
Feb 04 2025
Security

How Health Systems Manage Security in the Cloud

With the right cloud management tools and readiness to share security responsibilities, healthcare organizations can enjoy the cloud’s benefits while maintaining a strong defensive posture.

As providers shift from traditional data centers to cloud-based environments, they are adapting their cybersecurity strategies to address the cloud’s unique challenges and opportunities.

A critical aspect of the transition is understanding that health systems must stay proactive in safeguarding their data. That can surprise organizations that expect cloud service providers to manage cybersecurity fully, says Errol Weiss, chief security officer for Health-ISAC, a global nonprofit information sharing and analysis center focused on security in healthcare.

Health systems moving to the cloud should be prepared for a shared responsibility model, Weiss says, with each party’s roles depending on the architecture and the cloud provider involved.

“There are varying levels of responsibility, and organizations need to plan for this, have the staff to adequately manage and run it, and have the tools to manage these differences,” he adds.

For example, in a serverless environment, organizations must secure identities and access rights, while the cloud provider secures the containers or virtual machines. If a server is deployed in the cloud, the partner may secure only the physical infrastructure and network connectivity, while organizations address other exposure points, Weiss says.

With the right model in place, organizations can confidently leverage the cloud’s advantages, including greater disaster recovery and business continuity resiliency, while strengthening their defenses through cloud-native approaches such as zero trust.


Cloud Tools and Risk Assessments to Support Healthcare

An essential first step toward ensuring cloud security is determining which cloud model best aligns with an organization’s capabilities, physical profile, budget and other considerations, says Anahi Santiago. She’s the CISO at ChristianaCare, which has hospitals in and around northern Delaware, and a board member at Health-ISAC.

For instance, hospitals with limited IT staff may lean on cloud-based electronic health record (EHR) systems and other Software as a Service (SaaS) applications with minimal security requirements. As they grow their resources and capabilities, providers may look at models requiring a more active role in security, such as Infrastructure as a Service or Platform as a Service.

ChristianaCare’s cloud-first approach has resulted in a hybrid environment tailored to the needs of various use cases, Santiago says.

“We have a complex mix, but if we can move it to the cloud, we believe that’s best served by the economies of scale that are provided,” she says, adding that vetting potential partners is critical. “We have a very robust risk assessment practice to ensure they are aligned with our security practices and controls and are not posing undue risks.”

In keeping with the shared-responsibility model, ChristianaCare also evaluates whether it may need to implement additional cloud security technologies. “As we start to move workloads to the cloud, we think about what new security tools we need to employ so we have the right level of visibility and control into the cloud environment,” Santiago says.


The Value of Healthcare Peers in the Cloud

One aspect of cloud security that is posing new complexities is virtual care and the “hospital at home” model, Santiago adds. “All of those devices and care delivery mechanisms need to talk back to the hospital via the cloud, so now we have to look at how we use the cloud to protect them,” she says.

One benefit of Health-ISAC and similar organizations is the opportunity to discuss these and other emerging concerns with peers. Nearly 1,000 healthcare organizations belong to Health-ISAC, which Weiss refers to as a “virtual neighborhood watch program.”

For instance, Health-ISAC members can connect with others who use the same public cloud providers to share information about nuances of those environments. Health-ISAC also develops information about threats and vulnerabilities, a service that is particularly helpful for small organizations without the budget for threat intelligence support, he says.

For most organizations, Weiss notes, moving to the cloud can benefit security, as long as they have the skills and resources to uphold their end of the shared-responsibility model.

“You’re getting the benefit of the managed service in all sorts of ways that boost security, including best practices and the ability to leverage the learnings from those cloud providers,” he says.

Meanwhile, organizations can continue to grow their own expertise, including the ability to leverage observability, automation, and detection and response to optimize cloud security, he adds: “Investing in your team and their skills, especially those that help increase the number of deployments that leverage code and automation, will continue to pay big dividends in security.”


The Many Layers of Security in the Cloud

Franciscan Health, a 12-hospital system serving Indiana and Illinois, recently expanded its cloud environment by migrating its Epic EHR to Microsoft Azure. It already had approximately 400 SaaS applications and an existing relationship with Azure.

However, the Epic move represented a new level of complexity, says Charles Christian, CTO and vice president of technology.

The organization knew that moving Epic to Azure would enhance security and improve data access to support patient care, Christian says. But his team also realized that its involvement was crucial to establishing and maintaining a secure environment.

“In the beginning, we assumed, as many people do, that it’s a walled garden, and you’re going to have some inherent protections. But what we’ve learned is that it’s no different from securing your own data center,” he adds.

That means, for instance, firewalls inside Azure, data loss prevention tools, diligent patching and best practices such as least-privilege principles and temporary admin passwords. The team uses Microsoft’s built-in dashboards and similar tools for monitoring purposes, Christian says.

Source: CDW, “2024 CDW Cloud Computing Research Report,” September 2024

For additional security, Franciscan’s Splunk Cloud Platform also sits in Azure. A managed services provider analyzes Splunk logs, while in-house staffers manage security for Epic, Christian says. It helps, he adds, that Franciscan’s cloud architect has a background in networking and security — valuable expertise as the organization has refined its cloud security strategy.

“We’ve been working for a very long time to ensure that we have enough gates that people have to go through that they’re just going to get tired before they get inside,” Christian says. “It’s a multilayered approach, and that’s what security has to be.”

Moving Epic to Azure also set the stage for more resilient disaster recovery and business continuity capabilities, including limited-access, immutable backups. In addition to separating Epic environments within the cloud, Franciscan Health placed those assets across two data centers in different geographic regions, Christian says.

“We’re trying to create an environment that we can recover very quickly, not within weeks but days,” Christian says.
