Guest Column | October 5, 2016

Could The Public Cloud Cure Healthcare's Data-Breach Epidemic?


By Rich Campagna, VP Product, Bitglass

As the financial services industry has shored up its security and devalued stolen payment-card data on the black market with technologies such as EMV (chip-and-PIN) in smart credit and debit cards, hackers have shifted their target to medical records. With more than one third of Americans affected by medical-record breaches in 2015 alone, these hackers’ efforts have, unfortunately, been very successful. As healthcare organizations scramble to better protect patient data, they will find relief in one of the unlikeliest places: the public cloud.

Once feared to be a death knell for security and compliance, major public-cloud applications such as Office 365 and Salesforce have managed to steer clear of the massive breaches and hacker-induced outages that many originally feared, despite being mouth-wateringly large targets for black hats everywhere. How? Major cloud providers spend more on security personnel and security infrastructure than most enterprise CISOs could ever hope to see in their budgets.

Microsoft, for example, has committed to spending more than $1 billion per year on security. Its reason is simple: a cloud vendor’s entire business depends on its ability to safeguard customer data, and a massive data breach could very well be terminal. The result is that leading SaaS apps have very few application vulnerabilities, and those that are found are patched at lightning speed. These cloud-based apps are also protected as well as possible from denial-of-service attacks and other nefarious attempts at service disruption and data exfiltration.

With such a strong track record for security, why then do security and compliance continue to top the list of public-cloud jitters? Aside from losing the warm fuzzies of being able to physically see the servers in a data center, organizations are starting to realize that while the public cloud can be secure, keeping their data secure in the cloud depends on how they use the cloud. The same features that make the cloud such a productivity boon — such as ubiquitous access from any device and the ability to share data easily — are, ironically, the biggest data-leakage risks. In the first half of 2016, 57 healthcare firms experienced unauthorized disclosures that resulted in 320,000 leaked records, according to the Department of Health and Human Services.

As healthcare organizations migrate their dedicated EHR and practice management systems to the cloud, many are adopting a cloud-first strategy and moving other apps to the cloud as well. In fact, according to recent data, 36 percent of firms in the sector have already deployed a cloud productivity application such as Google Apps or Office 365 (up from only 8 percent in 2014). While dedicated healthcare services systems are architected with data governance and compliance in mind, general cloud vendors are often single-mindedly focused on infrastructure and application security, not on data security or HIPAA compliance.

Productivity applications are a critical piece of the security puzzle simply because a great deal of sensitive protected health information (PHI) inevitably finds its way into these systems. Whether it is Google Drive, Dropbox, or Office 365, many healthcare organizations are using cloud productivity apps in some capacity. IT is responsible for enabling secure, compliant access to these apps and for creating an environment where employees can collaborate more effectively without inadvertently leaking data. Third-party tools such as identity-as-a-service (IDaaS) products and cloud access security brokers (CASBs) are being employed to control how the cloud is used, ensuring the organization does not take on unnecessary additional risk in its quest for increased productivity and a stronger bottom line. Among other things, these tools are used to control access from unmanaged devices, to ensure that external sharing is done appropriately, and to mitigate the risk that user credentials are compromised.

Inadequate security precautions and any breach of HIPAA-protected health information, no matter the size or cause, can result in substantial penalties. Ponemon estimates breaches cost healthcare organizations an average of $398 per lost record in the U.S., higher than the $215 cross-industry average. The average total cost of a breach was $6.53 million in 2015. By procuring cloud apps with a strong security track record, and combining them with third-party tools to secure their use of the public cloud, healthcare organizations can improve their ability to protect medical records, which allows them to avoid fines and focus on their core competency — delivering care.