“Now, almost anything you can do on-premises, you can do in the cloud,” says Frank Dickson, research vice president of IDC’s security products research practice.
Cloud security tools are particularly effective for healthcare organizations with multiple locations or for a mobile workforce, such as home healthcare workers, because the IT department can centrally manage computing devices and secure data, he says. “The trend is greater and greater for moving to the cloud,” Dickson says. “You may not have a fully baked IT staff in every location, so the cloud enables simplification and the ability to cover a greater number of facilities. It’s less for you to manage and provides for greater efficiency and effectiveness.”
A Layered Security Strategy
Since Gaskin’s arrival in 2012, Camarena Health has added 11 clinics, and plans to add another three locations soon. Because of the rapid growth, he’s had to scale IT security operations to ensure patient and employee information is protected. To do so, he relies on a multilayered strategy that started on-premises.
“As we’ve expanded, we’ve become a bigger target, so we had to up our game,” says Gaskin, who manages two data centers running mission-critical applications such as electronic health records, financial software and Exchange email.
The organization first standardized on new in-house solutions, installing traditional anti-virus software on computers and deploying a virtualized appliance that runs Proofpoint’s email DLP solution as well as its email encryption solution. These protect email from viruses, malware and spam, and encrypt email when protected health information is identified in it.
In 2014, Camarena embraced cloud security tools, deploying Proofpoint’s broader cloud-based DLP software called Data Discover. The solution monitors the organization’s network file systems and SharePoint folders to ensure security policies, such as access rights to data, are enforced.
If the tool discovers data at risk, it alerts IT staff. Data Discover initially uncovered five or six sensitive files that were accessible to every employee. Gaskin quickly remedied the situation by adjusting access control policies or moving the files to secure locations.
“It goes back to data sprawl,” he says. “People accidentally put spreadsheets in wrong locations, and this ensures that the proper people have access to PHI.”
The cloud-based software integrates well with Camarena’s Proofpoint email security software. In fact, when Gaskin deployed Data Discover, he used the same security rules and policies from his Proofpoint email security deployment.
“We didn’t have to reinvent the wheel,” he says.
Extended Control Across Multiple Sites
Sacramento, Calif.-based Sutter Health — which comprises 24 hospitals, 33 urgent care centers and several dozen specialized centers throughout Northern California — also takes a multilayered approach to security, using a mix of in-house and cloud security tools. Chief Information Security Architect Jason Elrod calls the latter “force multipliers,” which he says significantly improve the organization’s overall security posture when combined with on-premises solutions.
As employees and patients increasingly use mobile devices and cloud-based software, the boundaries of where and how patient data is accessed are getting blurred. To protect data that’s housed in its internal data centers, Sutter Health last year implemented a cloud-based CASB tool that allows its on-premises DLP software to safeguard data when employees use cloud services, such as online file storage or Microsoft Office 365 for email, Elrod says.
“It takes our on-premises DLP solution and extends that control and visibility into our cloud assets,” he says. “If an employee tries to upload a spreadsheet with patient data to an online file storage site, it stops you from doing it.”