Healthcare cloud security and compliance — Status, outlook, and opportunities

Since the dawn of modern cloud computing over 15 years ago, I have seen healthcare sentiment about cloud and security shift 180 degrees from “cloud is not secure” in the early days to “how can we improve security with cloud?”

Increasingly, healthcare organizations worldwide, whether providers, payors, pharmaceutical companies, or life sciences firms, realize that security is difficult and that good security professionals are expensive and hard to find. They also realize that partnering with a cloud provider that has strong security, compliance, and privacy lets them reduce their security challenges and costs and focus more on healthcare. In this post, I will share some updates on this important topic. If you want to jump straight into tactics for getting started on security and compliance issues in your organization, take a look at our interactive e-book.

Security is the Top Criterion for Healthcare Selection of Cloud Vendor

Far from simply offloading security to the cloud provider, healthcare organizations continue to rank security as the top criterion when selecting a cloud, according to Frost & Sullivan, Healthcare Cloud Computing Outlook – Global 2016-2021.

Cloud Security is a Shared Responsibility

Effective security must be holistic and multi-layered (defense in depth), with attention to prevention, detection, and response and remediation. As such, security in the cloud is a shared responsibility between the healthcare organization and the cloud provider. As shown in the following diagram, even if we consider only the cloud part of the healthcare organization’s IT infrastructure, security is a shared responsibility. The dividing line between the security the cloud provider delivers and the security the healthcare organization is responsible for varies with the type of cloud service: the healthcare organization takes on the most responsibility with basic IaaS use, and the cloud vendor is responsible for the most security with SaaS use.

Effective security requires that every responsibility is fulfilled and none “falls through the cracks,” so it is critical that these responsibilities are understood and met, continuously over time. This can be a significant challenge as new threats emerge, whether breaches, ransomware, Distributed Denial of Service (DDoS), or others. More and more healthcare workloads are also moving to the cloud, increasing the sophistication of cloud use. Relatively new technologies, such as AI and machine learning (ML), the Internet of Things (IoT), and blockchain, are also continually changing the risk landscape.

Compliance with Shared Responsibilities

Compliance with shared responsibilities requires assigning controls and ensuring that all control requirements are met between the healthcare organization and the cloud provider. Microsoft is committed to being a partner in compliance with a wide portfolio of certifications covering regulations such as HIPAA, data protection laws including GDPR, security standards including ISO 27001, and security frameworks such as the HITRUST CSF. See the Microsoft Trust Center for the complete, industry-leading portfolio of compliance offerings. HITRUST compliance is increasingly sought by organizations that put information security and privacy front and center. Microsoft is proud to be associated with HITRUST, and that Microsoft Azure and Office 365 are the first hyperscale cloud services to receive certification for the HITRUST CSF.

Continuous Security

Compounding these challenges, effective security must be maintained continuously even as cloud threats, workloads, technologies, and the associated risk landscape change. Azure Security Center enables the healthcare organization’s security team to assess and maintain security continuously, to be alerted right away as new threats and vulnerabilities emerge, and to manage them through remediation. Similarly, Microsoft Compliance Manager enables assessment, tracking, identification of non-compliant items, and assignment of items for remediation, helping the healthcare organization’s security and compliance team achieve continuous compliance.

Outlook and Opportunities

To date, the healthcare industry has only just begun migrating to the cloud, which frees healthcare organizations from the burden of acquiring, maintaining, and securing server and storage infrastructure on premises. This in turn improves the agility of healthcare organizations and their ability to innovate, which is timely given the pressure to reduce healthcare costs, improve patient outcomes, engagement, and experiences, and improve the experiences of healthcare professionals. New technologies such as AI/ML, IoT, blockchain, and more can be rapidly prototyped, piloted, and adopted in the cloud using click-to-deploy and managed capabilities, enabling healthcare to realize benefits on a much shorter timeframe than would be possible without cloud.

The majority of healthcare IT workloads worldwide remain on premises, in data centers maintained by healthcare organizations. Several concerns are currently “log-jamming” (either gating or impeding) the migration of these workloads to the cloud, and security and compliance are at the top of the list. Microsoft, with leading security, compliance, and worldwide presence, a strong healthcare enterprise focus, and a thriving healthcare security and compliance partner ecosystem, is working with healthcare organizations to alleviate these concerns and break the log-jam, paving the way for increased adoption of cloud by healthcare worldwide and realization of the benefits to healthcare and patients.

Learn more

Interested in learning more about what you can do to drive security and compliance in healthcare? Explore our interactive e-book, 5 Tactics for Improving Security and Compliance in Healthcare.