Organizations Are More Comfortable Putting PHI in Healthcare Cloud
Healthcare organizations are becoming more comfortable putting sensitive PHI in the cloud, observed Mike Jude, digital health research manager at Frost & Sullivan.
Source: Thinkstock
- Healthcare organizations are becoming more comfortable putting sensitive PHI in the cloud, observed Mike Jude, digital health research manager at Frost & Sullivan.
“For many cloud service providers, it's easy to put fairly good security on the cloud. Especially if you're in healthcare, putting a lot of your data in the cloud is one way of leveraging somebody else's cybersecurity investment,” Jude told HITInfrastructure.com.
This hasn’t always been the case. “For a long time, in healthcare there was a deep distrust about the cloud, because you're taking PHI, and you're placing it in a cloud environment that you don't directly control,” Jude observed.
He noted that healthcare organizations had a fear that a compromise could expoise a significant amount of sensitive patient data.
“They've gotten away from that. I’ve talked to a lot of healthcare providers, and the sense now is that you're putting your data in a repository where you can actually control performance by contract,” he said.
Cloud vendors are guaranteeing a certain level of security. "So you can have a cloud provider now who is applying cybersecurity standards in a HIPAA-compliant way,” Jude said.
On the other hand, the proliferation of the Internet of Things (IoT) devices in healthcare is opening networks to cyberattacks.
“In the case of IoT, you're increasing the number of potential points of compromise. IoT can be a significant threat to cybersecurity,” Jude observed.
Healthcare cybersecurity spending to reach $8.7B by 2023
Overall, healthcare cybersecurity spending is expected to increase in network perimeter protection, endpoint protection, access management, public-facing properties, detecting and mitigating exploits, and managed services, driving this market toward $8.7 billion by 2023, according to Frost & Sullivan.
The industry has niche players that deliver specific cybersecurity solutions to address various healthcare security concerns. These companies, as well as the larger ones, can gain additional growth opportunities by:
- Applying integrated security across the clinical workflow
- Providing solutions that can scale to thousands of devices and offer endpoint protection for mobile devices
- Establishing flexible approaches for the acquisition of cybersecurity suites
- Incorporating capabilities that decrease complexity and increase productivity
- Enabling new forms of security management such as location-based access and biometrics
- Addressing the budget issues of healthcare IT by offering flexible pricing models
Network perimeter is getting fuzzy
Jude said that the proliferation of IoT and mobile devices, as well as applications, has made the healthcare network perimeter “fuzzy.”
“It's really hard to secure a fuzzy perimeter, and a lot of the breaches that have been reported over the last year have had to do with breaching that perimeter of security. As everything becomes tied into our IT environments, the need to secure the perimeter is going to become acute,” he said.
Jude admitted that as the edge of the network becomes more dispersed, securining the network and access to data becomes a lot more difficult.
“Many of the breaches occur because things that we know how to do at the perimeter, we're not doing. We're not using good firewall hygiene. We're not doing access management very well. So, before you give up on protecting the perimeter, you should be doing those things that you know are going to curtail a great deal of your cybersecurity points of compromise. There's going to be that certain percentage of threats that are going to get through whatever defenses you build, especially as you put more devices out there,” he said.
If healthcare organizations can narrow the points of vulnerability, then it is easier to detect threats quickly and prevent compromise of the network and devices.
“More and more points of vulnerability develop. But you need to do the basics to keep them down to a dull roar. Things like network perimeter control and access are table stakes.You have to do it,” Jude concluded.
