Many healthcare organizations want to take advantage of cloud-based clinical and support applications. But fear is holding them back. In this guest post, Gerry Grealish, who leads cloud data security product and marketing at a provider of advanced web security solutions for global enterprises and government organizations, explains how hospitals can take advantage of cloud solutions while still protecting all regulated and sensitive data.
Recent high-profile data breaches have primed healthcare organizations to be wary of threats and implement security measures to better protect their assets. And while cloud technology has created huge benefits for organizations, it’s also opened the door for new threats.
Software-as-a-Service (SaaS) delivered via the public cloud is one of the fastest-growing IT technologies tracked by Forrester, which reports that worldwide spending on SaaS is expected to reach $106 billion by the end of 2016. But the majority of this SaaS growth has been occurring outside of regulated industries, or in areas where the application doesn’t require access to compliance-related data, because of concerns about putting regulated data in public clouds.
For example, in a recent study of over 63 million documents in the cloud, 26% of them were broadly shared within the organization or externally. Of these, one in 10 were found to contain compliance-related data, such as personally identifiable information (PII), payment card information (PCI) and personal health information (PHI).
Cloud compliance issues
Many facilities are looking to take advantage of new cloud-based clinical and support applications that improve patient care and collaboration while reducing costs. But as mentioned, concerns about patient data security are keeping many of these organizations from taking advantage of these new transformational solutions. Breaches of healthcare data have become common due to the high value that stolen medical records command, and the costs of a breach are especially high. Clouds that aggregate information from many organizations only add to the concern because they make for bigger, more lucrative targets.
As a result, healthcare organizations either find themselves trapped on legacy systems or, when they do move to the cloud, adopt private cloud solutions that are far costlier and less efficient than their public cloud counterparts.
Loss of control drives concerns
When healthcare organizations do make the decision to adopt cloud apps and services, they’re choosing to hand control of their data to third-party cloud service providers. For some types of data, this isn’t a problem, but for PHI or PII the cloud can introduce a series of complex compliance and data privacy challenges.
In the United States, HIPAA and the Health Information Technology for Economic and Clinical Health Act (HITECH) are the primary compliance regulations that organizations must strictly adhere to when handling such data. Other countries have analogous rules and, in some situations, additional requirements specifying the location or geography where the data must physically reside.
In view of all the residency and compliance requirements that companies face, it can be challenging to strike a balance between ensuring compliance for sensitive data and attaining maximum benefit from SaaS applications. Given the strict nature of compliance requirements and the penalties imposed for exposing sensitive data, healthcare organizations need to ensure they meet specific requirements in the cloud.
Cloud compliance best practices
With all of the compliance challenges within healthcare, how can organizations take advantage of cloud solutions while still protecting all regulated and sensitive data?
Here are some tips:
- Consider a CASB: Cloud access security brokers (CASBs) can help support cloud data compliance through a variety of functions, including auditing access and use of regulated cloud data and limiting access to this type of data only to authorized employees and patients. These solutions can also analyze the attributes associated with various cloud applications, such as the types of security measures they have in place, to ensure that each application complies with internal and external security requirements.
- Make sure the right security policies are in place when business needs dictate that regulated data must be stored and processed in cloud apps: Setting additional data protection policies, including the tokenization and encryption of data in the cloud, can greatly help cloud data compliance challenges.
- Do as much employee awareness training as you can: Employees may say that they understand what data lives in the cloud, but mandatory training for all employees working with cloud applications will provide a deeper understanding of cloud data compliance responsibilities.
- Understand what data assets you need to have in the cloud: Understand what information is being placed in the cloud, and ensure that there’s a business reason behind placing that data in the cloud, especially if the data is highly sensitive or regulated. Track these data assets and maintain audit logs that reveal employee access and interaction with this data.
- Define what systems, people and processes need access: Within healthcare organizations, not all employees will be accessing cloud PHI or PII each day. When appropriate technical controls and activities are set to protect confidential data, information can more easily be tracked and secured.
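As an added illustration of the tokenization policy mentioned in the tips above (this is example code, not the author's or any vendor's product code), the snippet below models a gateway that replaces PHI fields with random tokens before a record leaves the organization, keeps the token-to-value mapping in an on-premises vault, and records an audit entry whenever a user de-tokenizes a value. The field names, record and user name are constructed for the example.

```python
import secrets

# Fields treated as PHI/PII that must never reach the SaaS provider in clear text (constructed list).
PHI_FIELDS = {"patient_name", "ssn", "diagnosis"}


class TokenVault:
    """On-premises vault: the only place where tokens can be mapped back to real values."""

    def __init__(self):
        self._forward = {}   # original value -> token (same value always gets the same token,
        self._reverse = {}   # token -> original value   so the SaaS app can still match/sort)
        self.audit_log = []  # (user, token) entries for every de-tokenization

    def tokenize(self, value):
        if value not in self._forward:
            token = "tok_" + secrets.token_hex(8)   # random, carries no information about value
            self._forward[value] = token
            self._reverse[token] = value
        return self._forward[value]

    def detokenize(self, token, user):
        self.audit_log.append((user, token))       # who accessed which regulated value
        return self._reverse[token]


def outbound(record, vault):
    """Record as it is sent to the cloud app: PHI fields replaced by tokens, other fields untouched."""
    return {k: (vault.tokenize(v) if k in PHI_FIELDS else v) for k, v in record.items()}


def inbound(cloud_record, vault, user):
    """Record as returned to an authorized on-premises user: tokens resolved back to real values."""
    return {k: (vault.detokenize(v, user) if k in PHI_FIELDS else v) for k, v in cloud_record.items()}


def contains_phi(cloud_record, original):
    """Compliance check: does the cloud copy still hold any original PHI value?"""
    return any(cloud_record.get(k) == original[k] for k in PHI_FIELDS if k in original)


if __name__ == "__main__":
    vault = TokenVault()
    patient = {"patient_id": 42, "patient_name": "Jane Doe",
               "ssn": "123-45-6789", "visit_reason": "annual checkup"}   # constructed sample
    stored = outbound(patient, vault)
    print("cloud copy:", stored)
    print("PHI leaked to cloud:", contains_phi(stored, patient))
    print("restored for nurse01:", inbound(stored, vault, "nurse01"))
    print("audit log:", vault.audit_log)
```

The cloud copy keeps non-regulated fields usable by the application while the vault and its audit log stay under the organization's control, which is the visibility the tips on tracking data assets and logging access call for.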
Cloud adoption is projected to grow dramatically. Migration to the cloud in regulated environments, however, will only take off when organizations feel confident they have the visibility and control they need: control over their enterprise’s use of the cloud and the services running within it, the ability to classify and manage the data stored in cloud applications, and an effective use policy that ensures sensitive and compliance-related data is properly secured and isn’t maliciously or inadvertently exposed.
Gerry Grealish leads the marketing strategy for Blue Coat’s Cloud Data Protection Platform. Previously, Gerry was CMO of Perspecsys and also ran product marketing for the TNS Payments Division.