- The healthcare cloud is becoming a more popular – and sometimes necessary – option for providers. Entities are evolving into the digital healthcare space, and are steering away from paper records.
Data protection and business continuity measures are often cited as key cloud computing benefits. For example, healthcare organizations can create backup files for their systems. This can ensure entities are able to recover data should a cyber attack take place.
Even so, there are also barriers to the healthcare cloud. Data security concerns, and fearing a loss of control over their data can sometimes prevent organizations from investing in new cloud options. Failing to have the right cybersecurity employees in place could also be a possible hindrance.
Covered entities of all sizes need to understand both the potential pros and cons of the healthcare cloud. Cloud computing advancements can aid daily operations, but understanding the barriers will also help to prevent potential issues, such as a healthcare data breach.
Benefit: Offload data collection
Healthcare organizations have access to and are utilizing more data than ever before. The continued push for nationwide interoperability is also helping to fuel the need for more storage options.
Cloud computing can potentially help covered entities offload some of that data, and keep it securely stored where it can be remotely accessed.
Gartner explained in a 2016 study that healthcare can decrease the time it takes to deploy and realize value from assets, create more rapid and scalable responses to business challenges, and offer higher levels of security capability than within the HDO IT environment.
HIPAA compliance is also critical for secure healthcare cloud, Gartner stated.
“There is no such thing as ‘HIPAA compliance’ per se,” the report’s authors wrote. “There is only the exercise of a standard of due care against the rule. The lack of a BAA does not release a cloud service provider from its responsibilities under the law.”
In 2015, Intel introduced the Collaborative Cancer Cloud (CCC), allowing large amounts of patient genomic data to be analyzed in a distributed and secure way.
Intel Fellow and General Manager of Intel Health & Life Sciences Group Eric Dishman told HealthITSecurity.com in a previous interview that not losing control of the data was a key consideration. CCC works to find the right balance between smooth data sharing and security.
Information will be de-identified, but the data itself does not actually leave the original site, Dishman maintained.
“It's still under their control and hopefully they've got the right security in place for the data center,” Dishman said. “And it's also protecting whoever is doing the query. If a researcher is using that, and they have a really interesting algorithm or new drug they're doing research on, they don't want to share with all of these other places.”
“So that secure container is really connecting both parties,” he continued. “But the moment it's left your data center, that secure container then dissipates any data that was used, and just the results go back to the host institution.”
Benefit: Increase security
One of the more touted reasons to invest in the healthcare cloud is for improved data security measures.
Offsite storage can reduce the likelihood that sensitive data is stolen, as the information is not kept solely in a computer. The data can also be accessed from multiple locations, allowing physicians the ability to move from one hospital to another and have PHI access to properly care for patients.
Healthcare organizations can also choose between private cloud or public cloud. As explained by HITInfrastructure.com, entities can build their own private cloud hosted in their own data center, or they can deploy their private cloud on a private sever hosted by a cloud service provider.
“On-premises private cloud offers healthcare organizations security options that are very attractive especially when it comes to control over the network,” writes Elizabeth O’Dowd. “This method of private cloud storage works well for larger organizations that have the IT staff and security expertise to add whatever security measures they find appropriate.”
Along with more storage options, covered entities can have more hardened database security and optimized organizational performance.
The National Kidney Registry (NKR) upgraded its cloud storage options as the organization became larger and saw that it was time to change how it stored patient data.
“We realized that in order for us to continue to grow we couldn't just simply have servers sitting in our own little data center without us starting to invest a significant amount of money into building out a more robust data center,” NKR Director of Education and Development Joe Sinacore told HealthITSecurity.com in a previous interview. “We also needed to hire people to operate it.”
NKR first migrated its email server, and then worked to gain more control over the structure of the database, the coding that supports it, and all of the functionality for managing its logistics and workflows.
Rackspace Managed Security General Manager Brannon Lacey added that healthcare often lags behind other sectors with adopting new IT tools, including the cloud.
“A key aspect that has to be addressed within that journey into the cloud is around security,” Lacey said. “With the change of landscape around security, one where you now have advanced persistent threat actors that are no longer just sort of college students in basements, but actually backed by nation states.”
