Theresa Meadows, Senior Vice President and CIO of Cook Children’s Health Care System in Texas, shares how her organization is keeping security top of mind while migrating to the cloud.

Feb 15 2023

‘A Better Long-Term Solution’: How Health Systems Keep Workloads in the Cloud Secure

IT security remains a priority as healthcare organizations move to the cloud.

Theresa Meadows knows all the stats, especially the ones that show the range of cyberthreats that healthcare organizations face every day. As senior vice president and CIO at Cook Children’s Health Care System in Fort Worth, Texas, it’s her job to keep tabs on such things while looking for solutions to reduce risk.

Cook Children’s has made progress in this area in recent years by moving more of its workload to the cloud, Meadows says.

“It’s probably the same for us as it is at a lot of other healthcare organizations,” she says. “A lot of our applications today are delivered through cloud-based services, and in many instances, these solutions are more secure than what we could provide ourselves.”

The challenge involves ensuring that’s the case. Cook Children’s will typically consider a new cloud solution when it’s ready to upgrade a clinical or business system and identifies a need for better agility and scalability. At the moment, for example, the health system is transitioning its finance and human resources systems to a cloud-based solution from Workday.

Click the banner for access to exclusive HealthTech content and a customized experience.

The evaluation process covers ­everything from compatibility to cost and the quality of customer service, but it also includes a comprehensive risk assessment led by the health system’s CISO.

“Any vendor we’re potentially going to use must go through that assessment,” Meadows says. “We ask them about everything — their security infrastructure, their policy and procedure management, how they segment their networks — and then, based on their response, we can determine whether they’re a good fit or not.”

Cook Children’s also relies on a third-party system that allows it to check whether a particular vendor has experienced significant security issues in the past. “If it has an A rating, we know it’s in good shape, but if we start seeing C’s and D’s and F’s, then that’s probably not a risk we’re going to take,” Meadows says.

For the services that do meet their requirements, Meadows says, the organization bolsters its security posture further by reserving the right to conduct audits of the vendor’s environment and by planning for possible worst-case scenarios. If Cook Children’s will be relying on a cloud company for data backup and recovery, for example, it insists on a legal agreement detailing how that process will take place. The organization also ensures that if anything goes wrong (say the vendor is hacked and goes offline), it’s prepared to manage solo.

“Probably the biggest risk we have is that something happens with a cloud-based system, and we can’t run the business,” Meadows says. She points to the Kronos outage in late 2021, when a ransomware attack left some healthcare organizations without functional payroll systems. “We always have a good contingency plan, so we know what to do in a situation like that.”

EXPLORE: Tips for improving management in complex healthcare cloud environments.

The Importance of Knowing Your Cloud Service Provider

As organizations migrate to the cloud for everything from electronic health record (EHR) hosting to enterprise resource management, many have come to the same conclusion as Meadows and her team at Cook Children’s.

“They’re recognizing that they can look to cloud service providers to improve IT security in ways they simply can’t on their own,” says Lynne Dunbrack, group vice president with IDC. “At the same time, they’re also realizing that moving to the cloud doesn’t solve everything.”

Dunbrack says that over the past several years, IDC has surveyed organizations to get a sense of the benefits they’ve experienced on their cloud journeys and found that many IT leaders said better security topped the list.

“Healthcare organizations must understand exactly how that cloud serv­ice is being provided,” Dunbrack says. “Where will your data be stored? Is it complying with HIPAA? Does it offer a business associate agreement?”

It’s also critical to do due diligence on the cloud service provider’s subcontractors, Dunbrack says. “With a BAA, the vendor is on the hook if something happens, but it’s also your brand reputation that’s at stake, as well as your ability to continue caring for patients.”

That’s good advice, Meadows says, adding that she keeps in mind that the cloud can’t do everything. “It’s right for certain things, but you have to figure out what those areas are. It needs to be a business- and risk-driven decision.”

Making Smarter Decisions About Cloud Security in Healthcare

Mark Fred, COO and CIO at Monticello, Ill.-based Kirby Medical Center, is another healthcare IT leader with plenty of experience making decisions about cloud-based solutions.

KMC moved its EHR to the cloud in 2018, Fred says. “The system we had was becoming obsolete, so our choice was to either migrate then or go ahead and invest millions in new hardware.”

The organization decided on a cloud-based solution in part for the flexibility it offered, but also because it was a clear opportunity for KMC to improve security.

For a smaller facility like KMC, Fred says, it can be harder to maintain a solid patching strategy. “If you don’t have the resources to carry out patching on a regular basis, that alone can be reason to work with a cloud company that has those processes in place.”

Beyond that, Fred says, the primary reason he’s confident that the EHR shift and subsequent cloud migrations have helped his organization become more secure has to do with the decisions that were made when choosing between vendor options. When it comes to backups, for example, he says that KMC hasn’t cut corners on the packages it’s purchased to keep data safe.

READ MORE: Find out why healthcare organizations rely on cloud-driven care.

“We’ve gone all-in,” he says. “Distant backup, frequent replication, local backups, an encrypted backup: You weigh what you’d be willing to lose in the event of a cyberattack, and then you decide what you’re going to do to make sure the worst doesn’t happen.”

Because email is one of KMC’s biggest risks, Fred says, his team is now working to migrate from its current Exchange Server to Microsoft 365. And down the road, he predicts, the organization will pursue other cloud initiatives to adhere to security best practices.

“We’re always looking for ways to remove physical servers and go toward cloud computing where it’s practical and possible,” Fred says. “It saves space, it’s a better long-term solution, and 9 times out of 10, if you choose a good provider, it’s going to make your organization more secure.”

Photography by R.J. Hinkle

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT