Healthcare Orgs Move to the Cloud – Are They Secure?

This post is also available in: 日本語 (Japanese)

Healthcare is outpacing many other vertical market segments when it comes to cloud adoption, and for good reason – namely, to reduce IT complexity, slash costs and stay ahead of increased regulatory scrutiny.

According to the Global Healthcare Cloud Computing Market 2017-2021 report, the global healthcare cloud computing market is expected to grow at a compound annual rate of just over 21% between now and 2021.

That said, many small and mid-sized enterprises – not healthcare-specific, but certainly inclusive of healthcare – are struggling to find people with the necessary skill sets as well as the security tool sets to secure their cloud systems and manage them using on-premises security. And it’s even more of a challenge for healthcare organizations when security isn’t centrally managed by anyone, but instead is managed by the CIOs, operations, development and remote office teams.

Under such pressures, public cloud computing provides a way to meet these objectives while also improving the security of IT infrastructure. Security improvements are always relative, of course, to organizational ability to execute. That said, healthcare organizations with significant restraints on resources and lacking dedicated security expertise on staff have a better chance at improving security in the cloud than managing their own on-premises systems.

Let’s put things into perspective.

According to the HIPAA Journal, “Between 2009 and 2018 there have been 2,546 healthcare data breaches involving more than 500 records. Those breaches have resulted in the theft/exposure of 189,945,874 healthcare records. That equates to more than 59% of the population of the United States. Healthcare data breaches are now being reported at a rate of more than one per day.”

Not to mention there are significant fines that come along with it. “2018 was a record breaking year for HIPAA fines and settlements, beating the previous record of $23,505,300 set in 2016 by 22%. OCR [Office for Civil Rights] received payments totaling $28,683,400 in 2018 from HIPAA covered entities and business associates who had violated HIPAA Rules.”

Cloud security is a shared responsibility. No excuses.

Being tight on staff and resources is certainly a reason for rising data breaches and system availability problems – but it’s not an acceptable excuse. This is especially true for healthcare providers. Guidance from the Department of Health and Human Services Office for Civil Rights made it clear – healthcare providers and business associates are the ones responsible for making certain that their cloud environments and cloud service providers are secure and compliant with security and privacy mandates.

There’s no one way for healthcare providers to succeed at managing and securing cloud environments, but there are certainly tactics that don’t work. Those tactics include doing what too many businesses have focused on for too long: ad hoc security and reviews, attempting to secure systems based on checklists, and building “security” programs that focus on compliance rather than mitigating real risks.

Don’t worry – there’s good news.

The good news here is that the cloud can be used to help simplify these efforts through automation and continuous monitoring, both for new systems that may arise as well as systems that fall out of compliance with regulatory and security policies or otherwise become vulnerable. Cloud systems exist in a constant state of flux, where misconfigurations and vulnerabilities can creep in at any time. Continuous monitoring helps identify these anomalies and then automatically respond and remediate them. Automation is also especially beneficial for any enterprise with tight limits on resources. You can learn more in our new eBook, Continuous Monitoring and Compliance in the Cloud. I’d also encourage you to check out the recent automation webinar we hosted with SANS, Delivering Infrastructure, Security & Operations as Code.

If you’re ready to experience the security power of automation and continuous monitoring firsthand, I encourage you to take a test drive of our suite of public cloud security products: RedLock cloud security and compliance service and VM-Series virtualized next-generation firewalls.