Written by HITRUST Independent Security Journalist Sean Martin.
Cloud computing can make your organization more cost-effective, more nimble and more capable. Thanks to the cloud, you can create and use new computing resources incredibly fast, and without having to purchase expensive hardware, allocate floor space in a data center (or overstuffed equipment closet), or even pay for extra power and cooling.
A challenge is that the phrase “cloud computing” doesn’t describe any single technology, product or service. There are literally dozens of different models for cloud computing, all of which can benefit healthcare organizations large and small. Some are as complex as virtual machines hosted by Amazon Web Services, and others are simple and straight-forward, such as cloud-based data center monitoring systems or off-site data backup/disaster recovery providers. Many of these come with four-letter acronyms like “Infrastructure as a Service” (IaaS) or “Billing-as-a-Service” (BaaS).
For our purposes here, we shall crudely divide cloud services into two big categories, and examine the good, the bad, and the scary for each.
Cloud-based virtual servers, storage and computation services where you migrate your existing physical servers into the cloud.
For all intents and purposes, you can consider these to be an extension of your own data center, except located off-site. Amazon Web Services, Microsoft Azure and Google Cloud Platform are examples of this type of cloud computing. In this model, you “rent” the virtual machines, load your software onto those virtual machines, and manage them like they are your own servers. Some of these providers are referred to as “Platform-as-a-Service” (PaaS) and “Infrastructure-as-a-Service” (IaaS).
What’s good? The benefit is that you only need to “rent” what you need; when you need more capacity, you click on the “add more servers” button (metaphorically speaking), and when you don’t need it, you click on the “release some servers” button. You can also have a hybrid strategy, where you migrate some of your servers to the cloud, and keep others on-site in your data center. Also unless you have a very robust internal data center with redundant power and communications, hosted virtual servers are often more reliable – less likely to go down. Migrating to virtual servers is relatively straightforward; it’s like bringing up a new server in your data center, except that it’s off-site. IT staff love virtual servers.
What’s bad? Not much! That’s why cloud computing is so appealing. However, it’s important to realize that in this model, it’s up to you to manage nearly everything about the virtual servers, storage and compute capacity you have “rented” in the cloud. The hosting provider’s job is to maintain general availability of the compute resource, in that the virtual server exists and you can connect to it. The rest is up to you.
What’s scary? In this model of cloud computing, security is your responsibility. It’s up to you to maintain network firewalls and intrusion protection systems, patch and update operating systems, apply security fixes, update access control lists, and verify that everything is working correctly. Otherwise, you could suffer a breach – and might not even know it.
What’s important: The HITRUST CSF Assurance Program can help organizations with the compliance assessments in the use of these types of cloud services. That includes HIPAA reporting, risk management oversight, and assessment methodology designed for the many unique needs of the healthcare industry. Some of the cloud hosting companies and service providers are HITRUST CSF Certified – and this should address many of your security concerns.
Everything else, which includes software that you sign up and use online – this includes “hosted” applications and so-called “multi-tenant” applications like Salesforce.com.
This might include cloud-based billing packages, patient record management, human resources, facilities management, end-user security, telephony/voicemail/email, data backup, inventory management, accounting, equipment maintenance scheduling, and so-on. Here, you would be replacing your own in-house software (and servers) with the service provider’s software. Often, many customers use the exact same software, but of course their data is kept isolated from other customers; those platforms are called “multi-tenant,” because they are like apartment buildings.
The good: The benefit here is that you don’t need to license software, manage your own servers, or hire programmers to write the software. You also generally pay a per-user charge, but in some cases you can negotiate broader site licenses. Because the cloud software provider is focused on the needs of many customers, new features are added often – and you can often benefit from those new features early, if you want to join a beta program. Cloud providers are increasingly good at providing lots of ways of accessing their applications, including through mobile apps. Also, the service provider takes responsibility for the security of the cloud application; your only job is to protect your user passwords. (Be sure to ask about this.)
The bad: You need to migrate from using your familiar applications running your own servers to the cloud-based applications, which can be time-consuming and, well, tricky. It’s just like moving from any application to another. Fortunately, consultants can often help, though that adds cost. It also means that you are usually using the same software as everyone else in your industry, which is good because it can be full featured, but it can be difficult (or impossible) to customize for your specific requirements. Some cloud systems, like Salesforce.com, can be extensively customized. Others are more challenging.
The scary: Once your data gets into the cloud application, it’s in the cloud – not your data center. That means that in the event of a breach of the cloud provider’s security, you are dependent on them to notify you. Also, because you are running their application, it may be hard to backup your data; be sure to ask about that, and if possible, arrange of a way of exporting your data to a secure facility that you control (some organizations “rent” cloud storage from a second provider to use for backups). Also, there’s a real possibility of vendor lock-in: As in the Hotel California, you can check out any time you want, but you may never be able to leave, due to an inability to get your data out. For that reason, if you are using a small, niche cloud provider, make sure there are contingency plans in case they go out of business, or discontinue the services that you use.
What’s important: While it’s generally up to the multi-tenant service provider to handle security, it is imperative that you have the assurance that their services are secured to the specific governance requirements of the healthcare industry. Some multi-tenant service providers are HITRUST CSF Certified. Choosing such a vendor will help you manage third-party risk.