Moving to the cloud? 7 security questions to ask before you go

If your healthcare organization is migrating resources to the public cloud, you are probably looking to benefit from the cloud's flexibility, scalability and high-speed performance, all while reducing expenses.

However, when it comes to security in the cloud, keep in mind that you are not off the hook. All public Cloud Service Providers (CSPs) employ the Shared Responsibility Model, under which a significant portion of cloud security responsibility lies with the customer. The cloud provider generally is responsible for securing access to the physical servers and the virtualization layer, while your organization is left in charge of security for the hosted operating systems, the applications, and the data itself. Here are seven security issues you need to clarify so that you can safely migrate data, PHI, and other resources to the public cloud.

1. Who manages the encryption keys?

Encryption is key to security, both for data at rest and for data in motion. While most cloud providers ensure encryption of data at rest, the picture for data in motion is less defined and most often requires a third-party solution. Therefore, maintaining ownership over the end-to-end encryption is only possible if you control all the keys at all points.

Controlling the keys also limits exposure to malicious insider attacks that come from the CSP's employees or partners. As additional levels of "as a Service" live in the cloud, insider attacks are potentially more lethal. Since not all CSPs concur about who should control the keys, it is essential to clarify this issue before signing on the dotted line.

Related issues include determining whether the CSP provides the framework to leverage existing credentials and password policies. This may boil down to ensuring that you can import Active Directory or a similar system instead of recreating all users from scratch, which can greatly simplify any migration.

Also, check whether Security Assertion Markup Language (SAML) SSO capabilities are available for authentication. Speaking of authentication, since single-factor authentication is definitely not sufficient to protect your resources, ensure that multifactor authentication is supported, and if so, which flavors.

2. Does the CSP implement controls to segregate your PHI data from other customers?

The multi-tenant paradigm of cloud computing introduces a significant avenue of attack. For instance, if a multi-tenant cloud service database is not properly secured, a flaw in one client application could allow an attacker access to other tenants' data.

Additionally, check that the vendor is not using system-wide administrator accounts with "super admin" access to their entire cloud environment. Usage of such accounts should be minimal and must be monitored. Personal Health Information (PHI) should obviously

3. How can I tell if a CSP is HIPAA compliant?

The CSP should be able to validate that it has met the HIPAA compliance requirements as defined by the Office for Civil Rights (OCR) through an independent audit. In addition, the CSP should sign a Business Associate Agreement (BAA) ensuring that it will keep its side of HIPAA compliance.

However, HIPAA compliance does not automatically guarantee security. In addition to encrypting your data, ensure that you maintain ownership and control of your encryption keys. Strong encryption policies, such as at least AES-256 encryption, are crucial in public cloud deployments. Additionally, you may ask for HITRUST certification to ensure that the most rigorous federal, state, and industry standards are applied to protect your data.
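The key-ownership point made here and under question 1 can be shown with envelope encryption: each record is encrypted with its own AES-256 data key, and that data key is wrapped with a key-encryption key (KEK) that stays with the customer. This is an added example, not code from the article or from any CSP; the function names and the record format are assumptions made for illustration.

```javascript
// Added example: envelope encryption with a customer-held key (Node.js built-in crypto).
const nodeCrypto = require('crypto');

// AES-256-GCM; aad binds the ciphertext to a record identifier.
function seal(key, plaintext, aad) {
  const iv = nodeCrypto.randomBytes(12); // fresh 96-bit nonce for every encryption
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

function unseal(key, box, aad) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, box.iv);
  d.setAAD(aad);
  d.setAuthTag(box.tag);
  // final() throws when the key, ciphertext, tag or aad does not match
  return Buffer.concat([d.update(box.ct), d.final()]);
}

// Runs on the customer side. The KEK (key-encryption key) never leaves the customer.
function encryptForCloud(kek, recordId, plaintext) {
  const dek = nodeCrypto.randomBytes(32); // per-record 256-bit data key
  const aad = Buffer.from(recordId, 'utf8');
  const blob = {
    recordId,
    data: seal(dek, Buffer.from(plaintext, 'utf8'), aad),
    wrappedDek: seal(kek, dek, aad), // only the wrapped data key is uploaded
  };
  dek.fill(0);
  return blob;
}

function decryptFromCloud(kek, blob) {
  const aad = Buffer.from(blob.recordId, 'utf8');
  const dek = unseal(kek, blob.wrappedDek, aad);
  return unseal(dek, blob.data, aad).toString('utf8');
}

// Models a party that holds the stored blob but not the KEK (e.g. the provider).
function readableWithoutKek(blob) {
  try { decryptFromCloud(nodeCrypto.randomBytes(32), blob); return true; }
  catch (e) { return false; }
}

// Constructed sample record, not real data.
const demoKek = nodeCrypto.randomBytes(32);
const demoBlob = encryptForCloud(demoKek, 'rec-001', 'constructed sample record');
console.log(decryptFromCloud(demoKek, demoBlob), readableWithoutKek(demoBlob));
```

Because the record identifier is authenticated alongside the ciphertext, a stored blob that is modified or relabelled as a different record fails to decrypt instead of returning altered data.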

4. What level of Network Security does the CSP offer?

Network security includes a number of components, such as data encryption, firewalls and identity-based firewall rules, anti-virus detection and more. In the public cloud, isolation of the cloud servers can be obtained using private IP addressing and firewall rules. Data in motion between a private subnet in the cloud and a private subnet in another cloud or another location requires a secure connection. IPSec can be utilized to route and transport the IP packets with private IP addresses.
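Isolation through private IP addressing only holds if every inbound allow rule really is limited to private address space. The check below audits a rule set for that; it is an added example, not part of the original article, and the rule format and sample rules are constructed for illustration rather than taken from any provider's API.

```javascript
// Added example: flag inbound allow rules that break private-subnet isolation.
// The rule objects are a constructed format, not any provider's API schema.
const PRIVATE_RANGES = ['10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16']; // RFC 1918

// Parse "a.b.c.d/len" into the first and last address of the block (as Numbers).
function parseCidr(cidr) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?:\/(\d{1,2}))?$/.exec(cidr);
  if (!m) throw new Error('invalid CIDR: ' + cidr);
  const octets = m.slice(1, 5).map(Number);
  const len = m[5] === undefined ? 32 : Number(m[5]);
  if (octets.some(o => o > 255) || len > 32) throw new Error('invalid CIDR: ' + cidr);
  const base = octets.reduce((acc, o) => acc * 256 + o, 0);
  const size = 2 ** (32 - len);
  const start = Math.floor(base / size) * size; // clear host bits
  return { start, end: start + size - 1 };
}

// True only when the whole block sits inside one private range.
function isPrivate(cidr) {
  const r = parseCidr(cidr);
  return PRIVATE_RANGES.map(parseCidr).some(p => r.start >= p.start && r.end <= p.end);
}

function exposedRules(rules) {
  return rules.filter(r =>
    r.direction === 'inbound' && r.action === 'allow' && !isPrivate(r.source));
}

const SAMPLE_RULES = [ // constructed
  { id: 'db-from-app',   direction: 'inbound', action: 'allow', source: '10.0.1.0/24',    port: 5432 },
  { id: 'ssh-any',       direction: 'inbound', action: 'allow', source: '0.0.0.0/0',      port: 22 },
  { id: 'looks-private', direction: 'inbound', action: 'allow', source: '172.32.0.0/16',  port: 443 },
  { id: 'too-wide',      direction: 'inbound', action: 'allow', source: '192.168.0.0/15', port: 443 },
  { id: 'default-deny',  direction: 'inbound', action: 'deny',  source: '0.0.0.0/0',      port: 0 },
];

console.log(exposedRules(SAMPLE_RULES).map(r => r.id));
```

The two less obvious findings are 172.32.0.0/16, which lies just outside the 172.16.0.0/12 private range, and 192.168.0.0/15, whose prefix is short enough to spill into public address space.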

The network must be monitored constantly, and the monitoring system must generate alerts when suspicious events take place. When migrating healthcare data to the cloud, ensure that you understand the level of visibility you can expect and the type of event monitoring, routine security audits and alerts provided.

Furthermore, if you are currently utilizing a Security Information and Event Management (SIEM) system or you would like to incorporate a SIEM down the road, ensure that you will be able to integrate this into your cloud deployment.

5. We're not sure about the migration process and we'd like to start slowly - should we segregate our PHI from our corporate data?

Even though more and more organizations are adopting cloud computing, the highest growth is in hybrid clouds, which show a 50% growth rate. For healthcare organizations, hybrid offers the opportunity to move less sensitive data at first and then migrate other resources if the security measures are deemed satisfactory. Scaling gradually allows the organization to see if the cloud is actually saving costs. In addition, the healthcare provider can also leverage existing systems without requiring a large initial financial outlay.

6. What is the SLA for availability? What safeguards are present for disaster recovery?

Availability of your healthcare data is critical, and ideally the cloud, with its geographically distributed separate and redundant computing resources, can provide higher availability. Check to see that the CSP's locations fit with your business's requirements.

Four nines (99.99%) uptime means that your data could be unavailable for about 50 minutes per year. Investigate the compensation offered if the CSP does not meet its availability targets as defined in the SLA.

Another benefit of the cloud is how efficiently it can be used to deploy a disaster recovery solution. A CSP should be able to present its disaster recovery plan in case of security attacks, natural disasters and other events that affect systems containing PHI. SANless clustering is a new option, providing a relatively simple, highly cost-efficient disaster recovery solution. However, failures in cloud instances and outages in public cloud provider service do occur; therefore a careful examination of the SLA is critical.

7. Does the CSP provide APIs to automate tasks?

One of the advantages in moving to the cloud is its scalability - expanding or reducing usage dynamically, which often results in lower costs as you only pay for what you use. An additional benefit of cloud scalability is reducing IT admin tasks. However, only with sufficient automation will this be truly realized. APIs are commonly used for cloud provisioning, management, orchestration, and monitoring. You'll want to ensure that your CSP has APIs to launch and stop services, launch VMs (instances), configure security parameters and related settings, and so on.

During the migration, any tasks that can be automated will simplify the transfer of information. For example, if you are using RADIUS or Active Directory, a smooth import of these systems will quicken the uptake of identity-based authentication and authorization procedures.

We've discussed some of the critical security issues to consider when migrating PHI and other healthcare data to the public cloud. In addition, state regulations and other considerations will affect your decision. When choosing between cloud providers look carefully at their security offerings; you may have to supplement with third-party solutions if their native offering does not meet all your requirements.

Alon Maimoni is CMO of FortyCloud, which provides a HIPAA-compliant cloud security solution for healthcare organizations in the public and hybrid cloud environment.

The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.
