HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Mitigating Security Risks in Healthcare Cloud Computing

The healthcare industry is currently experiencing a digital transformation; and, in every area – from the escalation of healthcare consumerism to the change of focus from healthcare volume to healthcare value – healthcare cloud computing is helping organizations reduce IT costs, increase productivity, and deliver better patient outcomes.

However, along with the benefits of healthcare cloud computing, there are also security risks. Security risks will be familiar to all organizations operating in the cloud; but, in the healthcare industry, data has a higher value than in most industries due to the opportunities to monetize it. Therefore, healthcare organizations have to be exceptionally vigilant.

Where the Majority of Security Risks Exist in the Cloud

The majority of security risks in the cloud exist in misconfigured cloud resources. Misconfigured resources often expose vulnerabilities that are identified by botnets and exploited by cybercriminals. What happens after that depends on the nature of the vulnerability and security mechanisms implemented elsewhere in the network to prevent lateral movement.

Most misconfigurations are attributable to “configuration drift” – when changes made to improve the capabilities of a resource expose a vulnerability, and then the revised configuration is used as a template for further deployments. While this can happen in security-conscious IT departments, it is more common in “Shadow IT” cloud environments that lack the same level of awareness.

Shadow IT can be Responsible for More Than Misconfigurations

Research into Shadow IT environments in healthcare organizations has uncovered many examples of Lines of Business circumventing security controls and utilizing unsanctioned cloud services “to get the job done”. While there may not be any malicious intent, these actions jeopardize security and could easily result in the accidental disclosure of sensitive information or malware infections.

Research has also found that Shadow IT environments can remain unidentified for many years due to a lack of visibility into user activity. The problem is caused by Cloud Service Providers preventing standard cloud management platforms from monitoring activity below the “level of abstraction” in order to protect the security and privacy of other customers using the same shared-tenancy infrastructure.

Obtaining Visibility in Healthcare Cloud Computing

The solution to this issue is to implement a cloud management platform that attaches agents to resources. While this does not provide total visibility, inasmuch as it is impossible to, for example, inspect packet data as a management platform could in an on-premises infrastructure, the enhanced level of visibility enables organizations to view all activity – even activity they didn't previously know existed.

Thereafter, organizations should consider creating a Cloud Center of Excellence – a team drawn from all Lines of Business, whose role it is to identify which resources and services are exposing the organization to risk, and either secure them or replace them with secure alternatives. The team should also develop cloud security policies to prevent the accidental/malicious misuse of sanctioned resources and services.

Monitoring Compliance with Cloud Security Policies

Because of the dynamic nature of healthcare cloud computing, it is impossible to manually monitor activity in the cloud. Furthermore, with enhanced visibility and Shadow IT coming under the centralized control of the Cloud Center of Excellence, there will be much more to monitor. Therefore, organizations are advised to implement a cloud management platform with policy-driven automation capabilities.

When considering such a solution, it is important the platform does more than just notify SOC teams of security violations. Often what can happen when organizations first apply cloud security policies is that SOC teams are overwhelmed by the volume of notifications and high priority violations can go unnoticed. For this reason, it is important low priority violations are mitigated automatically.

Mitigating Low Priority Violations Automatically

Depending on the capabilities of the cloud management platform, it should be possible to apply a cloud security policy and a function the platform should initiate if the policy is – or is about to be – violated. An example of this would be if the platform was configured to block the deployment of untagged resources or correct misspelled tags in order to enforce accountability. Other examples include:

  • With an enforced tagging policy, the platform can monitor for storage volumes tagged “PII” and encrypt any that are open to the public Internet.
  • The platform can also be configured to prevent unsanctioned changes to a resource that may expose a vulnerability.
  • Organizations can enforce IAM policies and check that high privilege accounts always have multi-factor authentication enabled.
  • Platforms can also be configured to block attempts to log into accounts outside normal working hours or from unrecognized IP addresses.
  • A similar process can be used to revoke access to an account if a user has failed to log in correctly on three occasions – preventing possible brute force attacks.

Mitigating low priority violations automatically prevents the SOC team from being overwhelmed and frees it to address high priority violations – which will be much simpler with enhanced visibility. It is also possible for administrators to configure the platform to initiate approval workflows if, for example, a user attempts to launch a resource or service that has not yet been sanctioned by the Cloud Center of Excellence.
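
The triage described above can be sketched as follows. This is an added illustration, not code from any cloud management platform: it covers a subset of the listed rules, and the record fields, rule names, tag vocabulary and the low/high priority split are assumptions, run over a constructed inventory.

```python
from difflib import get_close_matches

ALLOWED_TAGS = ["PII", "owner", "environment"]  # assumed tag vocabulary

# Constructed sample inventory; the schema is hypothetical.
RESOURCES = [
    {"id": "vol-1", "type": "volume", "tags": {"PII": "true", "owner": "radiology"},
     "public": True, "encrypted": False},
    {"id": "vol-2", "type": "volume", "tags": {"ownr": "billing"},
     "public": False, "encrypted": True},
    {"id": "vm-3", "type": "instance", "tags": {}},
    {"id": "acct-4", "type": "account", "tags": {"owner": "it"},
     "high_privilege": True, "mfa": False, "failed_logins": 3},
]

def evaluate(res):
    """Return (priority, rule, action) findings for one inventory record."""
    findings = []
    tags = res.get("tags", {})
    if not tags:
        findings.append(("low", "untagged", "block_deployment"))
    for key in list(tags):  # copy the keys: tags is corrected in place
        if key not in ALLOWED_TAGS:
            match = get_close_matches(key, ALLOWED_TAGS, n=1, cutoff=0.7)
            if match:  # treat a near miss as a misspelled tag and fix it
                tags[match[0]] = tags.pop(key)
                findings.append(("low", "misspelled_tag", f"retag:{key}->{match[0]}"))
    if res["type"] == "volume" and "PII" in tags and res.get("public"):
        if not res.get("encrypted"):
            findings.append(("low", "public_pii_volume", "encrypt"))
    if res["type"] == "account":
        if res.get("high_privilege") and not res.get("mfa"):
            # Assumption: missing MFA on a privileged account needs a human decision.
            findings.append(("high", "admin_without_mfa", "notify_soc"))
        if res.get("failed_logins", 0) >= 3:
            findings.append(("low", "failed_logins", "revoke_access"))
    return findings

def triage(resources):
    """Low priority findings are mitigated automatically; high ones reach the SOC."""
    queues = {"auto": [], "soc": []}
    for res in resources:
        for priority, rule, action in evaluate(res):
            queues["soc" if priority == "high" else "auto"].append((res["id"], rule, action))
    return queues

if __name__ == "__main__":
    for queue, items in triage(RESOURCES).items():
        print(queue, items)
```

With this sample data only one finding reaches the SOC queue; the other four are handled by the automated actions.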

Beyond Mitigating Healthcare Cloud Computing Risks

Cloud management platforms with policy-driven automation capabilities can be configured to do more than mitigate healthcare cloud computing risks. System administrators can apply cloud financial policies, cloud performance policies, and cloud operational policies to ensure the cloud environment is continuously optimized – thus further reducing IT costs and increasing productivity.

As organizations come under increasing pressure to increase investments in technologies that accelerate the digitalization of the healthcare industry, cloud computing is going to be more widely adopted throughout the industry. With total visibility, the elimination of Shadow IT, and policy-driven automation, organizations can take full advantage of the benefits of cloud computing while mitigating security risks in healthcare cloud computing.