The migration of medical data onto the cloud presents challenges for both healthcare and cloud service providers.
Today healthcare providers are increasingly integrating the cloud into their workflow. According to market research firm MarketsandMarkets, 2017 will see such providers spend upward of $5 billion on cloud-based services and data management.
Exposure of 16 Million Medical Records
This transition to the cloud raises concerns that sensitive information, such as patient data, will be compromised. According to the US Department of Health and Human Services’ Office for Civil Rights, 2016 saw data breaches leading to the exposure of over 16 million medical records in the United States alone.
While awareness is on the rise, many healthcare providers still do not fully comprehend the nature of the cloud-related security threats that they face. They lack the resources to understand where their patient data is located, how and where it flows, and how to protect it at each stage of its lifecycle.
“When you consider that some hackers spend every waking moment scheming about accessing and controlling patient data, these providers are simply outgunned,” says Chris Bowen, Chief Privacy & Security Officer at US-based, healthcare-focused cloud provider ClearDATA.
With the benefits of cloud computing too compelling for healthcare organisations to ignore, those providing cloud services have a critical role to play in ensuring the virtual healthcare environment is robustly protected.
Mobile devices are increasingly important for the collection, processing and storage of healthcare data. While healthcare providers are becoming more effective at managing such devices, their diversity and highly dispersed nature present a huge attack surface for those determined to gain illicit access to data. Both the devices themselves and their networks require specific security controls to address this risk.
“Efficient and effective management of mobile devices demands the use of centrally located (preferably cloud-based) software that ensures the same security capabilities are installed across the board,” says Dr. Mike Edwards, a Cloud Standards Customer Council member and Senior Technical Staff Member at IBM’s Hursley Park R&D facility in the United Kingdom. “This software must be able to guard against hacker intrusion without impeding data flow.”
Access and authentication
Today a growing number of patients and non-IT professionals need and want access to medical data through the cloud. The provision of access to these so-called “citizen users”, who may not follow protocols or recognize processing problems, exacerbates the data protection and security challenge associated with cloud-based healthcare data.
Regulations such as the Health Insurance Portability and Accountability Act (HIPAA) in the United States and the General Data Protection Regulation (GDPR) in Europe enforce controls that are intended to protect healthcare data either at rest on storage media, or in motion through networks or processors.
A good first step toward building trust and confidence in the personal data protection and security of cloud-based healthcare systems is to establish identity through three-factor authentication, for both IT support staff and end users.
“This typically involves ‘something you have’, such as a MAC (media access control) address, ‘something you are’, such as video facial recognition enabled through a phone camera, and ‘something you know’, such as a PIN number or the answer to a question,” explains the CSCC’s Edwards.
This kind of system can often be reinforced by examining the location from which access is requested, and putting further challenges in place if access is from an unusual or unlikely location.
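A sketch of the location check described above, added here as an illustration and not taken from the article or from any vendor's product. The speed ceiling, the 50 km radius, the factor labels and all sample logins are assumptions constructed for the example.

```python
import math
from dataclasses import dataclass

REQUIRED = frozenset({"have", "are", "know"})  # the three factor kinds
MAX_KMH = 900.0   # assumed ceiling on plausible travel speed
NEAR_KM = 50.0    # assumed radius around a user's usual locations

@dataclass(frozen=True)
class Login:
    ts: float            # seconds since epoch
    lat: float
    lon: float
    factors: frozenset   # factor kinds already verified for this attempt

def km_between(a, b):
    """Great-circle (haversine) distance between two logins, in km."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    h = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2)
         * math.sin(math.radians(b.lon - a.lon) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def decide(current, previous, usual):
    """Return 'deny', 'challenge' or 'allow' for one access request."""
    if not REQUIRED <= current.factors:
        return "deny"                      # a factor is missing
    if previous is not None:
        hours = max((current.ts - previous.ts) / 3600.0, 1e-6)
        dist = km_between(previous, current)
        # Ignore small moves so GPS jitter between close logins is not flagged.
        if dist > NEAR_KM and dist / hours > MAX_KMH:
            return "challenge"             # unlikely: implied travel too fast
    if not any(km_between(current, place) <= NEAR_KM for place in usual):
        return "challenge"                 # unusual: far from known places
    return "allow"

# Constructed sample logins (not real data).
LONDON = Login(0.0, 51.5074, -0.1278, REQUIRED)
NEW_YORK_1H = Login(3600.0, 40.7128, -74.0060, REQUIRED)
NEW_YORK_10H = Login(36000.0, 40.7128, -74.0060, REQUIRED)
SYDNEY = Login(36000.0, -33.8688, 151.2093, REQUIRED)
USUAL = [LONDON, NEW_YORK_1H]  # places this user normally signs in from
```

A "challenge" result means asking for a further proof of identity before granting access, rather than refusing outright.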
Authentication is a step in the right direction when it comes to controlling data access, but it isn’t foolproof. Other measures must be applied, starting at the architectural stage of cloud adoption.
“The cloud should be created in such a way that it isolates data from the web,” says ClearDATA’s Bowen. “Encryption should be applied to data at rest and in transit. Some form of logical encryption at the database level to help protect against malicious insiders should also be considered.”
Perhaps the most revolutionary solution for ensuring the security of cloud-based healthcare data is the blockchain. Based on distributed databases that maintain a continuously growing list of tamper- and revision-proof records, state-of-the-art blockchain technology has all the ingredients to solve healthcare IT’s most intractable problems: interoperability and securing the integrity, completeness and privacy of digital health records.
“The blockchain could be used not only to create and maintain longitudinal, life-long and provider-independent electronic medical records, but also to ensure provenance and an audit trail impervious to any kind of modification,” says healthcare IT consultant and CSCC member Peter Melrose.
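The property that makes such an audit trail resistant to modification is hash chaining, shown here as an added example that is not from the article and is not a full blockchain. The record fields and sample events are constructed, and the function names are hypothetical.

```python
import hashlib
import json

GENESIS = "0" * 64  # placeholder "previous hash" for the first entry

def entry_hash(prev_hash, payload):
    """SHA-256 over the previous entry's hash plus a canonical payload."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

def build_chain(payloads):
    """Link each audit event to its predecessor by hash."""
    chain, prev = [], GENESIS
    for payload in payloads:
        digest = entry_hash(prev, payload)
        chain.append({"prev": prev, "payload": dict(payload), "hash": digest})
        prev = digest
    return chain

def first_bad_index(chain):
    """Index of the first entry whose link or hash fails, else None."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev:
            return i
        if entry["hash"] != entry_hash(prev, entry["payload"]):
            return i
        prev = entry["hash"]
    return None

def matches_anchor(chain, anchored_head):
    """Compare the chain head with a copy held by independent parties.

    A single holder can rewrite every entry and recompute every hash, so
    the chain alone only proves internal consistency. Distributing the
    head hash is what makes a full rewrite detectable.
    """
    return bool(chain) and chain[-1]["hash"] == anchored_head

# Constructed sample audit events (not real data).
SAMPLE_EVENTS = [
    {"record": "rec-001", "actor": "dr-a", "action": "create"},
    {"record": "rec-001", "actor": "nurse-b", "action": "read"},
    {"record": "rec-001", "actor": "dr-a", "action": "update"},
]
```

An in-place edit to one entry is caught by `first_bad_index`; a complete rewrite with recomputed hashes passes that check and is caught only by `matches_anchor`.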
The human angle
Most healthcare providers understand that they can’t simply rely on cloud security innovation to keep patient data secure. In the digital security realm, where people will always be the biggest weakness, awareness training is also essential.
“Both healthcare providers and their patients can mitigate the risk of data breaches by developing and maintaining a ‘privacy and security mentality’,” says the CSCC’s Edwards. “Patients can play a key role by demanding healthcare providers prioritise security in their cloud-based systems.”