Moving Healthcare to the Cloud: Operationalizing Security
Part 5 of 5 of “Moving Healthcare to the Cloud”
In the last blog of our Moving Healthcare to the Cloud series, we presented how organizations can assess, manage and reduce the risk of security attacks. In this blog, we discuss how to operationalize security in order to ensure digital assets remain protected.
After migrating IT systems to the cloud, integrating your cloud environment with on-premises systems, and assessing your security risks, the next step is to operationalize your ongoing security program. By following the best practices presented in our previous blogs, you should already have the framework for a robust system in place.
The program should include a consistent security policy to help you determine everything you need related to protection, audits and remediation. A robust policy serves as a bedrock for establishing a strong security posture and helps you make sure you can answer all the key questions as you delve deeply into the details. Here’s just one example of the many scenarios you will need to consider:
- How long can patient records be stored on-premises?
- Does the length of time for storage change if you move records to the cloud?
- Are there privacy and regulatory issues to be concerned about in one cloud platform versus another?
As this example illustrates, security and compliance become more complex when you move part of your IT infrastructure to the cloud and integrate it with on-premises systems and other cloud environments. But with a proper robust framework in place, you can make sure you ask all the right questions so that the answers identify any security policies and controls you need to change.
Security Lifecycle Management Maintains Security Posture
Operationalizing security involves establishing a lifecycle management program in order to maintain the security posture of your cloud and on-premises infrastructure—from conception to the retirement of various components through all the stages of deployment, integration and support. Tools, applications, operating software and even the hardware appliances will likely go through upgrades and then eventually be replaced by new technologies.
Other components, such as policies and controls, will also go through revisions as business, IT and data conditions change. Here’s a rundown of the key components to manage:
- Security Policies—document system constraints that determine the data that the internal staff, patients, Business Associates and other end users can access. The policy should answer the basic questions, “Which groups of end users can do what on each system, and which data sets can they access?” They can also be defined by time, physical position within the facility, and geo-location if the users are operating remotely.
- Security Controls—apply documented processes and countermeasures, such as firewalls, to prevent as well as detect and mitigate security risks to your data and digital assets. The controls should safeguard sensitive information and prevent unauthorized system usage. The controls need to match your policies and must be monitored to ensure proper enforcement. Misconfigured or unattended controls could result in an increase in exposure, oftentimes increasing the risk with a false sense of security.
- Application Development Security Framework—it’s just as important to protect your application development and staging environments as it is to protect your production environment. These environments are also subject to cyberattacks and thus need the same level of defense and monitoring.
- Compliance Auditing—involves a comprehensive review of your adherence to regulatory guidelines, such as HIPAA. While internal audits should occur on a regular basis, regulatory bodies will require you to hire independent consultants to validate your compliance preparations and assessments.
- Security Monitoring and Response Tools—there’s a wide range of tools to choose from for both security risk monitoring and response, and it’s important to rely on multiple, integrated tools so that you can put attacks into context. You need to make sure you focus on those presenting the highest risk and avoid working on any false positives.
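The question a security policy has to answer (which group can do what on which system, against which data sets, optionally limited by time, position in the facility, or geo-location) can be written as a default-deny rule check. The following is an added example, not part of the original blog; every group, system, data set, zone and country name in it is a constructed, hypothetical value.

```python
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class Rule:
    group: str                   # end-user group the rule applies to
    system: str                  # system the rule applies to
    actions: frozenset           # what the group may do on that system
    datasets: frozenset          # which data sets it may access
    hours: tuple = None          # (start, end) time window; None = any time
    zones: frozenset = None      # positions within the facility; None = any
    countries: frozenset = None  # geo-locations for remote users; None = any

# Constructed sample policy (hypothetical names, for illustration only).
POLICY = [
    Rule("nurse", "ehr", frozenset({"read", "update"}),
         frozenset({"vitals", "medications"}),
         hours=(time(6, 0), time(20, 0)), zones=frozenset({"ward-3"})),
    Rule("business_associate", "billing", frozenset({"read"}),
         frozenset({"claims"}), countries=frozenset({"US"})),
]

def in_window(now, hours):
    """True if `now` falls inside the window, including windows that wrap midnight."""
    start, end = hours
    if start <= end:
        return start <= now <= end
    return now >= start or now <= end

def is_allowed(req, policy=POLICY):
    """Default deny: allow only when one rule matches every attribute of the request."""
    for r in policy:
        if (req["group"] != r.group or req["system"] != r.system
                or req["action"] not in r.actions
                or req["dataset"] not in r.datasets):
            continue
        if r.hours and not in_window(req["time"], r.hours):
            continue
        # A request that omits a required attribute fails the condition.
        if r.zones and req.get("zone") not in r.zones:
            continue
        if r.countries and req.get("country") not in r.countries:
            continue
        return True
    return False
```

A request that matches no rule, or that leaves out an attribute a rule requires, is denied, so a gap in the documented policy shows up as blocked access rather than as silent exposure.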
As you formulate your policies, controls and tools, the data access given to various end users will need to vary before, during and after a security breach. As data sets grow bigger, as compliance laws evolve, and as end users become more educated and empowered, the need to adhere to mandates is just one of several reasons to keep ahead of any regulation.
Ongoing monitoring to uncover policy violations and to determine if there are corrective actions to be taken is critical. But monitoring under steady-state conditions (where no active response is needed) is also vital. It allows you to establish an “All Clear” baseline against which deviations can be recognized.
Also a Competitive Differentiator
In addition to protecting your digital assets, maintaining a strong security posture and staying ahead of compliance regulations (even before the deadline) can be used as competitive differentiators. If your patients see evidence that your organization is proactively addressing security issues, they will be more likely to want to be treated by your doctors and nurses. Likewise, your Business Associates will more likely want to do business with you.
The falsehood that advertising your security policies will result in a hacker attack is not a reason to avoid raising security awareness. In fact, promoting your security efforts will stimulate laggards to get moving, which will benefit the entire healthcare industry!
In our next ‘Moving Healthcare to the Cloud’ blog, we will wrap up the series by discussing how to measure the success of your efforts in establishing a strong security posture.