Security in the cloud: Why it’s different and why defining encryption matters
Easy. Accessible. And always on. These attributes describe a large part of the appeal of the immediate information-sharing made possible by cloud-based digital communications solutions of the 21st century. Ubiquitous in the retail sector, these cloud-based solutions – initially shunned by highly regulated industries such as finance and healthcare – are now being embraced by those very industries as they seek to provide customers with the simple, affordable and convenient solutions they have come to expect – and now demand – in other areas of their lives.
But today’s always-immediately-accessible digital information has also given rise to the flip side of the coin: if information is readily available anytime, anywhere, how do organizations ensure that that same information is not readily available to anyone?
Hardly a day goes by without a report of a data or security breach. And it’s no wonder that the same organizations – and customers – who benefit from easy access to cloud-based digital information also worry about whether the personal information that is shared will remain secure.
With new cloud-based digital solutions popping up all over the place, many healthcare organizations are looking to the cloud to ensure a higher level of security. But does the cloud guarantee that? How is securing information that is stored in the cloud different from securing more traditionally housed information? And how do organizations ensure they choose a vendor solution that provides the highest cloud-based security standards possible?
Understanding cloud security
Surprisingly, cloud-based data systems do not necessarily require a higher level of security than data systems that aren’t cloud-housed. The level of security required is actually based on the value of the system or data that is being protected. For example, security requirements for private health information (PHI), personally identifiable information (PII) and payment card information (PCI) are rigidly defined – regardless of the method in which this data is stored.
Security-level differentiation for protected data that is being stored in the cloud is vital, especially in the healthcare industry. Patient privacy, unauthorized datamining and identity theft due to PHI exposure are just a few examples of serious issues that can arise when PHI is compromised. And yet, unbeknownst to most, the security requirements for safeguarding this sensitive data on a cloud-based system are the same as those necessary for maintaining secure paper patient records.
This may seem alarming, but it shouldn’t be. It is critical to analyze the various risks associated with a hacker accessing different types of databases. The level of difficulty that the hacker experiences (both procedurally and technically) when attempting to access protected data is important to consider. The challenges exist on a sliding scale, varying with the data storage method – from paper patient records to the cloud and every storage method in between.
Take, for example, the following hypothetical scenario. A thief is attempting to break into a local hospital system with the goal of retrieving PHI. If the hospital system stores patients’ paper records in a locked safe, the thief would have to not only break into the hospital, but also break into the room with the safe, crack the safe, carry the documents out and then manually sort through mountainous piles of patient data. Clearly, this type of scenario presents a plethora of challenges for the thief who is attempting to access unauthorized information.
Alternatively, a cyber-thief who is after data that is stored in the cloud has only minimal obstacles to overcome. There isn’t just one physical location to break into; cloud-stored data is essentially accessible from anywhere. Every laptop, workstation and smartphone related to the healthcare provider network – as well as automated penetration systems – is a potential target that can be used to gain access to confidential stored information. And, to make matters worse, should an inexperienced would-be hacker be inclined to take a crack at stealing cloud-stored PHI, hacker kits can even be rented or bought. A data thief who has to crack a physical safe to access such data faces a much more difficult task.
The evolving definition of encryption and its vital role in cloud security
With all the risks associated with cloud-based communications, many healthcare organizations wonder whether the cloud is actually safe and secure enough to store and share important patient data. It is, but it’s important to know why and how to ensure that security. Ultimately, while on the surface it appears that the cloud allows hackers convenient access to PHI, PII or PCI data, understanding the difference between “security” and “encryption” and evolving encryption standards is vital to understanding how to choose a cloud-based vendor solution that provides maximum information security.
Though the terms “security” and “encryption” used to be used almost interchangeably, today, security in cloud-based communications has evolved to mean that data is protected and encrypted – not just some of the time, but all of the time, from cradle to grave, at rest and in transit. Security in cloud-based communications must now be constant – meaning that software is updated twice per year to ensure that exposure to threats is minimized. And, in addition to this expanded definition of encryption, vendors that provide truly secure cloud-based solutions now consider detailed audit trails to be integral to the security of cloud communications.
With cyberattacks on the rise, cloud security is as critical as ever. Though just one click could potentially invite a security threat to the door, a security-first cloud-based solution will keep that threat outside. It will mitigate the risk of a cyberattack and ensure that healthcare organizations can offer customers cloud-based communications that allow them to experience the best of both worlds – convenient, anytime access to the information they want and need with the peace of mind that that information is secure and visible only to authorized users.