- Transitioning data from your own data center to a cloud environment is never a completely smooth process, but recent data breaches have likely forced healthcare organizations to ensure cloud data is secure as possible. Some organizations have gone all-in with cloud storage and have complete trust in their cloud provider, while others prefer to keep sensitive data in-house and within their control.
Dale Atkins, Technical Architect at Munson Medical Center, told HealthITSecurity.com that Munson, a 391-bed regional referral hospital in Traverse City, Michigan, falls somewhere between in the cloud adoption spectrum. Atkins discussed how the organization sees the value in some types of cloud storage, but during internal discussions on moving infrastructure to the cloud, Munson has raised some potential issues.
Can you talk about Munson’s cloud approach and some security considerations?
From an external standpoint, we do have some reservations about moving any part of our infrastructure to the cloud. There are issues in healthcare with the requirements to join health information exchanges (HIEs) as part of the Affordable Care Act (ACA), so we have to resolve those. We don’t know whether some cloud providers have the track record of protecting information at the levels we need. Certainly there are a lot of businesses that are moving their infrastructure to the cloud. We don’t have a comfort level internally with that, as we’re one of the few hospital systems that uses Cerner as our primary EHR where we host our own system. Generally, if you’re a Cerner customer, they’re hosting it for you in their cloud but we actually do it ourselves.
It’s been a long-time philosophy here that we do things in the confines of our own data center. To the extent that we can do that [going forward], we probably will. But that being said, we are looking at some different technologies that we may move onto the cloud, and one of them is mobile device management. We don’t necessarily provide a lot of clinical devices for our employees, but we do have a robust BYOD policy, as we support physicians and other clinical staff members to bring in iPads, tablets and other types of smart phones. We provide device connectivity for them to our network and applications through email as well as our EMR system.
How does your mobile strategy fit into your cloud plans?
So we’re looking to move the management of those devices out to the cloud. We have a few proof of concepts for an internally hosted and a cloud-based system. That may be our first step in terms of anything from a security standpoint. It’s a big gap for us right now in managing our mobile devices, so our first focus from a security standpoint is to lock down those devices in some form. With that, we’d move the management of that security, configuration and application delivery, and email security as well as file and folder access to the cloud.
What are you comfortable with at the moment with respect to cloud storage?
I just spoke with the engineer who’s leading the project yesterday and we’re kind of looking at a hybrid solution where some of the information is hosted in the cloud with a cloud provider. But we would also maintain hooks into certain data within our own data center. The nature of which data stays inside and which data stays outside is still an open question [for us]. But we’re actually looking at that as a hybrid solution, as we’ll be using the [Citrix] XenMobile product for mobile device management (MDM). There are capabilities within that module that allow us to be flexible and [use the hybrid approach]. It’s a little more of a complex setup, as you have a lot more moving parts and when something goes wrong you need to figure out where it happened and whether it was data from the cloud, somewhere in between or within our data center. This is a good solution for us, rather than having to decide whether to go all-in internally or externally in terms of data storage.
What is your biggest security concern in storing data in the cloud?
Any time we use an external cloud, it’s going to be Secure Sockets Layer (SSL) encrypted traffic. There’s no doubt about that because you don’t have a choice, otherwise. I think the biggest problem is that, while the data can be secured and encrypted things get lost inadvertently or maliciously. The internal misuse or loss of data is a big concern.