More Than Just Someone Else’s Computer
By Christopher Frenz, Information Security Officer/AVP of IT Security, Mount Sinai South Nassau
If we look back almost a decade ago, any search that occurred for the term cloud computing would likely reveal a few links to the meme that cloud was simply a fancy term for someone else’s computer. While in the early days of using many cloud services, that meme may have been a somewhat accurate description of how cloud worked, the current state of cloud computing has pushed far beyond just simply being someone else’s computer. Cloud adoption has often brought considerable advantages to organizations such as potential cost savings via economies of scale and the ability to be much more flexible in its IT infrastructure offerings as capacity can quickly and easily be scaled up or down. Moreover, cloud has opened up the door for many hospitals to have greatly improved business continuity and disaster recovery options as well as other critical advantages. The flexibility provided by cloud showed its advantages in healthcare during the pandemic as many hospitals had to rapidly rollout capacity for remote work, telehealth, and remote patient monitoring (RPM). Hospitals that had significant investments in cloud technologies (either public or private) were far more able to readily adapt to the challenges brought about by COVID-19 as they could readily scale up VDI for remote workforces, spin up the infrastructure required for telehealth, or perform other required changes far more easily.
Cloud is not inherently insecure and can even have a positive impact on security when done well.
Moreover, many of the advantages of cloud are just starting to be realized. Cloud service adoption increasingly brings with it the option for Big Data Analytics, machine learning (ML), and other analytic techniques to be applied to the health data that healthcare delivery organizations (HDOs) collect. When one considers the vast treasure trove of data that is now sitting in EHR systems, PACS, and other clinical systems, it becomes apparent that there will be identifiable patterns contained within those vast data sets that medical professionals can use to find ways of improving diagnoses, refining treatment options, or enhancing our understanding of conditions that can lead to disease. Cloud-based storage and analytics for the first time makes the resources required to conduct such analyses feasible for many healthcare organizations. Cloud has the potential to fuel not just the next round of IT innovation within healthcare, but also the next round of clinical innovation. When one further considers all of the additional data collected and harnessed via cloud from RPM systems, it becomes easy to imagine how a more complete and consistent mapping of the metrics that define health, for a given patient, can be examined than ever before. It’s an exciting time to be involved in the clinical aspects of healthcare IT.
The promise of all the discoveries and advances offered by cloud really shows that cloud has in many ways far outgrown that snarky old meme of simply being someone else’s computer as that meme does not do many of the benefits of cloud justice. With that being said, however, the meme while now inaccurate due to its oversimplicity, does still convey one very salient point. No matter the benefits of cloud offerings, any form of public cloud offering is not something that will ever be under full control of the HDO that subscribes to the service. It is important to remember that while cloud can be done securely, and in many cases, can even result in security improvements, cloud offerings do come with elements of third-party risk. There have been a number of high-profile data breaches and ransomware attacks in recent years where cloud services were compromised; compromises resulted in operational, clinical, and legal issues for impacted HDOs. As HDOs begin to adopt, or enhance their adoption of cloud services, they need to consider the risks of outsourcing these services to a third party. After all, HDOs can outsource the responsibility for certain aspects of security to these third parties, but they cannot outsource accountability when something goes wrong. A breach of third party housing the HDOs data is still effectively a breach of the HDO.
Any organization looking to adopt cloud services needs to consider implementing a third-party risk management program if they don’t already have one. HDOs need to assess vendors before onboarding them and begin to vote with their wallet by not onboarding vendors that do not meet their security requirements. This risk management process needs to include more than just getting a vendor to sign a BAA and needs to include some due diligence to ensure that the vendor can actually meet the terms of the BAA. Moreover, vendor risk management should not be a one-off process but needs to be assessed on a continuing basis to ensure that the vendor complies with security best practices. Organizations also need to pay special attention to the contracts they sign with cloud vendors and ensure that SLAs and other security languages are specified and agreed upon. Finally, who is responsible for what aspects of security should be clearly spelled out so if an issue arises, it is clear who is at fault. HDOs need to ensure they have as complete a picture as possible as to what risks they are taking on by contracting with any cloud service.
Cloud is not inherently insecure and can even have a positive impact on security when done well. When combined with infrastructure flexibility, disaster recovery, clinical analytics, and other advantages, it is easy to see why cloud is appealing and how it has the clear potential to improve IT operations and patient care. It is just important to keep in mind that cloud, as with any technology, is not a panacea and that it also has elements of risk. HDOs need to take the time to ensure they understand what those risks are before making investments in cloud services so that they help to ensure that the adoption of cloud brings benefits and not unexpected liabilities.