Moving healthcare to the cloud: Managing security risks
Part 4 of 5 of “Moving Healthcare to the Cloud”
Written by: Anupam Sahai, Vice President, Product Management, Cavirin
In the last blog of our Moving Healthcare to the Cloud series, we discussed the key considerations for healthcare organizations that are defining a cloud migration project. In this blog, we examine the technologies to apply in order to assess, manage and reduce the risk of security attacks.
While the cloud is proving to be less risky, more secure and more innovative than traditional on-premises IT, it is still not foolproof nor without risk. Healthcare organizations need to take every precaution in the cloud to ensure confidentiality, integrity, and availability.
In many cases, data must be properly encrypted, with keys stored separately from where the data is stored in order to maintain confidentiality. The number of admins who have access to the keys to decrypt the data should also be limited and all access should be logged and verified. Data integrity can be ensured only if admins and users who have appropriate levels of authorization can modify, manipulate, or delete the data.
Another key defense measure is your backup and recovery program. If a ransomware attack succeeds, you want to at least be able to fall back to an infrastructure and dataset that are free from compromise and can be safely used to get the business back up-and-running.
To protect your organization from ransomware, be sure to run on-going, frequent backups and test these backups as part of your disaster recovery plan tabletop exercises. Along with backup and recovery, also ensure all of your security policies can be applied uniformly to all public and private clouds as well as your on-premises data center. This will help ensure a consistent end-user experience with limited disruption to the business.
Assessing Your Security Posture
A good way to assess your current security posture is to utilize the “CIA” triad model: Confidentiality, Integrity and Availability. The model can guide your information security policies with respect to your data.
Confidentiality applies rules that limit access to information. Integrity assures the data is trustworthy, accurate, and has not been tampered with. Availability guarantees reliable access to the data only by authorized people.
If your organization achieves all three model components, you’ve got a solid security posture and can more easily address the challenges of cloud security. This is especially true for hybrid environments where users and data move back-and-forth from on-premises and cloud infrastructures.
Deploying Access Control in Hybrid Environments
One of the key challenges when it comes to securing hybrid environments is access control, which requires the enforcement of persistent policies. Adding to the risk is that access in hybrid environments is usually available to a large range of devices. This makes it difficult to create and secure persistency within access policies.
There are a range of access control models to choose from, and it’s imperative to determine which model is most appropriate for your organization—based on data sensitivity and operational requirements. When processing personally identifiable information or other sensitive information types, access control needs to be a core capability of your security architecture to ensure you comply with HIPAA regulations.
Multiple vendors provide privilege access and identity management solutions that can be integrated into your identity management platform, which is key because you may actually require multiple technologies to achieve the desired level of control. Multifactor authentication is another a component to further enhance security.
Given the complexity of access control and the dire consequences, if not handled properly, it’s best to consult with your IT partner!
Multiple Tools Required to Focus Efforts
Another key aspect to consider in enhancing your security posture is the set of tools you deploy for monitoring and responding to risks. This includes identifying risk, measuring risk, and mitigating risk.
It’s critical to rely on a combination of threat intelligence sources backed by analysis tools and security experts so you can put risks into context for the healthcare industry in general and your organization in particular. This makes it possible to know which threats represent the biggest risks so you can focus your efforts in the right place—and avoid wasting time on low-level threats and false positives that don’t represent any real threat at all.
We are excited about how popular this Blog series has been – the next posting will discuss how to operationalize security–this includes managing the security lifecycle, applying security policies, and establishing control to ensure compliance.