Cloud Security Myths Busted During Microsoft’s HIMSS Healthcare Security Forum
<< All Blogs

Date: November 20, 2017

Written by HITRUST Independent Security Journalist Sean Martin.

For many years, covered entities (CEs) and other healthcare providers, throughout North America and beyond, have had challenges thinking through and trying to figure out how to use the cloud to provide better care-related services. They knew they needed to do a better job reaching out to the community and connecting with patients far and wide, wherever they lived. There has been a lot of push-back on the cloud as a technology – the main myth being that it’s not secure. Other myths are that there are no safe options for using services and third-party providers that use the cloud … again, because the cloud is not secure. However, those days are over and the industry needs to get beyond the discomfort to use the cloud. Whether we like it or not, organizations must use the cloud if they are truly going to transform the care delivery model. The key is to work with service providers and cloud-enabled third-party vendors that have transparency in their security posture, such as those that are HITRUST certified.

Here are some compelling reasons to help make the case for the cloud:

  • It’s no longer a choice: Organizations from every industry and every size are using the cloud; it’s inevitable. In the healthcare space, organizations are using it to keep costs down for care delivery while also driving innovation and transformation. Oftentimes, the only way to cut costs, drive better care, and be innovative at the same time is to use the cloud.
  • Third-party business partners are in the cloud: The most innovative and valuable business partners and related service offerings are run in and from the cloud. Most organizations can’t build everything themselves and need to leverage partners in order to fill out the entire care delivery spectrum.
  • Cloud service providers can have top-notch security postures: With the right partners selected, organizations can oftentimes find their data and processes can be better protected than if they attempted to fulfill this need themselves. Of course, you need to make sure you understand what the cloud service providers need to do to prove to you that they are keeping your data and business processes safe – that they have the correct security posture relative to the patient care data – but with the right risk management framework and security management processes in place, this is routinely accomplished.

During the recent HIMSS Healthcare Security Forum, the HIMSS group held an exclusive CISO roundtable, PHI in the Cloud: Driving Sustainable Healthcare Transformation, where industry experts and healthcare leaders had a chance to explore and discuss hybrid-cloud computing strategies that help meet and exceed security, privacy and compliance requirements.

Leading off of the three key points noted above, Clifford Goldsmith, Managing Director for US Healthcare Providers at Microsoft lead the panel discussion with Shaung Liu, Chief Technology Officer at Teladoc, Hector Rodriguez, CISO Worldwide Health at Microsoft, and Michael Parisi, Vice President of Assurance Strategy and Community Development at HITRUST.

During the discussion, Microsoft spoke to the journey they took to build an environment that is secure, revealing how they only work with business partners that take the same level of posture seriously relative to what needs to be done to protect the data. It’s not like they are leaving these potential business partners in the dust, however, Microsoft has a view – and the resources – to be the stewards these organizations need to help them successfully move to cloud-enabled patient care.

HITRUST has a similar position to Microsoft in that they have built a control framework, the HITRUST CSF, which also has an integrated third-party assurance program and comprehensive risk management methodologies. The HITRUST CSF can be applied to the cloud in a similar fashion to how they are applied to an organization’s traditional on-premises infrastructure and data center. Parisi, along with the other panelists, provided some examples of organizations that have gone down the path of moving to the cloud and described some of the ways they could identify and manage the risk along the way. Parisi also emphasized the importance or working with cloud service providers and other business partners that have an appropriate level of third-party assurance in place. Having partners like Microsoft provides comfort over the entire security posture supporting secure, innovative patient care processes.

HITRUST remains committed to progressing, and is very interested in what can be done as a community, to help drive cloud adoption within the covered entity space and throughout their business associate ecosystem, looking at how the third-party partners are using the cloud and have some level of certification to make it real.

Telemedicine is Here! The Cloud Makes It Possible.

Teledoc provides virtual healthcare services: enabling patient care in remote locations across the country, locations that would have otherwise been limited locales that restrict the number of patients that could receive care. With Teledoc, patients located in remote locations now have access to great care as it is delivered via Teledoc’s virtual healthcare services. With Teledoc’s cloud-enabled service, patients can log on to Teledoc, select a specialist and talk to them in real time. The specialist can diagnose the situation, look through a camera to visually see what is happening, read the patient’s vital signs via connected devices, and even write a prescription. Also, through their own innovation – which is HITRUST certified – Teledoc can not only provide remote care, they can provide improved care delivery that did not exist years ago while protecting patient information. In order to do this, they needed to innovate and they needed to leverage the cloud. Of course, patient privacy and health record protection are a must, and therefore the cloud service providers they use must have a strong security posture, complete with proof of compliance. Therefore, Teledoc only works with a cloud service provider that is HITRUST certified, which is Microsoft in this case.

Of course, care delivery isn’t limited to just the doctor’s office and the specialist; there are many business associates involved in providing the care that patients require. Therefore, it is critical that the entire third-party partner ecosystem fit well within the risk profile required to deliver patient care, securely, and safely.

Better Care. More Care.

There is the human element to those providing care delivery that we must not forget as well. Care providers want to see more patients and still be able to go home to their own families at the end of the day. They want to make sure their patients are healthy, and they don’t want to be limited in their care delivery simply because of geography. Through Teledoc’s HITRUST-certified, cloud-enabled offering delivered via Microsoft’s cloud services, doctors can see more patients, connect with them more frequently, and provide better care all around – even if the patients are able to make it to their office. Equally important to all parties involved in delivering and receiving care, the end-to-end process is designed to protect the privacy of the patient in accordance with regulatory and industry guidelines.

<< All Blogs

Chat Now

This is where you can start a live chat with a member of our team