
Providers Move to Healthcare Multicloud, Despite Security Concerns

Healthcare providers continue to move to multicloud environments as part of their digital transformation efforts, with 80 percent of respondents storing sensitive data in the cloud.


By Fred Donovan


A full 61 percent of 100 U.S. healthcare IT security professionals surveyed by IDC on behalf of Thales said they have 26 or more software-as-a-service (SaaS) applications, and nearly half have three or more infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) applications.

Multicloud environments make it more difficult to protect sensitive data, with 46 percent of respondents saying complexity is the top barrier to implementing data security.

IT Healthcare Pros Identify Cloud Data Security Concerns

Survey respondents identified several cloud data security concerns, including lack of visibility into the cloud providers’ security practices, lack of a data privacy policy, managing encryption keys across multiple cloud environments, security breaches at the cloud service provider, and security of data if the cloud provider fails or is acquired.

In terms of SaaS, respondents are particularly concerned about service level agreements and liability terms for a data breach, configuration management for data controls, and data encryption.

When it comes to IaaS, they are worried about encryption of data within the service provider’s infrastructure with keys managed by the provider, encryption of data with the ability to store and manage keys locally, exposure of detailed security monitoring, and support for hardware security modules.

For PaaS, respondents are worried about configuration management to configure data controls, detailed physical and IT architectural and security implementation information, and written compliance commitments for standards that apply to the organization.

“Data security is increasingly complex, particularly for healthcare organizations immersed in cloud and digital transformation initiatives. The focus should be to encrypt everything in the cloud and keep control of the data by centrally managing the keys to the encrypted data,” said Tina Stewart, vice president market strategy for cloud protection and licensing activity at Thales.

The survey found that less than 38 percent of respondents use encryption in cloud and other digital transformative environments.

Two-Thirds of Respondents Had Been Breached In Past

More than two-thirds of respondents said they had been breached at some point in the past, while one-third said they had a data breach within the past year.

“When sensitive patient information is breached, it poses significantly longer-term risks compared to other sectors – sometimes indefinitely,” said Frank Dickson, program vice president for security products research at IDC.

“Healthcare data is especially attractive to hackers because it’s far more valuable than other kinds of data that can be accessed and exploited. When healthcare data is stolen, damage cannot be fully mitigated. A credit card can be cancelled or a bank account can be closed, but private patient data circulates endlessly which opens opportunities for various types of fraud to occur again and again from a single breach,” Dickson added.

Healthcare organizations are putting more emphasis on data security, such as data loss prevention, digital rights management, encryption, and public key infrastructure, than on network security, such as endpoints, firewalls, and unified threat management, or application security, such as software development security, DevSecOps, and vulnerability scanning, the survey found.

IDC recommended that healthcare organizations take the following steps to improve data security in the cloud: focus on all threat vectors; invest in modern, hybrid, and multicloud-based data security solutions; prioritize compliance issues; and adopt new data security strategies, including encryption and access management.

“Healthcare organizations need to pursue a shared security model between themselves and their cloud providers in which the underlying infrastructure is secured by the PaaS, IaaS, or SaaS provider but the healthcare companies take on responsibility for using data protection methods like encryption, tokenization, and masking within their own environments to ensure protection when data moves between SaaS applications or migrates to other applications,” the IDC/Thales report observed.