The healthcare industry is a minefield of data. Even a small breach can put the lives of thousands of people at risk. Unfortunately, the industry that worked day and night to save the world had its fair share of cyber attacks last year. According to Verizon, healthcare experienced a 58% increase in industry data breaches in 2020.
As COVID-19 changed things, the healthcare industry had to re-evaluate its security preferences, and hospitals began turning to the cloud to support telemedicine and other applications. For hospital security teams, the prospect of protecting data in the cloud is, at the very least, unsettling. Securing data in someone else’s datacenter, without having any physical access to the underlying infrastructure, isn’t something they would eagerly do. But in the present times of digital transformation, the cloud is no longer optional.
Healthcare organizations need the flexibility and scalability of cloud applications and services. The more relevant question for the security teams therefore becomes, “Are we using the cloud securely?”
Here are seven practical tips for achieving flexible, scalable protection for your healthcare organization. You will not only get control and visibility, you’ll also know that your patients and data are safe from bad actors.
- Create a Cloud Strategy
Create a comprehensive cloud strategy for your healthcare organization that paves the way for cloud adoption by providing a clear perspective on the cloud and its role. Include inputs from a diverse range of stakeholders and participants. Include distinct objectives, benefits, risks, and key criteria for adoption and compliance. Ensure that the cloud strategy links directly to the business strategy.
Remember, this is not an implementation or migration plan. Look at your cloud strategy as a dynamic document. It will change as vendors change, the healthcare landscape changes, and organizational goals shift and develop.
- Define Cloud-Relevant Security Policies
The present on-premises privacy and security controls for your healthcare organization may not work in a public cloud environment. Misconfigured cloud security controls can open your cloud network to cyberattacks. According to Gartner, 99% of cloud security failures through 2025 will be the customer’s fault – not the public cloud provider’s.
To avoid this, get visibility into the current state of your on-premises and public/private cloud security policies. It would also help to understand your cloud service provider’s (CSP’s) security practices. Ensure your policies and procedures optimize the security and reliability of the architectures that are slated for deployment.
- Outline Clear Responsibilities With The CSP
Cloud security is a shared responsibility between the healthcare organization and your CSP. Defining clearly who will do what is not as simple as it may appear. Broadly, CSPs are responsible for securing the cloud environment, while you are responsible for protecting what’s in the cloud – including patient and medical data. You are also accountable for securing your staff and their behaviors, including compliance failures caused by their actions or inactions.
Division of specific responsibilities will depend on your chosen route to the cloud: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) or Software as a Service (SaaS). Regardless of the route you choose, work closely with your CSP to confirm who is responsible for which security elements. This should be an ongoing process as your hospital’s cloud usage changes or evolves.
- Step Up To Prevent Misconfiguration Errors
Misconfigurations are among the errors most commonly associated with cloud security incidents. Organizations with known misconfigured cloud services are said to have experienced 10 or more data loss incidents in a year, says an Oracle-KPMG report. You can deploy cloud configuration monitoring tools to identify misconfigurations. You can also use network traffic monitoring and user behavior analytics to identify anomalies, misconfigurations and associated issues.
Even though your CSP will guide you on configuration and controls, you must look out for a few things. Make sure the cloud’s hardware and software details are set up for interoperability and communication across your staff’s various locations. Ensure that your CSP’s configurations are compliant with various healthcare standards and government regulations.
- Create A Cloud-Specific Security Reference Architecture
You will need to create guidelines to safely place workloads in the cloud. Create a cloud-specific reference architecture that incorporates these components.
Access management: Define users who are authorized to operate in the cloud environment. This should include users, privileged users, patients, devices, applications, and provisioning access. Define clearly what they are allowed to do. Consider a Zero Trust Network approach to secure your remote staff.
Application security: Identify possible threats for all the applications in use. You can use a CASB (cloud access security broker) approach to secure SaaS, PaaS, IaaS and homegrown applications and the DevSecOps model to embed security into the application lifecycle.
Data security: To ensure secure storage and sharing of sensitive patient data, invest in tools that are compliant with industry regulations and apply encryption, if required. Use data loss prevention (DLP) controls along with the cloud provider’s key management services and private key management.
Data activity monitoring: Log and audit all data activity at a granular level to comply with your hospital’s security policies and applicable regulations.
- Take Charge of Compliance
Your CSP is responsible for its own regulatory compliance, but that does not cover your use of the cloud environment. You should not only assess your CSP’s security practices, but also develop and maintain additional controls that coincide with your security risk management framework.
This isn’t as terrifying as it may appear to be. A combination of the right technologies and tools, such as large libraries of prebuilt templates and DLP tools, can automate compliance specific to your region, government and industry regulations.
- Monitor Your Cloud Environment Regularly
Unlike a static data centre, the cloud is a rapidly changing environment. To track and monitor it, you will need the ability to observe behaviors at every level of your cloud infrastructure. Maintain visibility into the host, container, control plane and application layer. Evaluate each alert in its behavioral context to understand whether it is an anomaly or not. This will help combat alert fatigue and prioritize high-risk incidents with risk scoring.
To add a preventive dimension to your hospital’s cloud security, do a security posture assessment of users and non-human entities. This will help you identify incorrectly provisioned or over-provisioned high-risk privileges.
These seven steps will help you protect your hospital in the cloud. As you develop your strategy and define new policies, be sure to explore new technologies that will help you put these plans into action.
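The posture assessment of users and non-human entities described above can be sketched as a comparison of the high-risk privileges each principal is granted against the ones it actually exercised in a look-back window, with a risk score to prioritize the findings. This is an added example, not the author's or any vendor's code; the permission names, risk weights, principals and audit-log entries are constructed for illustration.

```python
from datetime import date

# Hypothetical permission names and risk weights (assumptions, not a real CSP's).
HIGH_RISK = {"records:export": 5, "records:delete": 5, "iam:manage": 8, "keys:decrypt": 8}

# Constructed sample data: privileges granted to users and non-human entities.
GRANTS = {
    "dr.rao": {"records:read", "records:write"},
    "billing-batch-svc": {"records:read", "records:export", "iam:manage"},
    "it.admin": {"iam:manage", "keys:decrypt", "records:delete"},
    "telehealth-app": {"records:read", "keys:decrypt"},
}
# Constructed audit-log entries: (day, principal, permission exercised).
AUDIT_LOG = [
    ("2021-03-02", "dr.rao", "records:read"),
    ("2021-03-03", "dr.rao", "records:write"),
    ("2021-03-03", "billing-batch-svc", "records:read"),
    ("2021-03-04", "billing-batch-svc", "records:export"),
    ("2020-09-15", "it.admin", "keys:decrypt"),  # older than the default window
    ("2021-03-05", "it.admin", "iam:manage"),
    ("2021-03-05", "telehealth-app", "records:read"),
    ("2021-03-05", "telehealth-app", "keys:decrypt"),
]

def assess(grants, audit_log, today, lookback_days=90):
    """Return [(principal, unused_high_risk_perms, score)], highest score first."""
    used = {}
    for day, principal, perm in audit_log:
        # Only activity inside the look-back window counts as "in use".
        if (today - date.fromisoformat(day)).days <= lookback_days:
            used.setdefault(principal, set()).add(perm)
    findings = []
    for principal, granted in grants.items():
        idle = granted - used.get(principal, set())
        unused = sorted(p for p in idle if p in HIGH_RISK)
        if unused:
            findings.append((principal, unused, sum(HIGH_RISK[p] for p in unused)))
    return sorted(findings, key=lambda f: (-f[2], f[0]))

if __name__ == "__main__":
    for principal, unused, score in assess(GRANTS, AUDIT_LOG, date(2021, 3, 31)):
        print(f"{principal}: unused high-risk {unused} (risk score {score})")
```

Principals with no finding are those whose high-risk grants were all exercised within the window; the window length changes the result, so choose it to match how infrequently legitimate privileged tasks run.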
This is an authored article by Surendra Singh, Senior Director & Country Manager, Forcepoint.