Cloud Security and Healthcare: Recap of iHT2 Panel with Cameron Camp of ESET
The Institute for Health Technology Transformation (iHT2) brings together private and public sector leaders fostering the growth and effective use of technology across the healthcare industry. Each year, the Institute hosts a series of events & programs which promote improvements in the quality, safety, and efficiency of health care through information technology and facilitating knowledge exchange. I attended the 2014 iHT2 Health IT Summit in Boston last month to see ESET Security Researcher Cameron Camp participate in a panel discussion titled, “Data Security in the Cloud: Leveraging the Low-Cost Advantages while Managing Risk.”
This conference attracts over 200 C-level, physician, practice management and IT decision-makers from North America’s leading provider organizations and physician practices. In a session moderated by Pat Ouellette, editor of HealthITSecurity.com, Camp spoke with several other local executives in healthcare: David Reis, PhD, CGEIT, CISSP, CRISC, ScrumMaster, CISO, VP of IT Governance, PMO and Security, Lahey Health; Christopher Logan, chief information security officer, Care New England Health System; John Meyers, PhD, assistant professor of Medicine and Director of Technology, Department of Medicine, Boston University Medical Center; and Julian Lovelock, senior director of Product Marketing, HID Global.
The premise of the panel was that the healthcare industry must protect and keep private huge volumes of patient data they transmit daily. Regulations, most notably the Health Insurance Portability and Accountability Act (HIPAA), hold providers to high standards. While they protect the data, they must also keep it available. Compliance can be burdensome for practitioners, who specialize in treating patients, not managing IT. This must all be accomplished while simultaneously decreasing costs.
In anticipation of the electronic movement, healthcare providers are turning to cloud computing as an effective way to tackle complex technology issues, panelists explained. By outsourcing IT infrastructure management, providers can free up resources to focus on patients instead of equipment. In addition, cloud computing delivers auditable security levels often difficult to achieve in small hospitals or practices.
Panelists agreed that technologies like cloud and virtualization can provide an opportunity to improve services to patients, to share information more easily than ever before, and to improve operational efficiency at the same time.
A few years ago, the cloud was like the gold rush. It is now at a mature phase and organizations are putting more trust in the technology than they did four to five years ago.
A key challenge following this shift is the maintenance of patient privacy. Yet, how can a healthcare organization be sure it is protected from risk using a cloud-based model? Panelists discussed strategies for switching to the cloud while remaining compliant with the new HIPAA regulations.
The first issue to be discussed was identifying the risk connected to public and private cloud and how an organization should control encryption keys as needed. Camp suggested that people should first understand “the context around the data, be that in a BYOD setting or in the cloud.” All data is not alike, and an organization should prioritize the risk of data. Security must also be easy to use and sit within the context of policy.
The discussion also touched on putting uncontrolled data on the cloud. What happens in the event of a breach? How much risk can organizations stomach? It is up to the organizations to require diligent monitoring from cloud vendors. Organizations should not be afraid to ask vendors about details on policies and how they handle breaches.
The panel then talked about the effects of the HIPAA Omnibus Rule changes on business associate agreements (BAAs). For example, what are the best practices? Camp pointed out that it is difficult to determine where the perimeter is in an organization’s network. A few years ago, the IT department took care of it all. Now we are relying on cloud vendors, who also depend on others. This makes it more difficult to control the data and keep it secure. He also said that a cloud vendor has different business imperatives, and they have to be honest when it comes to their security approach and process.
One lively conversation pertained to how threat management and risk management are evolving. Panelists agreed that organizations should understand where the data is and adapt policies accordingly. All devices and people are not the same. Along those lines, the panel discussed trustworthiness of people on the inside and the outside. We should be as careful about the behavior and activity of people on the inside as we are with people on the outside.
One of the group’s main conclusions was that healthcare lags most industries in terms of security by a good 10-15 years. They also said that healthcare organizations overall have fewer policies on BYOD than in other industries. This shows that the industry wants to liberate the data to maintain productivity and may not be doing all it can to ensure privacy and security of its data.
I talked for a few minutes with Cameron after the panel, and he said that the cloud will be very different in even two years. That might seem good from a progress standpoint; however, with healthcare already behind now, will it fall even further behind as the technology advances?
What are your thoughts about cloud security in healthcare?
By Davida Dinerman