Fact or Fallacy: Should Security Concerns Dictate Public Cloud Adoption?
The agility and flexibility of cloud environments offer organizations on-demand computing resources at the click of a button. Many cloud providers operate multiple data centers in geographically distant locations to provide highly reliable service, even in the event of a major natural disaster. Those benefits have led entities in technology, financial services, manufacturing and other industries to shift their computing strategies to focus on the cloud. Healthcare providers, however, have been slower to follow in those footsteps.
Only 43 percent of healthcare respondents called cloud computing pervasive, according to a survey published last year by The Economist. Meanwhile, 59 percent of finance executives and 58 percent of retail executives called the cloud significant.
Cloud computing represents the future of data storage for IT professionals, including those in healthcare. Technology and privacy leaders at provider organizations now must understand their role in maintaining compliance and ensuring security when using the cloud.
Fallacy: Healthcare Organizations Are Not Adopting the Cloud
While many individuals in healthcare think that their peers are not adopting cloud technology, that simply isn’t the case. A HIMSS Analytics survey of technology leaders at hospitals and health systems discovered that 65 percent of respondents made at least some use of the cloud. More than 87 percent of those using the cloud adopted at least one Software as a Service (SaaS) product, while 54 percent tapped the cloud’s Infrastructure as a Service (IaaS) building blocks. Cloud use may not be as entrenched in healthcare today as it is in other industries. Still, those statistics dispel the idea that provider organizations aren’t adopting cloud-based solutions.
Fallacy: The Cloud Is Less Secure than an On-Premises Option
Another misleading statement is that data is safer on-premises than in the cloud. This broad characterization oversimplifies the facts.
Cloud providers have a lot on the line when it comes to security; their entire business focuses on providing secure, reliable service. If they’re found to suffer from serious security vulnerabilities, customers will likely flee to the competition. With so much at stake, providers make significant investments in logical as well as physical security.
If you’ve ever visited a cloud data center, you know that the security is top notch. Guards patrol the facilities, cameras monitor the premises, and alarms warn of break-ins. Cloud providers also adopt strong technical controls to prevent customers and employees from gaining access to data belonging to other customers.
Security is strong in the cloud, but make no mistake: Healthcare organizations must verify those controls through a robust audit and assessment program.
Fact: Cloud Security Is a Shared Responsibility
While organizations can rest assured that cloud providers make security a top priority, that doesn’t absolve healthcare provider organizations, as customers, of their own security responsibilities. Security in the cloud follows a shared responsibility model, in which the vendor and the customer each take responsibility for different security activities. However, the exact division of responsibilities depends on the specific services in use.
Consider a health system that chooses to adopt a cloud-based backup service to ensure high availability of electronic patient records in the event that a natural disaster damages the primary data center. Behind only cost savings, robust disaster recovery is a primary motivation for provider organizations to move to the cloud, according to HIMSS Analytics.
While the cloud provider clearly bears responsibility for securing its physical data center, the healthcare customer, too, is responsible for appropriately backing up its organizational data. Other responsibilities should be defined clearly in a written agreement or contract between the customer and vendor. For instance, who bears responsibility for managing and rotating encryption keys? And who controls emergency access to data that’s been backed up?
Fallacy: HIPAA Prohibits the Use of Cloud Providers
One of the earliest ways that healthcare organizations dodged the trend of cloud computing was to hide behind HIPAA, believing that the law prohibited the use of cloud computing services.
The Department of Health and Human Services, however, has answered emphatically, and in the affirmative, the question of whether a HIPAA-covered entity may store electronic protected health information (ePHI) in the cloud or allow it to be processed by the cloud service provider or another business associate on behalf of the covered entity.
As long as a covered entity like a hospital or doctor’s office enters into a business associate agreement (BAA) with a cloud service provider, such use is perfectly legal. The BAA establishes the permitted and required uses and disclosures of ePHI, while requiring the cloud provider to protect such data.