by Jon Moore, MS, JD, HCISSP, Chief Risk Officer and Head of Consulting Services, Clearwater
Seeking flexibility, scalability, and cost savings, an increasing number of healthcare organizations are moving systems and data to the Cloud. This trend is accelerating, fueled by increased adoption of telemedicine sparked by the pandemic, wearable medical devices and continuing investment and growth in cloud-native health IT startups.
In a 2021 study by Netwrix[i], nearly 61% of healthcare organizations said they store at least some healthcare and employee data in the Cloud, and 54% of healthcare respondents said they store sensitive data like personal health information (PHI) and personally identifiable information (PII) in the Cloud. Compared to the 2019 study, fewer healthcare organizations are storing healthcare and employee data in the Cloud but more are storing personal healthcare records.
Based on trends we see with the pandemic response, especially the move across all industries to adopt more remote workforce capabilities, we can likely expect cloud adoption—in some form—to continue to increase going forward.
Today, the Nutanix Enterprise Cloud Index[ii] for healthcare finds that hybrid cloud models are thought by almost 87% of surveyed organizations to be the ideal deployment model, with more than 40% of healthcare respondents saying they intend to increase hybrid cloud usage in the next three-to-five years while decreasing traditional data center usage (33%).
That same survey indicated that security and regulation drive hybrid cloud adoption, with 33% of respondents stating they believe it is the most secure alternative, followed by on-prem private clouds as the second-most secure at 21%.
While there are increasing benefits for healthcare organizations that adopt cloud models, introducing sensitive and protected data into the Cloud creates various new risks. As we’ve seen in some surveys, organizations are conflicted on whether cloud security makes it easier or more challenging to manage these risks.
We believe the answer is, it depends. Suppose an organization has the expertise to understand the Cloud’s unique security risks and how to appropriately leverage the many safeguards available from the more reputable Cloud Service Providers (CSPs). In that case, they will be able to manage the risk effectively. If organizations don’t have the expertise, the complexity and difference of the Cloud mean risks can quickly turn into a reality with significant impacts on organizations, partners, and patients.
Organizations likely recognize this. It may provide one possible explanation for why fewer organizations appear to be moving data to the cloud generally and yet we have more sensitive healthcare data in the cloud. Where appropriate, organizations are adopting SaaS applications, transferring much of the security burden to the providers of the SaaS solution and cloud service providers. Otherwise, they are looking to move their data out of the cloud, where they feel more comfortable protecting it.
Netwrix’s 2021 survey indicated that almost 39% of respondents had a cloud security incident in the previous year. Many required days or even weeks to recover.
BUCKETS OF TROUBLE
If you’re keeping your eye on cybersecurity trends, you likely hear about significant data breaches frequently. And while these successful breaches make big headlines, they represent only a fraction of the potential exposures that can exist in cloud environments because of vulnerabilities, misconfigurations, and other undetected security issues.
For example, in February of this year, a researcher discovered a misconfiguration issue for a healthcare entity using Amazon Simple Storage Service (Amazon S3), a private cloud storage solution. This misconfiguration issue exposed 50,000 health records. With Amazon S3, users can store data and then restrict access to ensure it is only accessible by specific, authorized users. However, if a customer does not appropriately configure the Amazon S3 bucket, anyone on the Internet can access the data. Unfortunately, this is one of many examples that show an ongoing pattern of risk created by improperly configured Cloud resources—whether public or private.
Why is this happening?
Well, it is rooted in one of those benefits of cloud adoption. While cloud solutions can be straightforward to set up and use (often just a few mouse clicks to get you on your way), they can be complicated—without the right experience and knowledge—to configure correctly and maintain. This concern is especially relevant when customers are unclear about who is responsible for which security processes and procedures.
GENERAL RECOMMENDATIONS FOR MANAGING CLOUD RISKS
To keep your public, private, hybrid, or community Cloud environment safe, it’s essential to:
- Understand your shared security responsibilities
- Understand the environment because it will influence your security measures
- Classify all information because not all information requires the same security controls
- Implement baseline controls (suggestions: CSA, NIST, FedRAMP, CIS and other regulatory and compliance-based measures)
- Perform risk management, including risk analysis:
- What’s your level of acceptable risk?
- What’s your risk threshold?
- What do you do when an issue exceeds your level of acceptable risk?
- Test controls to ensure they’re functioning as you intended
- Monitor systems to make sure that your controls are effective and protecting the confidentiality, integrity, and availability of your data
For further insight on these and other issues impacting healthcare data in the Cloud, I encourage you view my recent webinar “Healthcare’s Cloud Migration: 7 Emerging Data Security Risks,” available on-demand on the Cloud Security Alliance’s CloudBytes platform.
Reach out to me with your questions at firstname.lastname@example.org.