Securing Healthcare’s Move to the Cloud

susanbiddleBy Susan Biddle, Sr. Director of Healthcare, Fortinet
Twitter: @Fortinet

A hot topic in healthcare IT discussions these days is the inevitable move of secure data to the cloud, and for good reason. Providing medical care has truly become a consumer market for hospitals and other healthcare institutions. Organizations are being expected to provide the absolute latest in patient care capabilities across the board, including hotel-like amenities to make a patient’s stay as comfortable as possible. People can choose what hospital they go to, and they are choosing based on both the quality of the care and the quality of the services provided.

In this increasingly competitive healthcare environment, cloud technology offers many benefits to healthcare organizations. As “big data” continues to change healthcare, the cloud facilitates the handling and sharing of that data, and the high-powered analytics necessary to use it to better treat patients. It is also eases collaboration and information sharing between physicians and hospitals in different areas. Another advantage: cloud solutions are usually extremely flexible and scalable, allowing organizations to quickly increase processing and storage capacity in order to meet escalating demands.

Increasingly, cloud applications are making it possible to deliver “patient empowerment” tools, like robust educational content and remote patient monitoring (RPM), where patients can use mobile medical devices to perform routine tests and send test data to their healthcare professional. Remote patient monitoring makes it possible to get quality care without even going to the hospital.

Still, despite its numerous advantages, many healthcare organizations are reluctant to move critical information and applications to the cloud. Concerns about privacy, integration and security bring significant challenges and barriers.

Compliance Concerns in the Cloud
Some hospitals are slower to make the move due to changing regulations regarding healthcare information security. Original HIPAA legislation (the Health Insurance Portability and Accountability Act of 1996), which included strict regulations around privacy and security of electronic health data, only applied to health plans, health care clearinghouses and health care providers who transmitted health information in electronic form.

In 2009, that changed with the Health Information Technology for Economic and Clinical Health Act (the HITECH Act). The HITECH Act expanded HIPAA rules to cover “business associates” of healthcare organizations, like healthcare information exchanges, E-prescribing gateways for mail order pharmaceuticals, accounting or consulting firms that work with hospitals or doctors, and any other organization that could have access to health records or health information. These entities must ALL be HIPAA compliant now. This can be a concern as you move to the cloud and relinquish some control over access to this data.

Another concern is the audit trail. When you have your records in-house, you can ensure there is an exact trail of audit for who accessed records and what level of access they had to the information. With the cloud, it’s tougher to get that audit trail because the compute spreads across multiple platforms.

The Issue of Integration
As organizations consider cloud migration, one question that arises is: can both clinical and non-clinical applications be moved to the cloud and integrated? On the clinical side, some of the functions that are already being moved to the cloud include electronic medical records (EMR), picture archiving and communications systems (PACS), computerized physician order entry (CPOE) and health information exchange (HIE). Most of these systems require a considerable amount of storage space, and the ability to expand that capacity quickly, making them ideal candidates for the cloud.

Where many healthcare organizations use the cloud now is on the non-clinical side, to support operational and financial applications. That includes revenue cycle management, patient billing, accounting, payroll and claims management. A lot of these are standard computing practices in the financial world that are in the cloud now.

The issue for healthcare becomes integration. Ideally, you need those two worlds, the clinical and non-clinical, to meet somewhere. Being able to integrate these many different cloud-based functions would improve both patient care and hospital management.

Managing the Security Challenges of Moving to the Cloud
The biggest concern for healthcare organizations is how to protect sensitive patient and financial data when it is not physically housed at your facility? The first step is choosing your cloud provider carefully, making sure it has sufficient security as well as backup capabilities and can meet strict healthcare compliance requirements. Then you need to think about your network and how incorporating the cloud affects your ability to protect it.

As an organization’s IT infrastructure stretches and evolves, the attack surface for cyber criminals expands as well. If your security can’t keep up with the agile public, private and hybrid cloud environments of today, gaps in protection will occur. The biggest challenge is the growing concern of exposing sensitive patient and financial data to advanced malware and other threats in this new, fast-evolving cloud environment.

At the very least, below are three steps to begin the journey to the cloud. By adopting an inside-out perspective, organizations can ensure security is a holistic, end-to-end solution, regardless of the data and where it resides.

  1. Take a big-picture view: The first step is to understand the source—the many different ways an internal threat can originate. Today’s IT environment is much more fluid and mobile. The impact of BYOD is exponential as employees may use a smartphone, tablet, desktop or laptop at any time to access their corporate network, applications and data. Add to that the number of applications, which may or may not be secure, on each of those devices. Then factor in the number of partners and vendors you share data with and the vulnerabilities of their networks due to the same issues of devices and applications. Whether intentional or not, the sources of internal threats are extensive. To tackle these issues, there needs to be clear security visibility across the entire network to view and detect threats and abnormalities in the flow of information.
  2. Develop user-profile security policies: While your view of the threat landscape is at the 30,000-foot level, security policies need to be granular – at the user level. Develop policies that account for different profiles of user groups: who they are, what they regularly need access to, where they are physically located, what device are they using to access the network and what applications they need to access. For example, your finance teams will likely need different information and applications than your medical teams. By creating and enforcing these detailed user profiles within the security infrastructure, you can limit hackers’ access to resources and the damage that could result from the misuse of legitimate credentials to access unauthorized information.
  3. Create trust zones: Within the network, IT has the ability to establish physical segments that create secure areas for users and sources to interact. In these designated areas, people can share certain types of information and access certain applications and data. Any communication between these trust zones should be segmented by a firewall, enforcing the user-profile security policies and deploying a range of advanced security services to detect and protect against threats and hackers. Deploying these internal segmentation firewalls provides visibility into the internal network traffic – which can be used to enhance zero-day attack mitigation and overall security posture.

Data is certainly the main draw for cyber criminals. From electronic medical records to financial transactions to medical devices within hospitals that are constantly feeding information back and forth, there is always a huge amount of data housed in and moving through hospital networks. Healthcare client records are also extremely valuable, going for up to $500 per record on the black market. When you combine the value of the information with the fact that IT infrastructure within the healthcare industry is often fragmented, spread out and outdated, you see why healthcare is targeted by hackers more than any other industry.

The need to keep pace with the rapid transition to the cloud and provide effective security across any cloud environment places serious demands on your cloud security solutions. They must be agile and scalable to meet your changing needs, fully integrated to connect different applications and provide visibility across your network, and segmented to minimize the impact of an advanced threat by isolating applications, data and traffic.

Data must be protected in the cloud and in transit. You must have strong user authentication policies to prevent unauthorized access to data, and you must be able to monitor user and device activity throughout your distributed network. Today’s ongoing threat landscape requires an integrated approach in order to tie all elements of a healthcare organization’s cloud security together and is paramount to be able to ensure adaptive protection for clinical and non-clinical applications alike.

It’s safe to say that as healthcare evolves, its reliance on cloud-based computing will continue to grow. It’s also a safe bet that hackers will continue to target healthcare organizations and their extremely valuable data. For these organizations, taking the time to design a security solution that protects their increasingly complex and distributed network, and all the devices and data on it, will be crucial to their success going forward.