Cloud Security Risk Management Among ECRI’s Top Health Tech Hazards This Year

January 20, 2023 - Cloud security concerns settled into the number five spot on ECRI’s list of “Top 10 Health Technology Hazards for 2023,” a report that the organization has released annually for the past 16 years. ECRI is a nonprofit organization that focuses on healthcare technology and safety.

The organization’s annual health tech hazards list is compiled by a team of clinicians, healthcare management experts, and biomedical engineers. Last year, ECRI identified cyberattacks as the number one health tech hazard.

This year, among other health tech hazards, ECRI suggested that organizations would struggle with managing cybersecurity risks associated with cloud-based clinical systems.

“Accessing a clinical service such as an electronic health record (EHR) or a radiology system through the cloud can offer significant benefits compared with more traditional systems,” the report stated.

“This deployment model does not, however, eliminate a healthcare delivery organization’s security considerations. It only changes them.”

Cloud adoption is rapidly increasing in healthcare for good reason. Cloud-based systems have significant advantages when it comes to data protection and maintaining backups. But like any technology, the cloud is not immune to cyber risk.

In addition, ECRI suggested, the journey to the cloud typically comes with a natural shift in control and responsibility.

“In a cloud deployment, much of the workload and control shifts to the cloud provider. Consequences of this shift are that the healthcare delivery organization must rely on the cloud company to ensure the security and reliability of its online operations and to remediate any security event and promptly restore service,” ECRI noted.

“Nevertheless, in most cases the liability for any failure remains with the healthcare delivery organization.”

ECRI reasoned that organizations that fail to account for these changes could be at risk from a security perspective. Disruptions to cloud-based services could impact protected health information (PHI) and patient safety.

“To protect itself against a consequential security event, a healthcare delivery organization should evaluate how a cloud provider safeguards both the functionality of its system and the confidentiality and availability of patient data,” ECRI recommended.

“In addition, the organization should implement appropriate internal security controls to reduce the risks.”

In August 2022, the Health Sector Cybersecurity Coordination Center (HC3) released an analyst note detailing cloud security risks. The note addressed issues with shadow IT, misconfiguration, cloud hijacking, and more.

Despite these concerns, cloud technology can have great benefits to healthcare organizations. It is crucial that organizations balance these benefits with carefully considered security measures to mitigate risk. 

For example, HC3 suggested that healthcare organizations use a cloud service provider that encrypts, conduct compliance audits, and implement a zero trust security model.