HITRUST (formerly, the Health Information Trust Alliance) created a security framework to help organizations meet a range of standards, including those required by HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act.
Over time, misconfiguration of public cloud services presents another big vulnerability for healthcare organizations, says Chris Bowen, chief privacy and security officer for ClearDATA, a healthcare public cloud security firm.
“‘Compliance drift’ happens easily, as continuous deployment models are pushed through, and it can be a really big issue,” he says. “Sometimes, the configuration you put in place might drift out of compliance — someone unchecks an encryption check box with a line of code or inadvertently expands a permission group.”
That’s why healthcare organizations must clearly identify where sensitive, protected health information is flowing and bolster defenses around that data before moving to a public cloud.
“Don’t just take a compliance-based approach, but a risk-based approach,” Bowen says.
Thoughtful and Strategic Planning for Cloud Deployment
Geisinger, a Danville, Pa.-based health system, is currently conducting a public cloud assessment as part of a multiyear migration plan encompassing more than 1,500 applications — including its EHR platform. Leaders there know that the move is a significant undertaking.
“Ultimately, we are responsible for protecting our customers’ information as much as possible and not being negligent in any way,” says John Kravitz, the organization’s CIO.
Meeting that obligation, he adds, means working closely with Geisinger’s CISO and security team to ensure data control and access guidelines are followed throughout the migration process, tapping the expertise of outside partners with cloud security experience when needed.
It also means preparing for — and preventing — any potential hurdles.
“People need to take the time to understand the cloud is different than on-premises, because you don’t want to make a mistake when configuring. That’s the part we’re painstakingly going through now, including penetration testing from the outside,” Kravitz says. “It’s a new frontier for a lot of us, and we have to make sure we get this right.”
Taking Internal Responsibility for Cloud Security Measures
A healthcare organization’s CISO must be the resident expert on HITECH and HIPAA to figure out what capabilities are needed to meet compliance standards.
Forming a cohesive strategy with all members of the IT department is an important step, says Wes Wright, CTO at Imprivata, an IT security company.