Healthcare Organisations In The Cloud

Healthcare organizations are moving their business-critical applications and workloads to the cloud, and while there are many benefits (lower costs, added flexibility and greater scalability), there are also inherent risks that cannot be overlooked.
 
Ensuring that an organisation’s sensitive data is monitored and protected around the clock (24/7) is key, and having analysts who clearly understand security in the cloud is critical. Hiring and staffing these roles can be quite difficult because of the skillset required.
 
Outsourcing cybersecurity to a managed security service provider (MSSP) is one viable solution for healthcare organisations that are in the process of migrating to the cloud and are concerned with protecting patient information, sensitive data, and applications.
 
Why healthcare organisations are moving to the cloud
HIMSS Analytics conducted a survey of healthcare IT professionals about their views of cloud usage, with nearly two-thirds of respondents saying they are currently using the cloud or cloud services.
 
Why are healthcare organisations finally making the move? 
Many have started to look at the cloud as a disaster recovery and backup option in the event of a ransomware attack, which affected the healthcare sector in 2017. The cloud also enables increased operational and storage flexibility as more healthcare companies use applications like precision medicine and population health.
 
Who’s responsible for keeping the cloud secured?
With so much critical information being accessed and stored in the cloud, it’s important to know who is responsible for monitoring authentication, communication, and client access to devices as well as how they’re securing it. Cloud application vendors are motivated to secure their infrastructure against denial of service attacks, disruption to service delivery, and large backend infrastructure breaches to protect their business. 
 
However, control over data access, user credentials (in some cases the application servers themselves), and regulatory compliance rests on the user organisation’s IT team, not the cloud vendor. 
 
In short, cloud infrastructure providers are responsible for protecting their service, while IT teams must ensure their organisation’s private data and critical applications are protected.
 
Whether you are using cloud providers (such as AWS or Microsoft Azure) to host your sensitive applications and data, taking advantage of Microsoft Office 365, or leveraging the scalability of a cloud-based electronic health record (EHR) application, security is a shared responsibility between the IT security team and cloud provider. 
 
As more healthcare organisations turn to cloud services, it is becoming critical for IT and security teams to understand the delineation of responsibility.
 
Taking the right security measures in cloud infrastructures
Most of the same security risks that apply to data and applications residing within a traditional data center also apply to virtualised assets in cloud infrastructures like AWS, Azure, and others. Virtual servers can be infected with malware or ransomware, credentials can be stolen, and cyber criminals can extract data, which makes cyber protection even more important.
 
Web applications are one of the most significant sources of enterprise data breaches, and public-facing web applications are often hosted on cloud platforms. Because cloud platforms are designed for easy sharing, data runs the risk of becoming unintentionally shared or exposed. Misconfigured cloud-based data stores have resulted in many vulnerabilities and threats.
 
To address these risks, IT security teams are adopting security tools such as virtualised firewalls, web application firewalls, intrusion detection systems, and vulnerability scanning tools developed for cloud infrastructures. 
 
These technologies are integrated using service provider application programming interfaces (APIs) that are designed to address the virtualized and dynamic nature of these environments.
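The "misconfigured data store" risk above is usually a permissions document that grants more than intended. The following is an added example, not code from the article or from any vendor it names: a small checker that reads an AWS S3 bucket policy and bucket ACL (both in the JSON shape the S3 API returns) and reports grants that would expose the data store to anyone on the internet. The bucket name, account id, role name and VPC endpoint id in the sample documents are constructed placeholders, and the sample documents are assumed, not taken from any real account.

```python
"""Added example: flag public grants in a constructed S3 bucket policy and ACL.

Not from the article. The policy/ACL shapes follow the S3 API; the sample
documents, bucket name, account id and endpoint id are constructed."""
import json

# Constructed sample: an Allow statement open to any principal, with no Condition.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-ehr-exports",
                     "arn:aws:s3:::example-ehr-exports/*"],
    }],
})

# Constructed sample: the hardened form, a named role scoped to one VPC endpoint.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VpcOnlyRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/ehr-app"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-ehr-exports/*",
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
    }],
})

# Constructed sample ACL: a READ grant to the AllUsers group makes objects public.
OPEN_ACL = {
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "ownerid-placeholder"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ]
}

PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (any AWS account, or anonymous)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def find_public_statements(policy_json):
    """Return the Sids of Allow statements that any principal can use unconditionally.

    Statements that carry a Condition are skipped here: they may still be too
    broad, but they are scoped and deserve a separate review rather than an
    automatic 'public' finding."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):       # a single statement may be unwrapped
        statements = [statements]
    findings = []
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(st.get("Principal")):
            continue
        if st.get("Condition"):
            continue
        findings.append(st.get("Sid", f"statement-{i}"))
    return findings


def find_public_acl_grants(acl):
    """Return (group URI, permission) pairs granted to the public S3 groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            findings.append((grantee["URI"], grant.get("Permission")))
    return findings


if __name__ == "__main__":
    print("open policy:", find_public_statements(OPEN_POLICY))
    print("restricted policy:", find_public_statements(RESTRICTED_POLICY))
    print("open acl:", find_public_acl_grants(OPEN_ACL))
```

In practice the same two functions would be fed the output of the provider API (for S3, the bucket policy and ACL calls) across every bucket in the account on a schedule, which is the kind of provider-API integration the paragraph describes; the logic is the same whether the documents come from a file or from the API.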
 
Protecting SaaS applications in the cloud
Software as a service (SaaS) applications like EHR software, Office 365, and Salesforce often store sensitive patient data and confidential business and operational information. A breach or inadvertent exposure of this data can result in compliance violations, revenue loss, significant recovery expense, and can irreparably damage the organisation’s reputation.
 
MSSPs and cloud access security brokers (CASBs) can collect and analyze authentication, access control, and cloud application transaction logs to identify suspicious behavior. Such logs include downloads, logins, usage, and application-specific behaviors that may be analysed by an MSSP to determine indicators of compromise.
 
Importance of Maintaining HIPAA compliance
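To make the log analysis above concrete, here is an added example (not code from the article, and not any MSSP's or CASB's product): two detection rules run over a handful of constructed SaaS audit-log lines. The log format (timestamp, user, event, source IP, object) and the event names are assumptions; the user names, IPs (documentation ranges) and file names are constructed, not real data. One rule flags a user who downloads many records in a short window, the other flags a successful login from a source IP that just produced a burst of failed logins.

```python
"""Added example: two detection rules over constructed SaaS audit-log lines.

Not from the article. Log format, event names and all sample values are
assumptions/constructed data."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. Fields: timestamp user event source_ip object
SAMPLE_LOG = """\
2024-03-01T08:00:01Z alice login_ok 203.0.113.10 -
2024-03-01T08:01:10Z alice download 203.0.113.10 record_1001.pdf
2024-03-01T08:01:12Z alice download 203.0.113.10 record_1002.pdf
2024-03-01T08:01:15Z alice download 203.0.113.10 record_1003.pdf
2024-03-01T08:01:20Z alice download 203.0.113.10 record_1004.pdf
2024-03-01T08:01:22Z alice download 203.0.113.10 record_1005.pdf
2024-03-01T08:05:00Z bob login_ok 198.51.100.7 -
2024-03-01T08:06:00Z bob download 198.51.100.7 schedule.xlsx
2024-03-01T09:10:00Z carol login_fail 192.0.2.44 -
2024-03-01T09:10:05Z carol login_fail 192.0.2.44 -
2024-03-01T09:10:09Z dave login_fail 192.0.2.44 -
2024-03-01T09:10:15Z dave login_ok 192.0.2.44 -
2024-03-01T09:30:00Z erin login_fail 203.0.113.99 -
2024-03-01T09:30:30Z erin login_ok 203.0.113.99 -
"""


def parse(text):
    """Parse the space-separated lines into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip, obj = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "event": event, "ip": ip, "obj": obj,
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_bulk_downloads(events, threshold=5, window=timedelta(minutes=5)):
    """Flag a user whose downloads within `window` reach `threshold` (once per user)."""
    alerts = []
    recent = defaultdict(deque)   # user -> timestamps of downloads inside the window
    flagged = set()
    for e in events:
        if e["event"] != "download":
            continue
        q = recent[e["user"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and e["user"] not in flagged:
            flagged.add(e["user"])
            alerts.append(("BULK_DOWNLOAD", e["user"], e["ip"], len(q)))
    return alerts


def detect_login_bursts(events, fail_threshold=3, window=timedelta(minutes=10)):
    """Flag a login_ok from an IP that produced >= fail_threshold login_fail
    events in the preceding `window`, regardless of which accounts failed."""
    alerts = []
    fails = defaultdict(deque)    # source IP -> timestamps of failed logins
    for e in events:
        if e["event"] == "login_fail":
            fails[e["ip"]].append(e["ts"])
        elif e["event"] == "login_ok":
            q = fails[e["ip"]]
            while q and e["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= fail_threshold:
                alerts.append(("LOGIN_AFTER_FAIL_BURST", e["user"], e["ip"], len(q)))
                q.clear()     # one alert per burst
    return alerts


def run_detections(text=SAMPLE_LOG):
    """Run both rules over a log text and return the combined alert list."""
    events = parse(text)
    return detect_bulk_downloads(events) + detect_login_bursts(events)


if __name__ == "__main__":
    for alert in run_detections():
        print(*alert)
```

On the sample data the first rule fires for alice (five records in twelve seconds) and the second for the login on 192.0.2.44 (three failures across two accounts, then a success), while bob's single download and erin's single failed attempt stay below threshold. The thresholds and windows are the tuning knobs; an MSSP would set them from the organisation's baseline usage so that the alerts delivered are the "accurate and relevant actionable alerts" the checklist below asks about.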
 
For US healthcare organisations, the Health Insurance Portability and Accountability Act (HIPAA) is an omnipresent reality. HIPAA requires patient data to be properly protected, no matter where it is being stored. Those who fail to protect patient data face fines and other regulatory penalties. To meet HIPAA requirements, IT security teams should apply the same level of vigor to safeguarding their cloud-based data and applications as they would to on-premise applications and data. This can include deploying virtualised firewalls, scanning virtual servers for vulnerabilities, and monitoring and retaining log events from the public cloud.
 
How MSSPs can help implement stringent security in the cloud
When planning a cloud migration, many healthcare organisations consider implementing in-house security solutions. This means hiring security experts and around-the-clock staff to manage and respond to alerts. With the current cybersecurity skills shortage, finding and building the right team is not always easy.
 
How can a healthcare organisation maximize the rewards of cloud-based data and applications while minimising the security risks? One approach is to outsource the security monitoring, investigations, and incident response to an MSSP. MSSPs have a service model that is well-suited for healthcare organizations with limited resources and strict compliance requirements. MSSPs can act as an extension of a healthcare organisation’s IT security team at a fraction of the cost associated with hiring additional employees and operating a 24/7 security operations center (SOC).
 
When choosing an MSSP, it is important that healthcare organisations thoroughly evaluate providers and cross-reference their healthcare expertise to ensure a smooth transition to the cloud. 
 
Key questions organisations should ask an MSSP include:
 
• Are you experienced with helping healthcare organisations protect their data and applications in the cloud?
• Does your mix of security services include 24/7 monitoring, breach detection, and incident response?
• Can you monitor log events from my preferred cloud provider and cloud-based application vendor?
• How do you ensure we will receive accurate and relevant actionable alerts?
• Can you manage or co-manage vulnerability management tools, virtualized firewalls, and endpoint security in cloud environments?
• Do you have a single portal where we drill into security events and understand our security posture for both cloud-based and on-premise assets?
• Do you offer HIPAA reporting and services to prepare us in the event of an HHS audit?
 
By asking these questions, healthcare organisations should be able to determine whether the MSSP is equipped to handle their security needs. 
 
Especially for healthcare organisations with limited budgets and small IT teams, a qualified MSSP can serve as an extension of their team, help improve cybersecurity posture, and make the most of moving to the cloud.
 
HelpNetSecurity
 