When healthcare organizations manage their compliance tightly, then can turn security and compliance “into a business enabler instead of a business restrictor,” he stressed.
Barrier: Data security concerns
While healthcare cloud can be a boon to security, organizations often hesitate to transition to cloud storage because they are worried that data could become exposed in the cloud.
Healthcare entities must ensure that basic data security options are still implemented with cloud computing. This can include data encryption and business associate agreements (BAAs) with cloud service providers (CSPs). That way, providers know when a BAA is liable and when the BAA is not at fault for a potential data security incident.
Research indicates that sometimes healthcare organizations might not be fully utilizing cloud security options.
A February 2017 HyTrust survey found that 25 percent of healthcare entities utilizing the public cloud are not encrypting their data. Thirty-eight percent of those surveyed that have data deployed in a multi-cloud environment that included Amazon Web Service (AWS) and Azure are not using any form of encryption.
Overall, 63 percent of respondents stated they utilize the public cloud, while 63 percent said they plan to use multiple cloud vendors.
Employees who lack the necessary cybersecurity skills could also be slowing down the cloud adoption rate.
Intel Security’s Building Trust in a Cloudy Sky report showed that the average number of utilized cloud services in an organization dropped from 43 in 2015 to 29 in 2016. Approximately half of surveyed cybersecurity professionals also said that they had slowed their cloud adoption from a lack of cybersecurity skills.
Forty percent of cloud services are now commissioned without the IT department, the report found. Sixty-five percent of respondents said that this practice hinders their ability to maintain cloud security.
“Despite the majority belief that Shadow IT is putting the organization at risk, security technologies such as data loss prevention (DLP), encryption, and cloud access security brokers (CASBs) remain underutilized,” the report’s authors explained. “Integrating these tools with an existing security system increases visibility, enables discovery of shadow services, and provides options for automatic protection of sensitive data at rest and in motion throughout any type of environment.”
Misconfigurations of file sharing and collaboration tools – including cloud computing services – are common issues that could lead to ePHI exposure, the ONC explained in its June 2016 Cybersecurity Newsletter.
“Too often, access, authentication, encryption and other security controls are either disabled or left with default settings, which can lead to unauthorized access to or disclosure of that data,” ONC stated.
Risk analyses or proper risk management should also be part of covered entities’ “evaluation process in response to environmental or operational changes within the organization,” according to ONC.
CSPs are also considered business associates under HIPAA regulations. A BAA will help ensure that each party will be “contractually liable for meeting the terms of the BAA and directly liable for compliance with the applicable requirements of the HIPAA Rules.”
Barrier: Losing control of data
Organizations might also hesitate with implementing cloud options over a fear that they will lose control of their data. With patient ePHI in particular, this can be an overwhelming consideration.
Covered entities need to choose their CSPs or business associates assisting with cloud computing wisely. As previously mentioned, comprehensive and updated BAAs will also help ensure that data remains secured.
Investing in cloud-to-cloud monitoring and security capabilities will also be critical, writes HealthITSecurity.com contributor Bill Kleyman.
“Cloud and on-premise monitoring allows you to mitigate risk and create new levels of visibility into user, application, and data interaction,” Kleyman wrote.
Entities can manage keys, require data encryption, and even opt for whether data lives on one network or link.
Citing Gartner data, Kleyman added that only a small percentage of the security incidents impacting various organizations using the cloud have been caused by vulnerabilities that were the provider's fault.
“Gartner estimated that through 2020, 95 percent of cloud security failures will be the customer's fault,” he stated. “That means the cloud will be inherently secure, but our configurations and workloads will be at risk.”
Legacy IT can also be a roadblock to healthcare cloud utilization, Kleyman wrote.
“Just because an application is still “working” doesn’t mean it’s actually bring much value to your organization,” he said. “Yes, it can be expensive to move to newer platforms or applications. But ask yourself about the tradeoffs and limitations with what you have today. And, review how this impacts your ability to delivery key healthcare services.”