As healthcare organizations increasingly look toward Infrastructure as a Service as an acceptable form of IT service delivery, it’s imperative that leaders approach the architecture with eyes wide open.
IaaS operates in a shared responsibility model. This means the cloud provider is responsible for certain tasks relating to the physical data center, up to the hypervisor. Covered entities are responsible for tasks associated with maintaining and monitoring their virtual machines and applications.
5 Best Practices for Healthcare IaaS
With new regulations such as the General Data Protection Regulation, which went into effect in May, and growing cybersecurity concerns such as cryptojacking, it’s important to leverage best practices to help secure your IaaS environment. Five recommendations include:
- Protect the data: All too often, organizations will leave data unencrypted in the cloud, even though encryption both in transit and at rest is a key component of the HIPAA Security Rule. Encryption is also a key component of GDPR, which applies to any healthcare entity that processes any European Union patient data.
- Adopt credentialing: Create unique keys for each service and rotate the keys every 90 days. It’s not uncommon for keys to be exposed or breached, as breaches in the headlines illustrate.
- Layer security: Leverage multifactor authentication where applicable, such as for privileged and root accounts.
- Improve visibility: Implement monitoring tools to keep tabs on what is happening in your IaaS environment. Cloud providers can offer such services, or you can leverage third-party tools to help identify unauthorized access attempts while showing a history of application programming interface calls.
- Bolster access control and user provisioning: Implement identity and access management solutions to create the proper user roles and permissions for accounts in your IaaS environment. In addition, minimize risk by granting users the fewest permissions possible. Do not use the root user, except to create your first user.
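A small audit check that turns three of the points above into something a team can run against its own inventory and API-call history: keys past the 90-day rotation window, root-user activity beyond bootstrapping the first user, and repeated denied calls from one source. This is an added Python example, not code from the original article; the record layout and field names are constructed assumptions, not any provider's real log or key-metadata schema.

```python
from datetime import datetime, timedelta, timezone

KEY_MAX_AGE = timedelta(days=90)  # rotation window recommended above

# Constructed sample: one access key per service (assumed layout, not a real provider format).
ACCESS_KEYS = [
    {"service": "billing-api", "key_id": "KEY-A", "created": "2018-01-15T00:00:00Z"},
    {"service": "imaging-etl", "key_id": "KEY-B", "created": "2018-07-01T00:00:00Z"},
]

# Constructed sample API-call history (assumed layout, not a real provider format).
API_CALLS = [
    {"time": "2018-08-01T10:00:00Z", "user": "root", "action": "CreateUser", "result": "success", "src": "203.0.113.5"},
    {"time": "2018-08-01T10:05:00Z", "user": "root", "action": "ListBuckets", "result": "success", "src": "203.0.113.5"},
    {"time": "2018-08-01T11:00:00Z", "user": "svc-etl", "action": "GetObject", "result": "success", "src": "10.0.1.7"},
    {"time": "2018-08-01T11:01:00Z", "user": "unknown", "action": "AssumeRole", "result": "denied", "src": "198.51.100.9"},
    {"time": "2018-08-01T11:02:00Z", "user": "unknown", "action": "AssumeRole", "result": "denied", "src": "198.51.100.9"},
    {"time": "2018-08-01T11:03:00Z", "user": "unknown", "action": "AssumeRole", "result": "denied", "src": "198.51.100.9"},
]

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def stale_keys(keys, now):
    """Key IDs older than the 90-day rotation window."""
    return [k["key_id"] for k in keys if now - _parse(k["created"]) > KEY_MAX_AGE]

def root_usage(calls, allowed_actions=("CreateUser",)):
    """Root-user API actions other than creating the first user."""
    return [c["action"] for c in calls if c["user"] == "root" and c["action"] not in allowed_actions]

def denied_bursts(calls, threshold=3):
    """Source addresses with at least `threshold` denied calls: candidate unauthorized access attempts."""
    counts = {}
    for c in calls:
        if c["result"] == "denied":
            counts[c["src"]] = counts.get(c["src"], 0) + 1
    return sorted(src for src, n in counts.items() if n >= threshold)

def audit(keys=ACCESS_KEYS, calls=API_CALLS, now=None):
    """Run all three checks; `now` defaults to a fixed constructed timestamp so results are reproducible."""
    now = now or _parse("2018-08-01T12:00:00Z")
    return {
        "stale_keys": stale_keys(keys, now),
        "root_usage": root_usage(calls),
        "denied_bursts": denied_bursts(calls),
    }

if __name__ == "__main__":
    print(audit())  # prints the three findings for the constructed sample
```

Each finding maps back to a recommendation above: a stale key means rotation is overdue, any root action after bootstrap means day-to-day work is bypassing IAM, and a burst of denials is the kind of event the visibility tooling should surface.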
With new features being launched by public hyperscalers such as Microsoft, Google and Amazon, and attackers growing smarter and more creative about hacking, it’s increasingly difficult to stay continuously compliant in an ever-changing cloud world. Organizations running non-PHI (protected health information) workloads in IaaS should still follow these best practices to ensure that no unauthorized users can access the environment and wreak havoc.