As in any new relationship, there is the rush of elation and anticipation, the secret fear that things will not work out, the uncertainty about the future, and general desire to make things work well for all involved. These thoughts and feelings are also associated with acquiring new technologies and/or services, particularly those that are not well understood, and are relatively new in practice. One of the most advantageous technologies, but also the most misunderstood, is cloud technologies (herein referred to as “the cloud” or “cloud”). A business relationship between a healthcare organization and a cloud provider offers many benefits to any entity, including reduction in costs, increased operability, and enhanced system redundancy.
An HIMSS Analytics Cloud Survey, published in 2014, found some surprising information regarding healthcare organizations and the adoption of cloud technologies. The survey found that “83% of IT executives report they are using cloud services today, with SaaS-based applications being the most popular (66.9%).” (From Forbes.com).
Of that 83%, 67% of those surveyed are running Software-as-a-Service (SaaS) cloud type, with 15.9% using Infrastructure-as-a-Service (IaaS), and only 2.4% using Platform-as-a-Service (PaaS). Figure 1 describes the three types of cloud services. These cloud service types are deployed on the three primary cloud models as follows: 37.1% use a private cloud, 36.3% use a hybrid cloud (community) model, and 23.4% chose the public cloud model. (From Forbes.com)
- End-user applications provided as a service
- Customers can build, deploy and manage custom applications
- Computing resources, storage, firewalls, etc
Figure 1: Three types of cloud services
Most organizations, healthcare organizations included, measure the benefits of adopting cloud services by seeing revenue increase, costs decrease, and/or deployment time reduced, as well as providing a synergy between multiple technologies and services without analyzing what, if any, risks they will be exposed to if they adopt cloud services. Figure 2 describes the benefits of cloud computing based on a 2014 report “Elevating Business in the Cloud” from KPMG.
Figure 2: Benefits of Cloud Computing (KPMG)
The cloud opens up many security concerns that, if not properly addressed early on in adoption, can leave an entity vulnerable. Those vulnerabilities can include system complexity, a shared multi-tenant environment, internet-facing Services, loss of control, architecture, software isolation, access management, and more. Before hospitals adopt cloud technology, the security advantages, dis-advantages, and recommended mitigations should be reviewed.
Reducing these risks will provide the security umbrella that will give many healthcare systems and corporations the confidence and assurance in adopting cloud technologies.
What is the Cloud again?
Before we review the risks and suggested stratagems for mitigation, a brief review of what the cloud is and how it is deployed is needed.
The cloud is, in simplistic terms, a means of storing and accessing data and programs over the Internet instead of your computer. More formally defined by the National Institute of Standards and Technology (NIST), the cloud is “a model for enabling convenient, on demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction”. (From NIST Special Publication 800-145)
Cloud technologies are deployed in three models based on three service types: Private, Public, and Community clouds. As their names imply, a Private cloud is an environment that is associated with only one particular entity. A Community cloud is an environment shared between known entities. A Public cloud is an environment that is accessible by any individual or entity. The three service types include Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).
Is the Cloud a safe place?
With that covered, we can now begin to review the risks associated with adopting cloud technologies.
In some ways, health care is an easy target. In general most healthcare organizations’ security systems are generally less mature than other industries, such as financial or industrial. Further, due to the nature of what doctors do, and the immediate need to access data to save lives, there has been a lack of focus on data security, as security generally impedes operability. The lack of focus on security is also evident in the way a hospital budgets for IT Security. Where a financial or industrial firm might spend roughly a third of its budget on IT Security, healthcare organizations typically spend roughly about 2 to 3 percent. (From WashingtonPost.com) The HIMSS study identified that the majority of those surveyed encountered significant security and operability issues from adopting cloud services. Of those surveyed, issues with performance and downtime, inaccessibility to data, and weak data back-up rates were common issues participants encountered.
But is it a safe place to store data? There are several leading areas of security concerns involving the cloud, including system complexity, shared multi-tenant environment, lack of control, poor agreement, data storage location(s), multiple entry points (both mobile and traditional), and more.
One of the most serious issues in dealing with cloud services is system complexity and multi-tenant concerns. There are many ways a cloud can be created- if a cloud is created as a multi-tenant entity, organizations may be concerned with the security and accessibility of their data. A cloud could be created by an amalgamation of components for applications, virtual machines, data storage, and supporting middleware. In addition, there are also elements that the cloud service provider (CSP) manages, including self-service, resource quantifying, data replication and recovery, service level monitoring and more. Cloud services themselves may also be realized through layering with services from other cloud providers.
Depending on the type of cloud model deployed, a healthcare organization may be using a cloud that is also used by a variety of other entities concurrently. These other entities, may or may not be healthcare orientated, and may or may not be governed by the same set of rules for compliance, maintenance, governance, and support. Hardware and firmware, etc. are regularly updated, changed, and, depending on the agreements made between the entity and the cloud provider, the healthcare organization may not even be aware of the changes and potential vulnerabilities made possible by these actions. Surely, we see why healthcare organizations may be skeptical of the confidentiality of their data.
