More than ever, data security is top of mind for health leaders. According to Black Book Research, over 93% of healthcare organizations have experienced a data breach since mid-2016. The same research reveals that more than 300 million records have been stolen since 2015.
Health leaders are still skeptical about cloud security. A 2018 Datica survey of 175 hospital CIOs found the shift to the cloud is a priority, but the transition is happening slowly. The main concerns for these CIOs include compliance, security, and privacy—more than 50% cited “concerns about security as a primary worry when it comes to cloud migration.”
Our own 2019 survey of IT leaders revealed similar findings. Of those who have a cloud strategy in place, 74% evaluated security and compliance risks as part of the strategy. Of those planning to create a strategy, that number is even higher at 89%. (You can see the full survey results here.)
Though transformation has happened slowly, it is happening. The fact is, today’s cloud services can offer better security and privacy for health data and health systems compared to many on-premise solutions.
1. Cloud providers have greater technical expertise
Most healthcare organizations don’t have a robust team of cybersecurity experts to protect on-site data. Almost 80% of healthcare organizations find it difficult to recruit security staff, and without a security leader in place, 74% of organizations find it’s a serious challenge to maintain effective cybersecurity. On the other hand, many cloud platform providers like Amazon Web Services (AWS) follow a shared responsibility model, in which they share responsibility for security with the users of their services. This allows the organization to focus more on the security of its own applications instead of diverting its attention to the many security challenges associated with running a data center.
Moreover, cloud providers/solutions have highly trained security professionals who conduct penetration testing. Essentially, they try to hack their own systems to find vulnerabilities before the “bad guys” do. Many even go a step further and hire third parties to conduct additional penetration tests.
By moving elements to the cloud, organizations can layer the standards of cloud providers onto their own security and compliance strategy.
2. Cloud computing providers proactively monitor and address security threats
On-premise technology is mostly reactive to security threats and slow to address them—one healthcare cybersecurity professional said “Most organizations with an active cyberattack in their system don’t discover it for 18 months or longer.”
Cloud platform providers like AWS, Microsoft Azure, Google, and IBM proactively monitor for vulnerabilities 24/7/365—and they have the budget to respond to emerging and changing threats nearly instantly. This provides a solid foundation upon which to build cloud-first applications.
With cloud providers, security updates are continuous and easy. Moreover, applications that take a cloud-first approach and follow continuous delivery principles create environments that allow for rapid remediation of threats and discovered vulnerabilities. When the provider of your cloud solution needs to push a security update, it is applied automatically and doesn’t require complex updates to your on-premise IT infrastructure.
3. Cloud computing offers a centralized approach to storing and managing data
According to research in JAMA Internal Medicine, the top cause of PHI breaches is theft, followed by unauthorized access or disclosure. Human error is frequently the cause of data breaches, and security becomes more complicated when patient information is stored across users’ mobile devices, laptops, and departmental servers throughout the organization. It’s safe to assume devices will be lost, and with no centralized data storage you have no way to protect the information on these lost or stolen devices.
By using cloud solutions to store and manage data, you gain greater control over the devices that contain data. For example, if a physician loses their smartphone and is using Spok secure messaging, it’s possible to lock the device’s ability to access message content that may contain PHI. Be careful, though—many SaaS solutions don’t meet HIPAA requirements. It’s important to ensure your solutions are built for healthcare.
Properly configured cloud-native applications allow for a high degree of visibility around data classification. When coupled with the global reach of cloud providers such as AWS, the complexity around managing data residency requirements can be simplified.
4. The cloud has better redundancy
Cloud solutions can easily create copies of your data, a practice called redundancy. If your cloud service has any downtime or corruption, you have data backups of your mission-critical information. In the event of a disaster at your hospital, business recovery doesn’t depend on access to on-premise data storage and servers. When your data is in the cloud, you are much less likely to lose data or secured information.
If necessary, the cloud also has automatic failover to other, geographically separated centers in real time, resulting in 80% of businesses now expecting an uptime of 99.99% from their cloud service vendors. This level of uptime is nearly impossible to achieve with on-premise solutions.
A properly architected cloud solution can achieve greater redundancy than the majority of on-premises applications.
Keep clinical data and information secure—in the cloud
With the right cloud service provider, organizations find their data and processes are much better protected than with their own security—and require fewer internal dedicated staff. Moving to the cloud provides the flexibility and resources to address healthcare leaders’ most pressing challenges in today’s tremendously fluid environment.