From left to right: Healthcare entrepreneur Shahid Shah, CDW Healthcare's Neal Clark and health IT blogger John Lynn discuss the state of cloud security at CDW's HIMSS 2017 meet-up on Monday.
For many experts and stakeholders who participated Monday in a discussion hosted by CDW Healthcare at the Healthcare Information and Management Systems Society’s 2017 conference in Orlando, Fla., private clouds represent an increasingly attractive option on the infrastructure side, given the ability to scale services quickly.
“[Private cloud] is probably more securable … than what you could do on your own,” said Shahid Shah, a digital-health entrepreneur and renowned health IT blogger. “If you’re in an environment where you’re a server hugger, you love your server, and you don’t trust anyone else, then maybe this conversation could come up that you could go hire the best people that you could, bring them in-house and try to get them to secure it.”
However, given how difficult it is to find people who are good at cybersecurity, and how even more difficult it is to hire them so that they work on your data center internally, Shah said it’s “almost unfathomable” to believe that the large-scale cybersecurity systems that need to be put into place will be more secure inside a data center than they would be outside.
Neal Clark, a cloud client executive with CDW Healthcare, agreed, saying that on the infrastructure side, cloud is very secure and may be safer than a lot of the data centers that some organizations have set up.
Still, Clark offered a caveat.
“At the application level, as long as you match it to what you’re doing in your data center within the cloud, then you should have a very secure environment,” he said.
That is not always the case, though, according to security consultant Mike Semel, who said that some organizations he’s worked with believe that once their data center is secure, they can sleep easier.
“There’s a myth that you don’t have to have a secure network in order to pay as much attention to your endpoints and your users if your data’s up in the cloud,” Semel said. “But if I can get to your network and your endpoints, I can get to your cloud. I think it’s sometimes forgotten that the local network and the users still have to have their security.”
Another factor to cybersecurity, of course, is budget. According to a recent HIMSS Analytics study focusing on health IT security and risk management, 65 percent of participating organizations spent 6 percent of their budget or less on security. Additionally, budget and staffing ranked as the biggest barriers to higher levels of security program confidence.
One remedy to budget issues, particularly for midsized practices with 10 or more doctors, Shah said, is standard Desktop as a Service, which he said could be as little as $30 a month or as much as $50 to $60 per month.
“If you take a look at that, all-in, add immutability, the fact that it can grow to double the RAM or half the RAM, the fact that you can shut them down whenever you don’t need them,” it’s worth it, Shah said. “The other thing we forget about the cloud is, you have networking costs. So, if your desktop is in the cloud and all of your applications are in the cloud, that will actually be faster — the performance will be faster. Your network doesn’t have to be as powerful. Your security doesn’t have to be as powerful. If you keep things thin, it’s totally worth it. You have to look at it as a total cost.”
Be Decisive and Deliberate
Perhaps the most important factor, however, is being decisive, said John Lynn, who runs HealthcareScene, a health IT blog network.
“My experience in talking to all the CIOs that I talk to is that breaches are inevitable,” Lynn said. “An organization that says they haven’t been breached probably hasn’t been monitoring their systems. That’s scarier to me than someone who says ‘Hey, we were breached, we discovered it, this is how we stopped it, this is how we mitigated the risk and here’s our communication plan.’”
To that end, he said, professionals should wait for ransomware or a hack to make them care about cybersecurity. “You should do that now — you don’t wait for the event.”
Clark agreed, saying that in making such decisions, analysis is critical.
“I’ve heard lots of horror stories about organizations that just move to a cloud without doing all the analysis, and now they’re trying to get back,” he said. “Let me tell you, all cloud partners will make it easy for you to get in, but when you’ve got to get back, you find that little uh-oh moment, it’s a challenge. Make sure you do your due diligence up front and understand, ‘What are my business requirements? What are my security requirements? What are my SOAs?’ And then make sure that the cloud is going to adhere to those requirements.”
For more, check out the articles and videos from HealthTech’s coverage of HIMSS17.