Cloud Healthcare: Benefits and Risks

Many organizations are moving most of their business-critical applications and workloads to the cloud. The healthcare industry is no exception – hospitals, payers and other organizations also are making moves to the cloud.

While they’re working hard to improve their security measures and making great strides to better protect their data, security challenges continue to evolve.

Healthcare, everywhere

As the organizational structure of healthcare facilities continues to advance, cloud adoption brings numerous benefits for these institutions. Not long ago, patient files were all on paper – placed into a folder that never left the physician’s office. But with the consolidation and reorganization of many healthcare organizations, this approach has become outdated and replaced by electronic records.

The cloud helps address this structural shift by solving many problems, such as the ability to store information off-site and allowing patients to access their records from home. In addition, physicians, nurses and administrators, who may need to work remotely or at multiple locations within a healthcare group, now have the freedom to track their work in real time by accessing and uploading critical information. Cloud-based storage and applications can boost collaboration and information sharing, leading to better communication between departments and specialties.

With the proliferation of connected healthcare devices that collect and transmit patient data, the scalability and larger storage capacity of the cloud helps drive this change. Organizations can cut down on operating and physical storage costs, while also streamlining efficiencies.

Do no harm

While there are many benefits of moving to the cloud, there also are inherent risks. The HIPAA Omnibus Rule requires patient data to be properly protected, regardless of where it is stored – and this includes cloud applications. Even vendors or healthcare partners that are working as a third-party firm, and do not necessarily view the stored data on a regular basis, must adhere to the same HIPAA regulations.

With the digitalization of patient data, new threats are putting hospitals increasingly at risk of compliance violations related to patient privacy violations, among other things. Simply storing data in the cloud is not enough. Similar to cloud-based data centers in business, security systems and policies need to be put in place to protect patient data and critical applications.

Many healthcare organizations consider implementing in-house security solutions to protect their cloud-based data, but this means they need around-the-clock staff to properly manage and respond to alerts – and finding and building this team is no easy task. IT teams are often already overwhelmed due to the large volume of security alerts generated each day, many of which are false positives, which means many hospital IT teams simply don’t have enough hours in the day to investigate each threat thoroughly. This opens up the organization to tremendous risk.

Why outsource?

So, how can a healthcare organization maximize the rewards of cloud-based data and applications while minimizing the security risks associated with these systems? One solution is to consider outsourcing the security monitoring, response, and compliance reconciliation to a managed security service provider (MSSP).

MSSPs are growing in popularity in healthcare, along with many other highly regulated industries such as banking and utilities. Their unique skillset and convenient service model is appealing to organizations with limited resources trying to meet stringent requirements. Plus, the costs associated with an MSSP are significantly less than building your own Security Operations Center (SOC) and maintaining the same level of service in-house.

However, not all MSSPs are created equal. That’s why it’s important to thoroughly evaluate MSSP candidates and cross-reference their healthcare expertise to ensure a seamless transition to the cloud.

Six questions for your MSSP

Here are some key questions to ask any potential MSSP prospect:

1. Do you offer service level agreements (SLA) that provide the proper level of security needed for regulatory compliance and system availability?
2. Can you provide an Attestation of Compliance for HIPAA?
3. Does your company have a dedicated SOC? If so, can we have a tour?
4. Does your mix of security services include 24/7 monitoring, breach detection and incident response?
5. Will you agree to comply with our organization’s internal information security policies, as well as any data backup requirements, retention requirements and vulnerability scans required by regulation(s)?
6. Does your standard contract include a termination clause, a right to audit clause and a limitation of liability clause?

For healthcare organizations with limited budgets and small IT teams, the MSSP model backed by a qualified partner can serve as an extension of their team, help close the security gap and make the most of moving to the cloud.

###

By Ken Adamson