Slideshow 10 Cloud Security Considerations for Healthcare

  • December 21 2014, 12:58pm EST
11 Images Total

Cloud Security To-Dos in Healthcare

Cloud security vendor Porticor offers 10 issues for healthcare organizations to consider as they assess adoption of cloud computing strategies.

HIPAA Compliance

Though HIPAA has been around since 1996, applying its standards to the cloud is a new challenge. Covered entities and their business associates understand that a breach of e-PHI is a serious incident that requires risk assessment and reporting processes, as well as possible fines, penalties and damage to reputation.

To enable organizations to both protect e-PHI and avoid these problems, HHS published guidance on “technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals.” The guidance emphasizes that data encryption is not only a best practice for protecting privacy and security – it also provides a safe harbor to the organization in case of data loss.

Content Continues Below

Data Location

Some American healthcare companies are adopting strategies to restrict data server locations to US soil. Several regulatory regimes may require stateside location for personal information, and some companies feel more secure knowing their data in confined to the US.

Modern cloud technology allows such requirements to be met. It is possible to limit the location of cloud instances to US-only, Europe-only, and so on. Furthermore, through encryption of data, you are sure that no readable data will ever mistakenly “migrate” from the desired location to other locations, whether through human error or otherwise.

Mobile Device Management

Today’s healthcare scene is transforming into a space where care providers may use tablets, smartphones, and laptops off-site or at a patient’s side. Securing these devices, and, moreover, the data on these devices, is a chief concern of healthcare IT departments.

To mitigate risk, a best practice is to focus on securing the data, not the device; and to bar personal health data from being stored on the device. Application architectures use the device for display, but store the data in an encrypted location in the cloud, under the control of the healthcare organization.

HIPAA Business Associate Agreements

Healthcare companies must obtain BAAs from their solution vendors, including cloud vendors and service providers. These agreements define the division of responsibility for compliance.

Content Continues Below

Secure Architecture

A great benefit of migrating to the cloud is releasing the healthcare company’s IT department from establishing and maintaining the physical IT infrastructure. The concern then becomes selecting cloud providers who assure a secure architecture. There are cloud ready solutions available, which allow the Healthcare organization to “own” its data even when it is using a cloud provider for computation and storage. Also, internal IT can request certifications and audits and perform penetration tests periodically.

Identity and Access Management

Identity and access management solutions today are often extended to the cloud. It is an important point to select an IAM solution that spans between your existing management and your cloud management. Using VPNs can allow you to directly extend your existing access control, or you can opt for one of a number of IAM solutions that integrate with your existing Active Directory or LDAP, and simultaneously integrate with your chosen cloud’s IAM.

Authentication and Logging Controls

All devices on a healthcare company’s cloud network must have proper authentication and logging controls. Healthcare companies must verify that all activities are logged and when needed, these logs can be audited. Also it is important to monitor these logs to catch any suspicious activity.

Content Continues Below

Cloud Encryption

One of the most important safeguards healthcare companies can take to protect their data security in the cloud is cloud encryption. By using the latest advancements in cryptography, data and apps can be encrypted in a way that even if a breach does somehow occur, the e-PHI will be protected as it will be unreadable to the attacker. Furthermore, as we discussed above, by encrypting data at rest and in motion, healthcare companies can claim “Safe Harbor.”

Encryption Key Management

Though an important safeguard, proper encryption can be rendered useless if an attacker can access the keys to decrypt the information. For this reason, healthcare companies must be careful not to store encryption keys alongside encrypted data in the cloud, or allow anyone else (including could providers) to have access to encryption keys at any time.

To mitigate these risks, innovations like split key encryption and homomorphic key management enable the data owner to benefit from the cloud while maintaining total control of encryption keys, and therefore, total ownership of data in the cloud.

Incident Response

Taking cloud security precautions will mitigate the risk of incidents or attacks. However, bad stuff does happen! IT departments must consider how incidents will be responded to in case they do occur. Following an honest mistake by an employee, or a malicious attack, there must be procedures in place for analysis, remediation, and service continuity.