radius analysis,” he suggested. “By that I mean, you don’t put all of your data underneath one encryption key.”
Encrypting data should be a baseline measure, he added. However, using multiple encryption keys will help organizations keep their data more secure. That way if one key is compromised, not all of the data is compromised.
“You have to have sophisticated, well-oiled key management linked to how your cloud is operated,” Kraenzel said.
Decoy techniques can also aid organizations. Even if cyber criminals are able to penetrate a perimeter, they do not necessarily find what they are looking for. Layers of deception can divert an insider threat to the wrong content.
For healthcare and life science compliance, Kraenzel explained that there is a lot of evolution ahead that will be happening both in the US and globally.
If they stay stuck in an old compliance interpretation, they can fall behind competitively and they can fall behind on protecting themselves against new risk factors.
All participants involved in compliance – the IT team, the security team, the compliance team, the vendor – need to go back to a clear-eyed interpretation of the regulations that form the basis of a policy.
“Policies are frequently formed at an institutional or corporate level, and formed by really good compliance people at a certain point in time,” Kraenzel said. “Then those policies are used as a checkmark list, by say the procurement team or other groups downstream.”
While organizations do need to verify that they are compliant, there must be a living interpretation of that document, he stressed.
“If they stay static too long, then a company will get stuck in an old interpretation of something, such as data locality,” Kraenzel maintained. “If they stay stuck in an old compliance interpretation, they can fall behind competitively and they can fall behind on protecting themselves against new risk factors.”
Old compliance interpretation can also prevent an organization from adopting cloud for no good reason, Kraenzel added. That entity’s competitors might be adopting the cloud, or the industry is, but that organization is lagging behind.
“Lagging behind presents business and security risks,” Kraenzel stated. “There’s plenty that’s changing and the compliance team needs to be part of leading the change. Excellent compliance teams get out there and are fighting for the new interpretation that still protects patients, company data, and governmental interests.”
- Coordinating Healthcare Data Center Security, Cloud Security
- Using Layered Security for Evolving Cybersecurity Threats