3 Key Considerations in Cloud Security for Healthcare Organizations

With medical system consolidation and increasing numbers of medical records created, the need for digital access and storage is gaining steam. Digitizing records allows clinicians to improve accuracy and decrease redundant testing and studies, as well as reduce treatment delays. Greater availability of digitized records has other perks too. With vast amounts of accessible medical data, researchers can move public health studies forward, also potentially improving care and treatment of individual patients.

As a result, cloud storage is taking off, though healthcare organizations are adopting it more slowly than other industries. According to a 2019 Nutanix report, 71% of healthcare organizations using cloud were considered the least mature – relative beginners – in that they were using fewer cloud services. Compare that figure to finance or retail, where 13% and 15% respectively were beginners. However, that is changing.

By 2022, an estimated 30% of hospital data centers will be cloud-based, according to a Gartner study. Even if data centers are not entirely moved to the cloud, a healthcare system may be using the cloud for some workload and computing, given the growth in big data. Cisco estimates that 94% of workload and compute instances will be processed by cloud data centers by 2021, with cloud storage anticipated to almost double between 2019 and 2021.

It’s not only good business sense to ensure protected health information (PHI) and health systems’ security – there are healthcare legal obligations as well. Healthcare organizations are starting to realize that their perceived security concerns are being addressed, leading them to consider three key factors for security when implementing cloud storage and usage: cybersecurity is a threat in on-prem as well as in the cloud; HIPAA and HITRUST frameworks provide security guidance; and there’s no delegating security – shared responsibility is fundamental.

1) Cybersecurity is a Threat – Even in the Cloud

Any organization with computer systems is at risk for cybersecurity issues, whether data is in the cloud or on-prem. In the first half of 2019, health records from more than 35 million patients were exposed or compromised. These breaches often go undetected for extended periods of time.

Cybersecurity breaches cost not just money, but also reputation, employee productivity, and regulatory standing. Financially, cybersecurity costs across all industries are estimated to exceed $150 million by the end of the year, according to Juniper Research. Healthcare organizations, though, should expect higher costs than other industries. In 2018, the cost of healthcare data breaches was 60% higher than in other industries, with healthcare averaging $6.45 million per data breach and $429 per breached record.

It’s understandable that the healthcare field has concerns over data security. After all, medical records are full of PHI (Protected Health Information). Contrary to some perceptions, moving to the public cloud does not increase security risks. The public cloud is anticipated to have 60% fewer security incidents than traditional data centers, according to Gartner.

2) HIPAA, HITRUST Security Frameworks

Regulation is both a blessing and a curse. For healthcare organizations, it means complying with the Health Insurance Portability and Accountability Act (HIPAA, from the Health Information Technology for Economic and Clinical Health — HITECH — Act), which has a goal of protecting PHI’s integrity and confidentiality, while promoting industry-wide standards for healthcare information in electronic billing. Healthcare organizations must also ensure their business associates are doing that too. HIPAA doesn’t discriminate between paper and electronic records, so cloud data needs the same protection as paper charts.

HIPAA does not have a specific certification, though. Healthcare organizations rely on HITRUST CSF (Health Information Trust Alliance Common Security Framework), a nonprofit certification organization and framework bringing together multiple compliance frameworks, such as HIPAA, ISO, PCI and NIST. It’s a certification serving other industries as well, and its framework covers 19 domains, including healthcare data protection and privacy, transmission protection, network protection and audit logging. It’s healthcare’s most widely adopted security assessment approach.

3) Shared Security: Data Hosts and Healthcare Organizations

More and more companies are migrating to Google Cloud Platform (GCP), as it is cost-effective, flexible – and most importantly – secure. Healthcare organizations are realizing that they also gain security features without having to increase their own IT staffing. GCP’s public cloud security features and products are intrinsically more comprehensive and robust than those in on-prem data centers. Compare a GCP security engineering team of more than 700 with your own healthcare system IT department. And GCP conducts regular third party audits and documents approaches to security and privacy design. The platform holds 22 industry and country-specific certifications and compliance standards, including HITRUST CSF certification, SOCs, WORM, Privacy Shield, and others.

That doesn’t mean the healthcare system is off the hook for security, however. That’s where the concept of shared responsibility enters. GCP provides guidance and multiple security features to customers, but the customers must uphold their end. An estimated 90% of organizations that fail to control their public cloud use inappropriately share sensitive data, according to Gartner. Gartner also found that 99% of cloud security failures are the user’s fault. Healthcare systems must maintain their vigilance and use the cloud security features provided, while maintaining their own rules and environment. Even with all data encrypted at rest and in transit on GCP, healthcare organizations must determine whether their own applications need additional encryption beyond what the HIPAA Security Rule requires.

As a Google Premier Partner, Maven Wave has deep expertise not only in technology, but its application in healthcare. Maven Wave implements GCP’s Healthcare Data Protection Toolkit for healthcare organizations, helping them to deploy administrative and technical controls to help meet their privacy, security and compliance objectives. For more information, see our white paper, Securing Personal Healthcare Information in the Cloud, and reach out to us to talk more about your organization’s needs.

Maven Wave’s healthcare experts will be at HIMSS 2020 from March 9 – 13 in Orlando, Florida. Stop by booth #4243 to meet our experts and learn how we are enabling patient-centric care with Google Cloud. Learn more about where you can find us at HIMSS here.

About the Author

Harrison Sonntag
Harrison Sonntag is a Principal Consultant with Maven Wave, focused entirely on helping healthcare organizations with digital solutions that are agile, mobile, rooted in analytics, and built in the cloud. A former educator and graduate of Dartmouth College, Harrison’s passion is equipping healthcare organizations to improve the lives of the populations they proudly serve through technological innovation. His main areas of expertise and focus are applied AI in healthcare and enabling positive change through the application of advanced analytics.
February 10th, 2020

2020-09-03T13:21:54-05:00