May 07 2019

Cloud Tools Help Healthcare Organizations Extend their Security Coverage

Hospitals and clinics of all sizes increasingly adopt a variety of solutions for more optimized protection.

In seven years as CIO, Michael Gaskin has seen Camarena Health grow from a small, rural community healthcare provider to a midsized one. But he’s continued to prioritize information security just as larger, urban organizations would — including employing cloud security software.

The provider, which runs 14 clinics in Madera County, Calif., uses traditional on-premises security technology, such as network firewalls and anti-virus desktop software. But in recent years, Camarena Health has strengthened its security posture with cloud-based data loss prevention and next-generation endpoint security software.

“We are only an IT staff of 14 people, so we have to rely on partners to help us augment our security,” Gaskin says. “We certainly have internal security products, but we absolutely use the cloud.”

Security is a constant battle for healthcare providers of all sizes, but increasingly, organizations are moving to deploy cloud-delivered security tools to reduce risk, simplify management and control costs.

To prevent data breaches and combat evolving threats, providers can choose among a growing number of subscription-based cloud security applications. These include email protection, web content filtering and cloud access security brokers, which allow IT staff to enforce security policies for cloud applications.


“Now, almost anything you can do on-premises, you can do in the cloud,” says Frank Dickson, research vice president of IDC’s security products research practice.

Cloud security tools are particularly effective for healthcare organizations with multiple locations or for a mobile workforce, such as home healthcare workers, because the IT department can centrally manage computing devices and secure data, he says.

“The trend is greater and greater for moving to the cloud,” Dickson says. “You may not have a fully baked IT staff in every location, so the cloud enables simplification and the ability to cover a greater number of facilities. It’s less for you to manage and provides for greater efficiency and effectiveness.”


A Layered Security Strategy

Since Gaskin’s arrival in 2012, Camarena Health has added 11 clinics, and plans to add another three locations soon. Because of the rapid growth, he’s had to scale IT security operations to ensure patient and employee information is protected. To do so, he relies on a multilayered strategy that started on-premises.

“As we’ve expanded, we’ve become a bigger target, so we had to up our game,” says Gaskin, who manages two data centers running mission-critical applications such as electronic health records, financial software and Exchange email.

The organization first standardized on new in-house solutions, installing traditional anti-virus software on computers and a virtualized appliance running Proofpoint’s email DLP solution as well as its email encryption solution, which protects email from viruses, malware and spam and encrypts email if it identifies protected health information.


In 2014, Camarena embraced cloud security tools, deploying Proofpoint’s broader cloud-based DLP software called Data Discover. The solution monitors the organization’s network file systems and SharePoint folders to ensure security policies, such as access rights to data, are enforced.

If the tool discovers data at risk, it alerts IT staff. Data Discover initially uncovered five or six sensitive files that were accessible to every employee. Gaskin quickly remedied the situation by adjusting access control policies or moving the files to secure locations.

“It goes back to data sprawl,” he says. “People accidentally put spreadsheets in wrong locations, and this ensures that the proper people have access to PHI.”

The cloud-based software integrates well with Camarena’s Proofpoint email security software. In fact, when Gaskin deployed Data Discover, he used the same security rules and policies from his Proofpoint email security deployment.

“We didn’t have to reinvent the wheel,” he says.

Extended Control Across Multiple Sites

Sacramento, Calif.-based Sutter Health — which comprises 24 hospitals, 33 urgent care centers and several dozen specialized centers throughout Northern California — also takes a multilayered approach to security, using a mix of in-house and cloud security tools. Chief Information Security Architect Jason Elrod calls the latter “force multipliers,” which he says significantly improve the organization’s overall security posture when combined with on-premises solutions.

As employees and patients increasingly use mobile devices and cloud-based software, the boundaries of where and how patient data is accessed are getting blurred. To protect data that’s housed in its internal data centers, Sutter Health last year implemented a cloud-based CASB tool that allows its on-premises DLP software to safeguard data when employees use cloud services, such as online file storage or Microsoft Office 365 for email, Elrod says.

“It takes our on-premises DLP solution and extends that control and visibility into our cloud assets,” he says. “If an employee tries to upload a spreadsheet with patient data to an online file storage site, it stops you from doing it.”


14: Number of clinics comprising Camarena Health, up from three in 2012 (Source: Camarena Health)

Sutter Health has also built a security operations center where IT staff uses on-premises security information and event management tools to monitor the IT infrastructure and provide incident response. It takes a best-of-breed approach and deploys cloud security tools if they are the best option for patients and the organization, Elrod says.

For example, Sutter uses Cisco Umbrella, a cloud-based web content filter that prevents employees from going to malicious websites. It also uses cloud-based email security software and last year installed cloud-based next-generation anti-virus software to protect computers.

With cloud anti-virus, the company doesn’t have to buy and manage servers to run the software, and it bolsters security because a software agent on each computer communicates with a security solution driven by artificial intelligence that detects attacks. Users no longer have to rely on downloading the latest anti-virus signatures.

“If users are not on-premises and have not VPNed into the network, they can still be protected even though they haven’t talked to the mother ship in a while,” Elrod says.

Easier Integration for Privacy Tools

Ram Ramadoss, vice president for privacy and information security and EHR compliance at CommonSpirit Health (formerly Catholic Health Initiatives), says security tools are easy to deploy, manage and scale, which is important for large, complex healthcare organizations, particularly in an era of mergers and acquisitions.

For example, Englewood, Colo.-based CHI, which has 101 hospitals and clinics in 18 states, has deployed cloud email security software, a cloud SIEM tool to check security logs and a cloud privacy tool that ensures the organization meets privacy compliance requirements.

Providers say they have not faced any integration issues with their cloud and on-premises tools. But that doesn’t mean they can’t occur. To ensure compatibility, healthcare organizations must make sure the tools they purchase have good integration with one another through vendor partnerships or APIs.

Camarena Health, which has about 400 employees, still uses traditional anti-virus software, but for additional protection, it also subscribes to Carbon Black’s cloud-based, next-generation endpoint security software. It goes beyond anti-virus signature files and analyzes behavior to spot suspicious activity and block zero-day attacks. Gaskin has no qualms about adding more cloud solutions in the future.

“If the choice is hiring a security specialist and buying all the tools the specialist needs or writing checks for these providers? These cloud offerings win out,” he says.

Illustration by LJ Davids; Photography by Robert Houser
