Keeping Healthcare Safe in the Cloud

Intel Security’s recent cloud security report showed cloud adoption growing globally across all industries. One segment that’s turning to the cloud at a rapid pace is the healthcare industry, with 96% of healthcare organizations adopting at least some cloud services, compared to the cross-industry average of 93%. In fact, the only industry segments with higher cloud adoption than healthcare were finance and technology firms, both at 99%.

It’s not just private cloud services that healthcare organizations are turning to – 81% are working under a “Cloud First” policy, meaning they will build an internal service, only if they cannot find a suitable cloud offering. Perhaps most surprisingly, given that they work under strict privacy regulations, healthcare organizations were among the biggest users of public-only cloud services with 24% adopting at least one type of public cloud service compared to the cross industry average of 19%.

The shift to cloud services hasn’t been entirely smooth for the healthcare industry. More than half the healthcare survey respondents (52%) said they had tracked a malware infection to a software-as-a-service application and 25% had experienced some form of data loss that could be traced back to a cloud service.

Shadow IT is also a major concern, with healthcare organizations saying 38% of their cloud service usage consists of services commissioned without IT’s involvement and 63% of respondents saying Shadow IT is making it harder to keep the cloud secure.  The  combination of Shadow IT, and the sprawl of IP enabled IoT devices demands policy management and visibility tools that span premise, private, and public clouds.

While cloud services are clearly an increasingly popular option for healthcare providers, security is a concern. There are some important steps hospitals and clinics can take to keep their information in the cloud as secure as possible:

1. Communicate clearly and frequently with business leaders: Ensure the IT team knows what the organization’s needs are and build a business case around those needs. Security teams must plan strategically and not just respond to problems and projects as they arise. Communicating with the business units also helps ensure the IT team is involved with commissioning new services and potential risks can be mitigated.

2. Establish a security strategy, potentially by leveraging frameworks such as NIST Cyber Security Framework, NIST 800-53, and the 20 CIS Controls. Once an organization has a security strategy in place, tactical planning can follow. The most up-to-date security technology can’t help a hospital or clinic if it doesn’t have a well-defined strategy.

3. Get visibility into the overall security environment. Many attacks today use legitimate credentials, so the only way to see if an attack is occurring is often by looking at data, who is accessing that data and how they’re using it.

Hospitals rely on patient trust to grow their businesses. That trust isn’t just based on a patient’s belief that they’ll receive excellent healthcare, but also on a hospital’s ability to keep confidential patient health and payment records secure. Healthcare information that is compromised can quickly erode a hospital’s image and brand.

Cloud services will continue to be a popular option for healthcare organizations because they can be deployed quickly and potentially offer cost-of-ownership savings. However, hospitals and clinics need to keep in mind that while it’s possible to outsource IT services, it is not possible to outsource risk. Any attack that exposes information stored in the cloud is a threat to the healthcare organization’s reputation. Cloud services can be used safely, but only if they fit well within a comprehensive security strategy.

For more information on how to build a security strategy that allows you to remain secure in the cloud, contact DynTek.