When cloud computing entered the mainstream in 2006, it promised to radically — and rapidly — change how organizations stored and processed data. The years since have seen a monumental shift toward the cloud (and away from on-site storage), as businesses in nearly every industry leveraged it to realize significant cost savings, increased flexibility, and other benefits.
While healthcare organizations were initially slow to make the switch, that’s no longer the case. According to McKinsey, healthcare organizations are positioned to enjoy an additional $70-$140 billion in EBITDA by 2030 by embracing cloud computing. It should be no surprise, then, that a recent survey conducted by DuploCloud found that an estimated 70% of healthcare organizations have adopted cloud computing solutions, a figure they expect to approach 90% by 2025.
But as more and more healthcare organizations make the move to the cloud, they must answer a critical question: What’s the best way to protect sensitive patient data?
Below, we discuss the importance of cloud security in healthcare, take a look at key threats you should be aware of, and provide an overview of different types of cloud solutions you might leverage. We also offer tips you can use to craft your strategy for protecting patient data as your healthcare organization migrates to the cloud.
Why is healthcare cloud security important?
In order for healthcare organizations to effectively onboard and treat patients, they must collect vast swaths of sensitive patient data, such as medical records, prescription lists, insurance information, payment details, and other personally identifiable information (PII).
This is true of all types of healthcare organizations — from hospitals and clinics to telehealth services, pharmacies, developers of medical products, insurers, and everything in between.
In the wrong hands, however, this information can be used to commit a variety of financial crimes like money laundering, tax evasion, identity theft, and insurance fraud. This means your organization’s data reserves are a treasure trove for bad actors to target and potentially exploit.
With this in mind, you have a responsibility to your patients to ensure any information you collect and store, on or off the cloud, is protected from prying eyes. Failure to meet this responsibility can significantly damage your brand reputation and cause you to lose patient trust. In the worst case, it can lead to legal repercussions and regulatory enforcement such as fines, or even the possibility of jail time.
Types of healthcare cloud solutions
Cloud service providers (CSPs) come in three main forms: Infrastructure-as-a-Service (IaaS), Software-as-a-Service (SaaS), and Platform-as-a-Service (PaaS). CSPs in each of these categories typically serve different roles for an organization, and it’s possible for a single healthcare organization to employ multiple CSPs from multiple categories.
Infrastructure-as-a-Service CSPs essentially replace on-site infrastructure (such as servers, networks, and storage) with remote, cloud-based infrastructure. All of the hardware associated with this infrastructure is owned and maintained by the IaaS provider, as opposed to the client. Microsoft Azure and Amazon Web Services (AWS) are two well-known examples of IaaS providers.
With Software-as-a-Service, software is hosted on the cloud instead of being installed on a company’s physical machines. Instead of owning the software outright, client organizations typically pay a subscription fee. SaaS solutions are very common: Many telehealth services, electronic health records (EHR) systems, and customer relationship management (CRM) tools now follow the SaaS model. With this in mind, even organizations that house their data on-site in their own infrastructure likely leverage at least one cloud-based solution.
Platform-as-a-Service providers offer infrastructure (like IaaS providers) as well as a cloud-based environment that organizations can use to build, test, and deploy custom applications. This solution is often leveraged by healthcare organizations that prefer to develop their own solutions instead of (or in addition to) leveraging SaaS solutions. Many IaaS providers also offer PaaS solutions.
Threats to healthcare cloud security
The primary risk of leveraging cloud computing in healthcare is that it introduces a potential pathway for bad actors to inappropriately access sensitive healthcare data.
Bad actors can achieve this in a number of ways, including:
- Misconfigured security settings within the cloud service
- Malware, ransomware, and spyware infection
- SQL injection
- Zero-day exploits
- Denial-of-service (DoS) attacks
- Advanced persistent threats (APTs)
- Data corruption and loss
- Phishing, credential stuffing, password spraying, and other types of account takeover attacks
In order to embrace a cloud computing solution, a healthcare organization must essentially provide a link between itself and the cloud service provider — in the form of a data transfer, an API, or some other connection. This link is what enables all of the benefits that the cloud provides. But that link can also be a vulnerability. That’s why it’s so critical that any cloud service provider you choose to work with has strong encryption and security protocols in place.
Safeguarding your patients’ sensitive data
Under HIPAA, healthcare organizations must secure sensitive patient data. Failure to meet the regulation’s requirements can result in fines of up to $50,000 per incident or a prison sentence of up to 10 years. With this in mind, regardless of whether or not your organization leverages cloud-based solutions, it’s important to follow the best practices for securing health data.
In addition to these best practices, there are additional steps you can take to help safeguard your patients’ data when leveraging cloud-based solutions.
Understand who is responsible for securing the data.
Generally speaking, cloud service providers are not considered Business Associates under HIPAA. This means CSPs typically do not assume responsibility for protecting your patient data out of the box. That said, cloud service providers may be willing to sign a business associate agreement (BAA) when working with healthcare organizations. This agreement shifts responsibility for securing the data over to the CSP.
When selecting a cloud service provider, look for one who is willing to sign a BAA and officially take on the responsibility of protecting your patient data. Likewise, look for a solution that is HIPAA compliant.
Adopt a robust identity and access management (IAM) framework for your organization.
Identity and access management refers to the policies, processes, and technologies your organization uses to manage the digital identities of employees and patients — and it’s a critical piece of safeguarding your organization’s data.
A robust IAM framework that includes identity verification during patient onboarding, two-factor authentication during login, and reverification during high-risk moments (such as when a user tries accessing sensitive information) can help protect sensitive data from prying eyes and inappropriate access.
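The three IAM controls described above can be expressed as one access decision: the request is denied if identity proofing never happened or no second factor was presented, and access to sensitive records triggers a step-up reverification when the last second factor is too old. The following is an added illustration, not Persona’s code or any real product’s policy; the sensitivity tiers, the 15-minute step-up window and the 12-hour session lifetime are assumed values chosen for the example.

```python
from dataclasses import dataclass, replace
from enum import Enum
from typing import Optional

class Sensitivity(Enum):
    PUBLIC = 0     # e.g. appointment availability
    INTERNAL = 1   # e.g. non-clinical account settings
    PHI = 2        # medical records, prescriptions, insurance and payment details

# Assumed policy values for this example (not from the original post).
MFA_MAX_AGE_FOR_PHI = 15 * 60     # seconds: PHI needs a second factor within the last 15 minutes
SESSION_MAX_AGE = 12 * 60 * 60    # seconds: primary login expires after 12 hours

@dataclass(frozen=True)
class Session:
    user_id: str
    identity_verified: bool            # identity proofing completed at onboarding
    authenticated_at: int              # epoch seconds of the primary login
    mfa_verified_at: Optional[int]     # epoch seconds of the most recent second factor, None if never

@dataclass(frozen=True)
class Decision:
    outcome: str   # "allow", "deny" or "step_up"
    reason: str

def evaluate_access(session: Session, sensitivity: Sensitivity, now: int) -> Decision:
    """Decide whether a request may proceed, must be refused, or needs reverification first."""
    if not session.identity_verified:
        return Decision("deny", "identity was never verified during onboarding")
    if now - session.authenticated_at > SESSION_MAX_AGE:
        return Decision("deny", "session expired; a new login is required")
    if session.mfa_verified_at is None:
        return Decision("deny", "two-factor authentication was not completed at login")
    # High-risk moment: sensitive records require a fresh second factor.
    if sensitivity is Sensitivity.PHI and now - session.mfa_verified_at > MFA_MAX_AGE_FOR_PHI:
        return Decision("step_up", "reverify the second factor before accessing PHI")
    return Decision("allow", "policy satisfied")

def record_mfa(session: Session, now: int) -> Session:
    """Return the session as it looks after a successful step-up reverification."""
    return replace(session, mfa_verified_at=now)
```

A real deployment would also write each decision to an audit log, since HIPAA reviews depend on being able to show who accessed which record and under what conditions.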
Here at Persona, security is our top priority — our business depends on it. Our cloud-based products and solutions were designed with privacy regulations in mind, including HIPAA, CCPA/CPRA, and GDPR, and we’re certified to the highest industry security standards. Let us store sensitive PII for you so that you can focus on what you do best: providing care to your patients.