HIT Think

How the cloud can bolster a provider’s security strategy

Register now

The constant barrage of various studies and reports on cyberattacks on healthcare organizations make security executives anxious, and for good reason. Some reports suggest that more than 80 percent of hospitals, health systems, large physician groups and health plans have been hacked.

These attacks include ransomware, malware and theft of data. While all of these are bad, there is another risk that many healthcare IT professionals secretly fear but haven’t talked about much: If hackers get in, they could change or corrupt clinical data. Depending on the data that is affected, this could seriously compromise patient care, and it also could be nearly impossible to detect.

Altered clinical data can affect patient care and could lead to serious medical errors or even a patient death. And if hackers can breach an organization’s systems, they can alter clinical data and then hold hostage the information about what data was changed.

Particularly vulnerable to all types of attacks are those mid-sized organizations with enough data to be attractive to hackers but without the resources to mount a serious security defense. It’s like being the house in a high-crime neighborhood with flimsy locks and no security system. If surrounding houses are robustly protected, criminals will target the weakly defended house, even if it contains less to steal. Better to take what’s easy, thieves reason, than to risk detection in an effort to make a big haul.

Some healthcare organizations make it even easier, leaving the windows open and the doors unlocked. Recent ransom ware attacks using known weaknesses are a case in point. The organizations victimized were largely those that had neglected to install the most up-to-date security patches. Those that kept their patches up-to-date were not affected.

While there have been a small handful of minor breaches at healthcare cloud data centers, there have been zero major breaches. That’s because cloud data centers are hyper-sensitive to the risk and constantly on alert for attempts at hacking. Most have excellent perimeter defenses that keep hackers away from entry. And they constantly monitor attempts, learning what tools are being used and updating defenses to resist future attempts. Even if a careless user has their key stolen, the key only affects one door and they can’t use it to get into other users’ data. So broad intrusion resulting in widespread data compromise is very difficult.

When hackers build malware and attacks, they are looking to achieve the maximum benefit with the smallest risk. Hence, most cyberattacks are aimed at organizations with less security. While they may not have the high volume of data found in a cloud center, an individual organization’s data center often is much easier to breach.

That’s becoming a big selling point for cloud providers, because their cost of mounting a high-security defense can be defrayed across many customers.

But how can healthcare organizations do a better job of protecting their data?

First and foremost, they need to be aware of existing vulnerabilities. If an organization has delayed installing the most recent security patches, that task should be put at the top of the to-do list. And that level of data protection needs to extend down to individual users whose disregard of security may put data at risk.

To get a comprehensive understanding of security weaknesses, organizations need to do a thorough audit of their systems. It is worth the investment to get an objective assessment from a professional security consultant. Unlike internal staff, who may not have security expertise, a consulting group that regularly works with a range of healthcare organizations will be more knowledgeable about the most recent tools cyber criminals are using and also will know where to look for vulnerabilities. They can advise on what perimeter defenses are most effective at preventing intrusions.

Even if an organization doesn’t want to put all its data in the cloud, it may make sense to put clinical data there. Most EHRs can be provided as a cloud-based application and may be more secure on that platform than in an organization’s data center. Imaging data, which contains as much personal information as EHR data, can also be stored in the cloud.

Beyond better security, moving to cloud-based clinical systems can offer other benefits, which include cost savings, regular technology refreshes/upgrades and access to specialized functions such as analytics.

But still, it’s important for the healthcare organization’s IT executives to ensure that the cloud vendor is reputable and serious about security. A competent service provider should be able to provide detailed documentation about how they secure systems, data and their facility.

If an organization can get a high level of security, good SLA compliance and the capability for advanced analytics, the real value achieved from a cloud investment will ultimately be realized.

For reprint and licensing requests for this article, click here.