Health Information Exchange Featured Article

August 10, 2012

Healthcare Cloud Computing Becoming More Popular but Be Careful, Warns Expert

For a while now, healthcare organizations have avoided the cloud, worried, with good cause, about its security risks.

But more and more are considering it, in a careful, cautious way. And when they do, according to Gerry Grealish, PerspecSys vice president, marketing and products, healthcare facilities must be mindful of the distinction between public and private clouds.

“Public clouds are hosted by third parties like Amazon, Oracle and Box, who handle the cost and maintenance of the cloud’s hardware and software. Customers ‘rent’ access to these services as they need them for computing power or for access to specific SaaS applications,” he said in an interview.

But because these public cloud providers are accessed by multiple “tenant” customers via the Internet and they provide shared services on the same server(s), “Data hosted there is typically no longer under the control of the organization to which it belongs. This can cause concern for regulated industries such as healthcare, given the sensitive nature of patient data,” he said.

Now, private clouds may be a little safer. They’re hosted inside an organization (or in a dedicated managed environment hosted by an Infrastructure as a service (IaaS) provider). “The organization has dedicated control of the servers, storage and software at all times. You may also hear the term Hybrid Cloud – this would be a cloud environment that has some elements that are private and some that are ‘public,’” Grealish explained.

But private clouds aren’t always fail-safe. “When considering a private cloud that needs to be hosted and maintained on-premise, businesses still own the associated datacenter space and associated equipment – so they have a fixed, up-front investment. Capacity is limited by the amount they put toward this investment, so it is not truly elastic.

“On the people side of the equation, running large, high-availability systems and infrastructure requires a talented, well trained staff. Given this, some organizations simply can’t afford to host a private cloud, so they need to look into public cloud alternatives. Today, many healthcare organizations are struggling with the move to public clouds, with people in the operational areas excited about taking advantage of the benefits of public cloud applications (cost, functionality), but professionals in privacy, compliance and security remain concerned about exposing sensitive data outside of the organization’s firewall,” Grealish noted.

Given the sensitive nature of healthcare data, organizations really need to be extremely careful if they decide to send information to the public cloud, making absolutely sure that personally identifiable information (PII) is “totally non-decipherable and unreadable,” Grealish said. Even more important, they must carefully investigate claims made by cloud providers about HIPAA compliance or other security credentials.

Don’t assume you’re dealing with a company which knows the details of the industry regulations, let alone those of a specific geographic region, or the specific policies of a hospital group. Should data become compromised, they are not liable in most cases (read the fine print in the SLAs!).

The good news, Grealish noted, is that there are solutions that allow organizations to keep sensitive data on-premise – behind their firewalls and in their complete control – even when using public cloud applications, and healthcare organizations should be actively considering them.

“When evaluating these solutions, make sure the providers give you the option of using tokenization capabilities as well as strong encryption to protect data that is being sent to the cloud. For encryption in particular, a recent report from the National Institute of Standards and Technology (NIST) recommends that FIPS 140-2 compliant encryption be employed to protect sensitive information.”

NIST is an organization that sets data security standards, among other things, for U.S. Federal agencies and those companies that get access to federal data.

Grealish suggests some questions that organizations should ask before switching over to cloud computing.

  • What sensitive data needs to remain private and protected?
  • What level of protection is required?
  • Who needs access to the data?
  • What laws and jurisdictional rules govern information, and are they likely to change over time?

“The unfortunate truth is that, while organizations using the public cloud may think that no one would want to access their specific data in the cloud, large, multi-tenant clouds are one of the prime targets for hackers, given the breadth of data that may be hosted there,” Grealish revealed. “This is why Gartner predicted last year that cloud providers of all kinds will become top targets for hackers from all over the world. So, in the event of a cloud breach, healthcare organizations need to make sure that their sensitive data still can’t be accessed/viewed in a readable form.”
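The tokenization approach Grealish describes, and the breach scenario above, as an added illustration that is not part of the original article or any PerspecSys product: sensitive fields are swapped for random tokens before a record leaves the premises, the token-to-value mapping stays in an on-premise vault, and a cloud-side copy of the record therefore contains nothing readable. The field names, the sample patient record and the `TokenVault` class are constructed for this example; a production gateway would additionally encrypt the vault with a FIPS 140-2 validated module, which is not shown here.

```python
import secrets

# Fields of a patient record that must never leave the premises in clear form
# (constructed list for this example; a real deployment takes this from policy).
SENSITIVE_FIELDS = ("patient_name", "ssn", "dob")


class TokenVault:
    """On-premise vault mapping random tokens back to original values.
    Only the tokens travel to the public cloud application."""

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenize(self, field, value):
        key = (field, value)
        # Reuse the token for a repeated value so the cloud app can still
        # match and search records without ever seeing the data itself.
        if key not in self._value_to_token:
            token = "tok_" + secrets.token_hex(8)  # random, not derived from value
            self._value_to_token[key] = token
            self._token_to_value[token] = value
        return self._value_to_token[key]

    def detokenize(self, token):
        return self._token_to_value[token]


def to_cloud(record, vault, fields=SENSITIVE_FIELDS):
    """Return a copy of the record that is safe to send to a public cloud app."""
    return {k: (vault.tokenize(k, v) if k in fields else v) for k, v in record.items()}


def from_cloud(record, vault, fields=SENSITIVE_FIELDS):
    """Restore the original record once it is back behind the firewall."""
    return {k: (vault.detokenize(v) if k in fields else v) for k, v in record.items()}


def leaks_pii(cloud_record, original, fields=SENSITIVE_FIELDS):
    """Model a cloud-side breach: does any protected value appear in the clear?"""
    exposed = " ".join(str(v) for v in cloud_record.values())
    return any(str(original[f]) in exposed for f in fields)


# Constructed sample record with fictional data.
PATIENT = {"patient_name": "Jane Doe", "ssn": "123-45-6789",
           "dob": "1970-01-01", "visit_reason": "annual physical"}

if __name__ == "__main__":
    vault = TokenVault()
    cloud_copy = to_cloud(PATIENT, vault)
    print(cloud_copy)                      # tokens in place of name, SSN, DOB
    assert from_cloud(cloud_copy, vault) == PATIENT
    assert not leaks_pii(cloud_copy, PATIENT)
```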

Edited by Rich Steeves