Healthcare Hot Seat: 3 Things to Remember About Cloud Compliance

Feb 11, 2019
5 minutes

The global healthcare cloud computing market is expected to grow to $35 billion by 2022. But not all cloud adoption is created equal. Some healthcare organizations are all in, running the bulk of production workloads in the cloud and even utilizing emerging cloud technologies, like containers and serverless. Other healthcare organizations are still in earlier stages, whether leveraging cloud-delivered infrastructure or only taking advantage of SaaS for more effective business collaboration. According to data published by HIMSS Analytics, the bulk of healthcare cloud use is to support clinical application and data hosting, data recovery and backup, and hosting of operational applications.

Irrespective of where your healthcare business falls on the maturity spectrum, there are benefits behind the steady implementation of cloud computing, including increased consumer interaction and information exchange, improved analytics and advanced data segmentation. But how can you be sure your data is secure?

Ultimately, the cloud represents a massive shift in security and compliance responsibility, where the piles of sensitive data being accessed and exchanged are essentially outside of your control.

Let’s zero in on compliance…

How can you meet compliance regulations and mandates if you don’t have control over the infrastructure and technology where your data is being stored?

The answer: a two-part recipe. First, you must have a keen understanding of the security Shared Responsibility Model to be clear on what your organization is responsible for versus what the cloud service provider will take care of on your behalf. Second, you must attain comprehensive visibility into your cloud deployments. HIPPA, HIPPA High-Tech and other privacy regulations can only be maintained through visibility. With these two pieces in place, you can demonstrate compliance and adherence to regulations.

The fact remains, though, compliance in the cloud is a bit tricky. Compliance requirements are not written to support public cloud infrastructure. And, so, there is an art behind interpreting some of the controls and properly mapping them to your security and compliance tools. For example, PCI requires certain types of infrastructure have antivirus, or some other specific technology implemented. Whereas, in cloud or serverless environments (e.g. SaaS), these controls simply do not apply. Similarly, encryption of data at rest – how do you apply the control if you don’t own the infrastructure? Ultimately, you must change the way you think about compliance in the cloud.


How Do You Achieve Cloud Compliance?  3 Things to Remember


1. Integrated, unified security is a must.

A colleague recently asked, “in a digital world, do firewalls still have a role?” This got me thinking. The short answer is: yes. Firewalls are a crucial piece – an enabler really – to adopting and scaling digital technology (e.g., cloud). They are the foundation of your security strategy to scale your business. If you are using firewalls to demonstrate HIPPA compliance, as an example, in your traditional infrastructure, you can use those same firewalls to take advantage of the same policies in the cloud and speak the same language to key stakeholders.

Firewalls are familiar technology in a foreign world. I like to think of them as a bridge between the traditional on-premises world and the cloud world. Firewalls allow you to use what you know, from a traditional infrastructure POV, to take advantage of unified policies, and enable unified security and compliance – for your data across your entire infrastructure. Virtualized firewalls present organizations with a great option and starting point.

2. You can’t secure what you can’t see. Get comprehensive visibility.

The cloud is highly dynamic and distributed. Visibility is of paramount importance to maintain continuous compliance, especially in an environment where you don’t control the infrastructure or technology. With the right API-based security tool in place, you can get visibility to monitor every API-connected cloud resource across multiple cloud environments in real time. As a result, eliminate blind spots, and quickly and confidently generate data and reporting, the next time an audit rolls around.

3. Opting out of cloud might feel right, but there are implications (hint: Shadow IT)

There are tons of unknowns in the cloud. However, besides the benefits and ROI that I highlighted earlier, there are tremendous implications that healthcare organizations may face if they opt not to adopt the cloud. The cloud is a connector, an enabler of collaboration, particularly SaaS applications.  Doctors want to use mobile and cloud applications – because they make their lives easier. So, if your business opts not to use the cloud, chances are your users and employees will still utilize these services. This creates a huge Shadow IT problem, where doctors are using unsanctioned applications, like social media apps or their personal cellphones, to exchange personal data and personal health information (PHI). The chances that this rogue Shadow IT usage will result in compliance concerns or violations is definite. Digital transformation is upon us. There really isn’t an option if you want to maintain compliance in the cloud.

Rather than opt out, allow the business to do a set number of things that create risk. If your business implements the proper CASB tool, you can achieve the right balance of visibility, control and prevention to ensure you’re enabling the business whilst staying compliant. Without controls, you are forced to rely on policy and education. And humans, as well-meaning as we are, make mistakes.  The only way to win in the age of digital warfare is to defend against the adversary with the same automated techniques they use. The cloud, software and automation must be countered with cloud, software and automation.


Subscribe to the Blog!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.