Further, when dealing with public and community clouds, an organization’s cloud, applications, and services may interact with many components, services, applications, and unknown code(s). Challenges exist in understanding and securing interfaces that are often proprietary to a cloud provider or entity utilizing the same cloud environment. Even those who utilize a private cloud still will interact with commercial off the shelf products with its own code and system parameters. Rather than using physical separation of resources as a control, cloud computing places greater dependence on logical separation at multiple layers of the application stack. This creates numerous vulnerabilities that if exploited can leave a healthcare’s or other entity’s data exposed. As one Hospital CIO stated, “If you’re a hacker… would you go to Fidelity or an underfunded hospital? You’re going to go where the money is and the safe is easiest to open.”(From WashingtonPost.com)
Threats to network and computing infrastructures continue to increase each year and become more sophisticated. Having to share an infrastructure with unknown outside parties can be a major drawback for some applications and require a high level of assurance pertaining to the strength of the security mechanisms used for logical separation. (From NIST Special Publication 800-144)
When utilizing cloud services, you are transferring control of some, if not all, of your security to the cloud service provider. This transfer of responsibility and control to the cloud provider over information as well as system components that were previously under the organization’s direct control is usually compounded by the lack of clear points of contact for access management, incident response, data recovery, and continuous monitoring. This leads to a loss of situational awareness, set priorities, and effect changes in security and privacy that are in the best interest of the organization and ability to manage effectively any form of compliance program.
Now that alarms have been sounded and fears agitated, there are steps a healthcare organization can take to mitigate these and other risks when adopting cloud services to develop and maintain a healthy relationship with a cloud service provider.
Determine what you want
The first step is to determine what type of cloud model and type is appropriate for your organization. The second is to review and scrutinize the business to business agreement between the organization and the cloud service provider. The third step is to have the healthcare organization’s information security officer coordinate with the cloud service provider and break down all of the controls, protocols, roles, policies and procedures that the cloud service provider employs to ensure they meet the regulatory compliance requirements of the healthcare organization. This is done by reviewing all contractual documents in detail, such as Service Level Agreements, Data Use Agreements, Memorandums of Understanding/Agreements, general contracts, etc. The last step to be taken is to create a continuous monitoring program to ensure that the controls, policies, and procedures reportedly in place by the cloud service provider are indeed in place and operational.
Determine what is important to you
When determining the type of cloud environment, one must consider factors beyond cost. Know what it is you’re searching in a cloud provider to ensure a long and fruitful relationship.
If the data being obtained and employed by the health organization are attractive to attackers, or if a breach and associate costs for remediation and possible restitution would be crippling a company, a private cloud model offers the most security upfront. If consistent with current trends the use of various applications and access points, Software as a Service (SaaS) offers the most benefits to a healthcare organization.
Once the model and type are selected, the healthcare organization’s information security officer needs to the cloud service provider and review all documentation provided by the cloud service provider. But the information security officer should also elicit the healthcare organization’s legal department to assist in review of the documents. As a lawyer with Borden Ladner Gervais LLP stated “It is absolutely critical to vet the third parties. You need to know who you are dealing with. You need to know their level of expertise and you need to know their level of sophistication.” (From CanadianUnderwriter.ca)
Communication is key
If there is not a dedicated and available security point of contact within the cloud provider, then the relationship is doomed to fail. That security point of contact must be able to address all security concerns, provide security documentation, and evidence of security practices, and should be able to provide this information in a timely manner. If this individual is not made available to you, I would be reluctant in selecting that cloud provider.
Once you have a contact, building the relationship and maintaining the trust is critical. One way to build trust is obtaining and reviewing documents. To help remediate security issues, a healthcare organization should review the contract, Service Level Agreement, and Memorandum of Understanding/Agreement thoroughly with the cloud service provider. These documents should include the right to audit, provisions for incident response management, access control, data segmentation, data recovery procedures, and maintenance schedules, among other provisions. Further, it is beneficial to understand exactly what security functions, controls, and procedures are the responsibility of the healthcare organization and the cloud service provider either in part, or in whole. If using FedRAMP as a baseline model, a healthcare organization and cloud provider can use their Control Inventory Summary which breaks down controls by subpart and includes all control enhancements based on the National Institute of Standards and Technology Special Publication 800-53 Revision 4 controls.
Any document being reviewed must contain provisions that allow the healthcare organization the right to audit. This allows the healthcare organization or a representative of the organization to come and audit the security provisions of the cloud service provider, ensuring a third party review confirms compliance to all regulatory compliance or identifies areas of inconsistency and provide corrective action plans for remediation.
The documentation provided should also clearly provision how incidents are identified, reported, and managed. Attacks involving ransomware, data breaches, and concerns of data accuracy are fueling many internal reviews of how incident responses are managed. This point cannot be emphasized enough as breaches, either resulting in loss of data, or in systems and data being inaccessible; Ransomware attacks are continually making headlines. “The steady drumbeat of ransomware attacks continued this past week with new reports of two hospitals forced to fight off malware that froze IT systems.”(From Healthcareitnews.com)
Keep checking in
Finally, as with all relationships, it is imperative to constantly monitor and evaluate its strengths, and more importantly, its areas of weakness. Then, work together to remediate the weaknesses. Communication is key and crucial when it comes to protecting your data.
I now pronounce you…
After conducting your due diligence, understanding what is important to your healthcare organization, and eliciting the feedback from appropriate stakeholders, healthcare, and the cloud can enjoy a fruitful and mutually beneficial relationship.
Mr. Cory Missimore currently works as a Senior Information Assurance Specialist at IMPAQ International, where he provides Information Security (IS) program support, assessment, and advisory services to IMPAQ International and commercial entities. Mr. Missimore has over eight years of experience in the field of IS/T, privacy, and compliance. His focus areas are cloud technologies, risk management, audit, privacy, and security. He has an extensive knowledge of IS process governance, cloud technologies, healthcare systems, business process management, and federal regulations. He has an established record of applying and facilitating organizational cohesion and compliance between emerging and legacy technologies and processes, with applicable laws, regulations, and standards including the Privacy Act, FISMA, FedRAMP, ARS, NIST, SOX, ISO 27001/2 and HIPPA. Mr. Missimore currently holds CIPP/US and CISM Certifications.