4 healthcare cloud security recommendations for 2022
Despite initial hesitation, healthcare is increasingly moving to the cloud. In a July 2020 survey from Spok, 67% of healthcare professionals said there were no applications that they would not host in the cloud.
There’s no secret as to why: McKinsey has estimated that migrating to the cloud could generate up to $140 billion in additional value for healthcare companies by 2030 in terms of cost reduction, new product development and overall growth.
Still, many healthcare organizations have hesitations about moving to the cloud. Security is a particular concern, as the cloud expands the network perimeter beyond the four walls of the hospital to outpatient clinics, urgent care centers and even individual patients’ homes.
To help healthcare continue its transition to the cloud – whether as part of an ongoing strategic initiative or as a sudden shift driven by the need to deliver remote care during COVID-19 – Damian Chung, business information security officer for Netskope, offers four security recommendations for healthcare IT leaders in 2022.
Sign a BAA with your CSP
Under the Health Insurance Portability and Accountability Act (HIPAA), a business associate is any entity that creates, receives, maintains or transmits protected health information (PHI) on behalf of a covered entity. Companies that perform services such as claims administration, quality assurance, benefits management and billing qualify, and HHS guidance treats a cloud service provider that stores or processes electronic PHI as a business associate as well, even when the data is encrypted and the provider never holds the key.
Accordingly, Chung encouraged healthcare organizations to push their CSPs to sign a business associate agreement, or BAA, so that the provider formally assumes responsibility for safeguarding the organization’s PHI.
“If a CSP is not willing to sign a BAA, then you have to ask yourself, ‘Do they treasure your data as much as you do?’” Chung said. “The BAA provides assurance to organizations that we protect their data, that we provide training to our employees, and that we store and process consumer data securely.”
See who controls your data
Healthcare’s traditional network perimeter no longer exists. Many physicians and nurses may work at multiple locations for the same institution, sometimes visiting several locations in one day, or clinical staff may conduct research at a nearby university.
These scenarios present challenges that on-premises systems didn’t, Chung said. For example, a physician on rotation at the hospital will need full access to the hospital’s instance of Office 365. They shouldn’t also have full access to their practice’s instance of 365, but they will need limited access in case urgent messages come through. Likewise, if that researcher uses Office 365 within the hospital but Google Drive at the university, then their access to Drive (which the hospital doesn’t manage) needs to be limited while they’re in the hospital.
“Since data is going everywhere, the idea is to be able to control where the users are going,” Chung said. “Your concern shouldn’t be losing control of your data, but retaining visibility of where it’s going and ensuring that it’s secure.”
Manage user access with adaptive trust
As with the traditional network perimeter, traditional role-based architecture no longer exists in healthcare. Part of this stems from clinical professionals working in different settings on different days, and part of this is due to the sheer number of applications, both on-premises and cloud-based, which users may need. For some organizations, the number of cloud-based apps alone can exceed 1,000, Chung said.
“We’ve always been putting users into groups that access certain applications – but does everyone in that group need access to all applications?” he said.
Recognizing that not all healthcare organizations are ready to embrace zero trust, Chung recommended an approach he described as “continuous adaptive trust.” Here, access management is set up to validate users in real-time with every transaction, and access is also reevaluated in the context of trust and risk policy. “That’s where we need to get to,” he said.
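The two scenarios above (the physician who needs full access to the hospital tenant but only limited access to the practice tenant, and the researcher whose unmanaged Google Drive must be constrained while on hospital systems) and the per-transaction re-evaluation Chung describes can be made concrete with a small policy engine. The following is an added example written for this page; it is not Netskope's product logic or any real vendor's API. The app inventory, user affiliations, risk weights and thresholds are all constructed for illustration, and in a real deployment the affiliations would come from the identity provider and the session risk from telemetry.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"        # full access
    LIMITED = "limited"    # read-only, e.g. enough to see an urgent message
    STEP_UP = "step_up"    # re-authenticate (fresh MFA) before proceeding
    DENY = "deny"


@dataclass(frozen=True)
class Request:
    """One transaction, scored on its own; nothing is cached from earlier calls."""
    user: str
    app: str                  # key into APPS below
    action: str               # "read", "write", "download" or "share"
    device_managed: bool      # hospital-enrolled endpoint?
    on_hospital_network: bool
    mfa_age_minutes: int      # minutes since the last MFA challenge
    session_risk: int = 0     # 0..100, hypothetical anomaly score from telemetry


# Constructed inventory: who manages each tenant and whether it holds PHI.
APPS = {
    "hospital-o365":     {"owner": "hospital",   "phi": True},
    "practice-o365":     {"owner": "practice",   "phi": True},
    "university-gdrive": {"owner": "university", "phi": False},
}

# Constructed affiliations; in production this is an IdP / HR feed.
AFFILIATIONS = {
    "dr.lee": {"hospital", "practice"},
    "r.chen": {"hospital", "university"},
}

SENSITIVE_ACTIONS = {"download", "share"}


def risk_score(req: Request) -> int:
    """Illustrative weights: unmanaged device and stale MFA dominate,
    off-network access to PHI adds a smaller penalty."""
    score = req.session_risk
    if not req.device_managed:
        score += 40
    if req.mfa_age_minutes > 60:
        score += 20
    if not req.on_hospital_network and APPS[req.app]["phi"]:
        score += 15
    return score


def evaluate(req: Request) -> Decision:
    """Continuous adaptive trust: every request is evaluated in full, so the
    decision for the same user and app can change as the session's risk does."""
    app = APPS.get(req.app)
    if app is None:
        return Decision.DENY                        # not in inventory: no shadow apps
    if app["owner"] not in AFFILIATIONS.get(req.user, set()):
        return Decision.DENY                        # no relationship with that tenant
    if app["owner"] != "hospital":
        # Tenant the hospital does not manage: keep enough access for urgent
        # messages but block moving data into or out of it from hospital context.
        return Decision.LIMITED if req.action == "read" else Decision.DENY
    score = risk_score(req)
    if score >= 60:
        return Decision.DENY
    if score >= 30:
        return Decision.STEP_UP
    if app["phi"] and req.action in SENSITIVE_ACTIONS and req.mfa_age_minutes > 15:
        return Decision.STEP_UP                     # bulk PHI movement needs fresh MFA
    return Decision.ALLOW


def replay(requests):
    """Evaluate a sequence of transactions; returns one decision per request."""
    return [evaluate(r) for r in requests]


if __name__ == "__main__":
    # A session that starts clean and degrades as telemetry raises its risk.
    session = [
        Request("dr.lee", "hospital-o365", "read", False, False, 5, session_risk=0),
        Request("dr.lee", "hospital-o365", "read", False, False, 5, session_risk=10),
    ]
    for r, d in zip(session, replay(session)):
        print(f"{r.user} {r.action} {r.app} risk={risk_score(r)} -> {d.value}")
```

The point of `evaluate` is that there is no session-wide "trusted" flag: the physician on rotation gets `ALLOW` on the hospital tenant from a managed device, `LIMITED` read access on the practice tenant and `DENY` on a download from it, while the same hospital request from an unmanaged device off the network comes back as `STEP_UP` and, once the session's anomaly score rises, as `DENY`.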
Don’t slow down innovation as budgets, hiring tighten
With hospitals forced to postpone the elective procedures that drive revenue, IT departments can expect budgets to tighten in 2022, Chung said. Organizations may also face pressure to prioritize hiring for staffing shortages in nursing and residential care, which account for nearly all of the industry’s estimated 450,000 jobs lost over the last two years, according to the Bureau of Labor Statistics.
Limited funding and hiring may seem like a signal to slow things down, but Chung said this is actually the opportune time for healthcare organizations to ramp up their cloud efforts.
“The need to become more efficient will drive digital transformation and the push to the cloud, but it’s important to think about that before you make that push,” he said. These steps include proactively setting security policies and controls that anticipate moving applications and data to the cloud, as well as looking ahead at hardware contracts up for renewal to see where a cloud migration makes sense.