Years before the pandemic, the healthcare industry had already been busily digitally transforming itself. Yet, the pandemic did pull years of demand for telehealth and remote work forward into 2020. While this created a rapid and considerable shift to cloud computing, it also left a considerable number of legacy systems in place — as well as quite the challenge for cybersecurity teams charged with securing these systems. One could say it's been a very challenging couple of years for healthcare security teams.
Consider the safety concerns raised by the 168 US-based healthcare cybersecurity professionals who responded to the 2020 HIMSS Cybersecurity Survey. That survey found several patient safety concerns resulting from security incidents, including the disruption of non-emergency clinical care (61% of respondents) and the disruption of emergency services (28%). Within the survey, 17% of respondents also cited serious patient injury or harm as a concern.
Today, many of the industry's cybersecurity challenges are due to talent shortages, the heavy burden of legacy systems and technical debt, the growing number of endpoints, and the increased complexity of modern healthcare technical environments. Every year a more significant part of the healthcare technology environment consists of cloud systems. While cloud computing can help simplify the management and security of healthcare systems, it can also be confusing where the responsibility for cloud security starts and ends for the healthcare organization and where the cloud service provider picks up responsibility.
Healthcare organizations must get cloud security right. This post will detail the three primary types of cloud services, how the healthcare industry tends to use each, and provide resources on how to secure each effectively.
Healthcare cloud solutions
There are three distinct types of cloud services: Platform-as-a-Service (PaaS), Software-as-a-Service (SaaS), and Infrastructure-as-a-Service (IaaS).
Let's look at each:
As "infrastructure" as a service, IaaS provides foundational computing resources as virtualized services over the Internet, such as essential storage, servers, and networking. The IaaS provider manages and maintains all of the associated hardware typically found within a traditional data center: the physical building and facilities, the physical computer hardware, physical networking equipment, and more.
The benefits of IaaS in healthcare
This cloud computing model makes it simpler and faster to deploy computer workloads. Because IaaS is pay-as-you-go, it can also make it much more cost-effective for healthcare organizations. IaaS can also alleviate healthcare providers' IT management and burden while also providing scalability to grow computing resources, when necessary, without a capital expenditure burden or having to hire staff. Well-known examples of IaaS include Amazon Web Services, Microsoft Azure, and Google Compute Engine.
How to secure IaaS
When it comes to securing IaaS, the cloud service provider is responsible for managing the security for the underlying networking, storage, servers, and virtualization, while the customer is responsible for managing the security of everything running on top of the infrastructure, such as the operating systems, middleware, data, and applications.
The PaaS model provides everything found within IaaS (managed infrastructure) and a dedicated cloud environment designed to build and deploy applications. That means an integrated development environment (IDE) consisting of application development tools, collaboration tools for developers, and tools for testing code. And just like a physical data center, the PaaS provides the necessary databases and the software used to connect all the various applications so that data and systems are integrated.
The benefits of PaaS in healthcare
Because PaaS provides infrastructure and the IDE, healthcare organizations can securely develop applications in the cloud with fewer resources than they'd need if they were managing that technology stack in-house. Known PaaS examples include AWS Elastic Beanstalk, Google App Engine, and Salesforce's Force.com.
How to secure PaaS
In PaaS delivery, the cloud services provider ensures everything the IaaS provider secures and manages data and applications. This means healthcare providers that develop applications in PaaS, for instance, must still focus on developing those applications with secure coding practices in mind and securing access to those applications and associated data.
Software-as-a-Service is hosted software consumed over the Internet, instead of software installed within a company server or data center and accessed that way. While the SaaS provider maintains centralized control over the software, each customer gets their own version of the software. Commonly known examples of SaaS include Salesforce.com, Google Workspace, etc., and many healthcare-related applications are delivered via SaaS, including healthcare picture archiving and communication systems (PACs), electronic health records (EHR), telehealth services, and more.
The benefits of SaaS in healthcare
With the world of healthcare constanlty evolving, SaaS could be a preferable option due to the software already being configured and installed within your system. This reduced installation and ramp up time could increase the ROI quicker than traditional methods. This integrated cloud infrastructure could also lead to lower costs and the ability to scale should that need arise sooner than expected.
How to secure SaaS
With SaaS, the cloud services provider secures every aspect of infrastructure and service delivery that is secured by IaaS and PaaS providers, in addition to the application security and data security. Of course, the customer is responsible for managing and monitoring the access of authorized individuals to the SaaS application.
Where to find healthcare cloud security insights
Whether it's IaaS, PaaS, or SaaS, cloud computing helps healthcare organizations to achieve more because the cloud offloads the management burdens associated with in-house data centers. The cloud service providers deliver the infrastructure, application and services management, development, and much of the security needed.
Still, we say "much" of the security needed because each cloud service delivery model requires different types of security. For instance, as we saw above, SaaS providers are responsible for the inherent security of the applications they deliver and the security of the data they host. But even here, there are still quite a few security steps necessary for the healthcare organization, such as identity management and effective third-party due diligence (how well does the cloud service provider run its security program?). In contrast, with IaaS, the cloud service provider is responsible for securing the virtualization down the technology stack. At the same time, the customer must make sure that everything used above that layer is secured.
It can get confusing and complicated, especially when trying to secure virtual workloads and containers — and as the number of healthcare-related attacks shows, much more healthcare organizations must do to secure their systems. Fortunately, there are several places to turn for quality help and information regarding cloud security.
The Cloud Security Alliance's Security Guidance for Critical Areas of Focus in Cloud Computing provides organizations with the best practices necessary to keep their clouds secure. The guidance offers real-world cloud security practices. Founded in 2008, the CSA is a not-for-profit that aims to promote best practices for providing security assurance within cloud computing.
The European Union Agency for Cybersecurity, or ENISA, recently published a study, Cloud Security for Healthcare Services. According to ENISA, the study provides security practices for healthcare. It identifies security aspects, including relevant data protection aspects, to be considered when procuring cloud services for the healthcare industry. ENISA was founded in 2004 by EU Regulation No 460/2004 and worked closely with EU Members States and others to improve cybersecurity.
NIST Health IT Program
The U.S.'s National Institute of Standards and Technology (NIST) Health IT Program provides a lot of information about how healthcare organizations can secure their systems, as well as helping to established standards and interoperability with advanced healthcare IT systems. The NIST Health IT page is available here, while the NIST National Cybersecurity Center of Excellence Healthcare can be found here. NIST recently published the NIST Cybersecurity Practice Guide, SP 1800-30, Securing Telehealth Remote Patient Monitoring Ecosystem.
Healthcare security is going to remain challenging for years to come. Still, with the proper understanding and resources, there's no reason healthcare organizations can't both deliver care using the most cost-effective and advanced technologies available while also keeping those systems and patient data secure.