Why Healthcare and Patient Data Security Need the Cloud

The following is a guest blog post by Laz Vekiarides, CTO and co-founder of ClearSky Data.

Though large organizations are increasingly offloading both compute and data storage to the cloud and services that are built on the cloud, many healthcare organizations have serious concerns about turning over patient health information to the care of anyone other than themselves.

Protected health information (PHI) is heavily regulated, and non-compliance carries stiff penalties. But beyond these regulatory obligations, physicians depend on patient data to make decisions about patient care; if that data is inaccessible or lost, people could suffer death or long-lasting harm.

That said, when run properly, the cloud and managed cloud services are actually safer than storing data on-premises.

Encrypting data end to end

The most basic step to ensuring data is secure is to encrypt it. And it’s not enough to encrypt data just when it is being transferred from one location to another. It must also be encrypted while it is being passively stored. Managing end-to-end encryption is complex, and few organizations possess the resources to do it themselves, but it’s absolutely vital to keeping data secure.

Even in the unlikely event of a cloud data breach, encrypted data is useless to anyone who takes it. For any organization dealing with PHI, data encryption should be standard operating procedure. A well-run cloud service will encrypt all data, and only the customers will possess the key to decrypt it.

Automatic disaster recovery and data protection

Any healthcare organization that is serious about data reliability needs to ensure that data backups happen more often than once a day, ideally coming as close as possible to an RPO (recovery point objective) and RTO (recovery time objective) of zero. Losing any patient information to corruption or accidental deletion could seriously affect patient care. And in the case of a ransomware attack, which a recent survey from Imperva showed was the highest security concern for healthcare IT management, backups are the last line of defense. Cloud providers should back up data nearly continuously throughout the day and replicate data in multiple locations to ensure near-zero data loss. In the event of a data breach or system failure, restoring data should take as close to under one minute as possible.

It’s critical to question your service provider about backup. Many IT professionals assume that data in the cloud is automatically protected because providers typically store copies of all data in multiple locations. Unfortunately, that’s not always the case. For example, in 2014, an attack on Code Spaces’ AWS EC2 control panel wiped out not only many of the company’s compute instances but also all of its S3 storage buckets and EBS snapshots. The company was unable to recover its data and shut down as a result.

A good service will run backup and disaster recovery automatically, with data stored in multiple locations and nearly instant recovery.
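The Code Spaces case shows that copies in several locations do not help when one control plane can delete all of them. The following check is an added example, not part of the original post: it measures the data-loss window (the RPO actually achieved) with all copies intact and again after every copy owned by the primary account is lost. The account names, regions, timestamps and the 15-minute target are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed inventory: when each recovery point was taken, and which
# account (control plane) has the authority to delete it.
INVENTORY = [
    {"taken": "2024-05-01T06:00:00", "account": "prod",  "region": "us-east-1"},
    {"taken": "2024-05-01T11:45:00", "account": "prod",  "region": "us-west-2"},
    {"taken": "2024-05-01T11:55:00", "account": "prod",  "region": "us-east-1"},
    {"taken": "2024-05-01T09:00:00", "account": "vault", "region": "eu-west-1"},
]

def data_loss_window(inventory, incident_time, lost_account=None):
    """Gap between the newest surviving recovery point and the incident.

    Copies owned by lost_account are treated as deleted. Returns None
    when no recovery point survives.
    """
    survivors = [
        datetime.fromisoformat(b["taken"])
        for b in inventory
        if b["account"] != lost_account
        and datetime.fromisoformat(b["taken"]) <= incident_time
    ]
    return incident_time - max(survivors) if survivors else None

def audit(inventory, incident_time, primary_account, rpo_target):
    """Return findings for the normal case and for loss of the primary account."""
    findings = []
    normal = data_loss_window(inventory, incident_time)
    worst = data_loss_window(inventory, incident_time, lost_account=primary_account)
    if normal is None or normal > rpo_target:
        findings.append("RPO target missed even with all copies intact")
    if worst is None:
        findings.append("no recovery point survives loss of the primary account")
    elif worst > rpo_target:
        findings.append(f"loss of '{primary_account}' widens data loss to {worst}")
    return findings

if __name__ == "__main__":
    incident = datetime(2024, 5, 1, 12, 0)
    for finding in audit(INVENTORY, incident, "prod", timedelta(minutes=15)):
        print(finding)
```

In the sample inventory the two-region replication inside the primary account yields a five-minute window, but only the older copy in the separate account survives if that account's control plane is compromised.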

Patches and updates are a non-issue

Keeping IT systems up to date and patched is an unrelenting, time-consuming job and, unfortunately, many IT organizations fail to do so. The healthcare industry is no exception. In fact, 57 percent of healthcare organizations that had a data breach fell prey to it because they failed to update their systems to fix a vulnerability for which a patch existed, according to a survey by the Ponemon Institute. Worse, one-third of these organizations knew about the patch, and still didn’t update. If an organization has numerous storage technologies in play — storage arrays, VPNs, backup and DR systems — all of them require individual update schedules to track, manage and implement.

If a healthcare organization is using a good cloud service, its IT teams shouldn’t have to worry about making sure its on-premises systems are up to date. The cloud provider will handle that automatically and will have its systems set to update automatically. That’s a major advantage over on-premises data management systems.

But beyond these concrete capabilities, focus is the biggest differentiator for security between storing data on-premises and storing it in a cloud service. It’s the key to doing anything exceptionally well. Healthcare IT is responsible for a complex mix of critical tasks, and securing the organization’s data is just one of them. A healthcare-ready, secure cloud service will have an entire team whose sole task is to ensure customers’ data is secure.

Not all cloud services are created equal, of course, but as long as a healthcare organization does its due diligence, and ensures the service provider encrypts data in transit and at rest, protects data continuously and automatically, and automates all system updates and patches, storing data in the cloud can be substantially safer than doing so on-premises.

About Laz Vekiarides
Laz Vekiarides is CTO and co-founder of ClearSky Data. Most recently, he served as the executive director of software engineering for Dell’s EqualLogic Storage Engineering group, where he led the development of numerous storage innovations and established the EqualLogic product line as a leader in host OS and hypervisor integration.