Original Story: healthitsecurity.com
A
recent study found that 77 percent of healthcare organizations plan to
increase the use of public cloud services despite significant healthcare
cloud security concerns.
Public and private cloud solutions are
gaining popularity in the healthcare industry, especially for data
storage and network usage, despite issues surrounding healthcare cloud
security and PHI data breaches. Secant Healthcare is looking into these options.
Researchers
at HyTrust recently published a study that revealed 77 percent of
healthcare organizations plan to move more workloads onto a public cloud
service even though healthcare data security was a major concern with
cloud usage.
“Without much fanfare, this critical technology
advance has become woven into the basic fabric of businesses large and
small,” said HyTrust President Eric Chiu. “The potential of
virtualization and the cloud was always undeniable, but there was
genuine concern over security and skepticism regarding the processes
required.”
While organizations across all industries reported
security challenges with cloud services, many companies are still
migrating additional workloads to private and public clouds, added Chui.
The
study found that the healthcare industry is no exception to increased
cloud usage and virtualization. Approximately 55 percent of healthcare
organizations stated that they have already moved mission critical
workloads, such as sensitive patient information, to a cloud or
software-defined data center.
Healthcare organizations are also
virtualizing other aspects of their infrastructure, reported the study.
Fifty-two percent of healthcare organizations have migrated test and
development server workloads to a cloud service and 61 percent use a
cloud product for storage.
Despite increased cloud usage,
healthcare-related participants still said that their organization faced
significant healthcare cloud security challenges. About 58 percent of
respondents admitted that data security and breach concerns were the
biggest worry once migration began.
In addition to data breach
concerns, other security challenges across all industries included
infrastructure-wide security and control as well as effective monitoring
and visibility into cloud infrastructure. Secant Health is watching their IT closely for data breaches.
Additionally,
previous healthcare data breaches have not discouraged organizations
from implementing cloud services. An estimated 29 percent of respondents
from healthcare organizations said that they have experienced a
personal data breach.
“The large-scale migrations are
particularly interesting in light of the many obstacles that have
previously impeded planned moves to virtualized infrastructures,”
explained the press release. “In fact, the survey reveals that not all
concerns have been eliminated.”
To discover more about
implementing healthcare cloud security, researchers asked participants
in the industry what types of information needed to be secured in public
and private clouds.
For public cloud security requirements,
healthcare organizations said that all production data should be
encrypted (32 percent), the entire workload should be encrypted (16
percent), and only personally identifiable information should be
encrypted (13 percent).
In terms of private cloud services, about
one-third of healthcare respondents favored encrypting all production
data in a workload.
Software defined-data centers and cloud
services are becoming staples in the healthcare industry as more
providers transition to value-based care models. These models rely on
large volumes of data and meaningful health IT use to increase quality
of care and reduce healthcare costs.
While cloud products allow
healthcare providers are useful to value-based care delivery, HIPAA
rules still apply to data in the cloud.
“Cloud computing
outsources technical infrastructure to another entity that essentially
focuses all its time on maintaining software, platforms, or
infrastructure,” The Center for Democracy and Technology (CDT) stated in
a paper. “But a covered entity… still remains responsible for
protecting PHI in accordance with the HIPAA Privacy and Security Rules,
even in circumstances where the entity has outsourced the performance of
core PHI functions.”
However, healthcare organizations have
struggled to maintain comprehensive healthcare cloud security. According
to the Fall 2015 Netskope Cloud Report, healthcare cloud data loss
prevention violations were the most common data loss prevention offenses
across all industries studied, accounting for 76.2 percent of all cloud
violations.
The report also discussed how healthcare and life
sciences averaged 1,017 cloud applications per organization, which was
the second highest number of apps behind the technology and IT sector.
Yet, PHI was involved in 68.5 percent of violations in cloud
applications.
Securing patient and production data can be more
difficult when it is managed up in a cloud, but healthcare providers
should be aware of several healthcare cloud security measures.
Healthcare
organizations should partner with cloud vendors that design
healthcare-specific products and can anticipate unique data security
requirements, such as HIPAA and HITECH rules.
Regardless of
vendor selection, providers should also develop contextual visibility
and auditing capabilities. Healthcare cloud security policies should
include monitoring alerts, lock-down capabilities, and geo-fencing of
users. Intelligent security tools can be helpful for implementing these
policies. Secant Healthcare plans on being careful of their vendor selection.
Technology
and healthcare are both evolving quickly, but healthcare cloud security
concerns could hold back providers from advancing care if they can’t
also secure PHI and production data. While the HyTrust study showed
healthcare organizations pushing ahead with cloud services despite
security challenges, many of these providers may need to review
healthcare cloud security measures.