Cloud Risk is Different than Traditional IT Risk—Here’s What to Do About It

Cloud solutions have quickly become the preferred choice for healthcare organizations seeking easier and faster implementation, flexibility, and cost savings. By 2025, Gartner estimates that more than 95% of new digital workloads will be on cloud-native platforms; some healthcare start-ups are coming to market with cloud-only strategies—think electronic medical records (EMRs), telehealth, imaging, billing, etc.

While many benefits play a key role in the rapid adoption of the cloud, there are also cloud risks to healthcare that differ from those in a traditional IT infrastructure. Many on-prem security and compliance strategies won’t work for cloud environments, so healthcare security professionals must consider how they can evolve current security and compliance strategies, practices, and tools to protect operations in the cloud. Failing to do so can expose an organization to significant risk—both financially, as the impact of response, recovery, and penalty costs can easily reach eight figures for a single breach—and the potential for care delivery disruption that can lead to patient safety concerns.

There have already been 300 healthcare breaches in the first half of 2023, with more than 40 million record exposures. Of those, a vast majority involved at least one cloud component.

What Makes Cloud Risk in Healthcare Different?

As more services move to the cloud, it’s increasingly difficult to separate on-prem from the cloud as many healthcare organizations work in hybrid environments with multi-tenancy. To make it more challenging, not all cloud services are the same, so protecting data in the cloud depends on what you have, how you’re using it, and how different the cloud is from on-prem.

There are three primary cloud service models, as defined by NIST:

    1. Infrastructure as a service (IaaS): The CSP is responsible for the physical data center, physical networking, and physical servers/hosting.

    2. Platform as a service (PaaS): The CSP takes on more responsibility for patching (something customers are historically terrible at, and a primary pathway to security incidents) and for maintaining operating systems.

    3. Software as a service (SaaS): The customer can only make changes within an application’s configuration settings, with control of everything else left to the CSP.

Because of the shared responsibility model for cloud security and compliance, each comes with tradeoffs, for example:

    • The customer relinquishes control in exchange for more of a turnkey/managed experience.

    • The CSP handles more operational activities so the customer can focus on their core competencies.

What is a cloud shared responsibility model?

The shared responsibility model delineates what the cloud customer is responsible for and what the CSP is responsible for. Generally, the CSP is responsible for security “of” the cloud—physical facilities, utilities, cables, hardware, etc. The customer is responsible for security “in” the cloud—network controls, identity and access management, application configurations, data, etc. The division of responsibilities changes depending on the service model, be it IaaS, PaaS, or SaaS.

Effectively protecting and securing cloud models is challenging, thanks to:

    • An expanded attack surface: As you deploy different cloud resources, it’s easy to lose track of how many different instances you have, especially with SaaS providers. That means you have the potential for more vulnerabilities across more services. And, hyper-scalers like Amazon, Microsoft, and Google have a lot of interconnections. That means there are more opportunities for hackers to try to exploit your weaknesses.

    • Lack of visibility: The more cloud services you have, the harder it is to see everything. While a benefit is access to complex infrastructure that you otherwise might not have access to, if you can’t see across infrastructure and operations, you can’t monitor and address threats like man-in-the-middle (MitM) attacks happening within that infrastructure. Ultimately, you have to trust your CSP, and sometimes, that can feel scary, especially with the number of compliance standards you must maintain for healthcare data security and privacy.

    • Regulatory and compliance requirements (and sovereignty): With interconnected cloud services, your data can be anywhere. Exactly where your data is created, stored, or transmitted has a direct implication on your regulatory and compliance requirements. If you’re a global corporation, for example, you have to understand all of those requirements, where each can be very different. If you’re not configuring the cloud properly, you open the door for potential unauthorized data access. Depending upon the service and where you’re offering it, that could be against regulations and sometimes even the law.

    • Governance: Governance is the foundation of security programs, so it’s important to ensure your standards, controls, policies, and frameworks are in sync across operations. If you don’t know where your data flows, you can’t be sure where it’s living. You need controls in place for all the tools and features you’ve enabled. With governance, it’s also important to have an open channel between all of your core departments such as incident response, business continuity, compliance, IT, and security. How you approach governance in the cloud will likely be very different than what you do for your on-prem environment.

    • Complex supply chains: With a multi-tier supply chain providing services, more people can access your data. Through HIPAA, you’re required to ensure contractors and subcontractors secure your ePHI. Hackers know healthcare organizations struggle to protect their enterprises, let alone their vendors. They are looking for one chance to slide into your supply chain and compromise your data, and they’re often successful. There’s been a sharp increase in successful breaches originating with healthcare business associates.

    • Shared responsibility models: Understanding who’s managing infrastructure, services, data, and technologies is key to overcoming challenges created by shared responsibility models, especially when you’re increasingly dependent on the cloud.

Cutting Through the Cloud

As cloud environments expand and healthcare organizations reap the benefits of better service delivery, the importance of managing cloud risks cannot be overlooked. Understanding common cloud risks and challenges is essential, and risk analysis is the core tool for organizations that want to protect cloud assets. By performing regular risk analysis, healthcare organizations can identify potential threats and vulnerabilities and take proactive measures to mitigate them. Risk analysis also helps your organization make informed decisions about its cloud security strategy and provides a comprehensive view of your security posture, on-prem and in the cloud.

If you’re already consistently conducting asset-based risk analysis, the next important practice is ensuring vendor risk management is part of your contracting process. Start the responsibility conversation early so vendors understand your security and privacy standards and aren’t surprised when you hold them to them.

Microsoft Azure is the most commonly used CSP in hospitals and health systems; for a deep dive into Azure cloud security best practices, download our white paper.

As cloud security risks continue to evolve, consider working with a healthcare cloud security and compliance consultant who can help you stay ahead of the curve—and attackers. Clearwater’s healthcare cloud experts can help you proactively identify and address threats to ensure your cloud assets—and your PHI—are always protected.

Let’s connect.
