# Cloud Native Security for the Healthcare Industry

By [Chris Tozzi](https://www.paloaltonetworks.com/blog/author/chris-tozzi/?ts=markdown "Posts by Chris Tozzi"), Mar 25, 2021, 8 minutes

[Cloud Computing](https://www.paloaltonetworks.com/blog/category/cloud-computing-2/?ts=markdown) [Cloud Workload Protection Platform](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-workload-protection-platform/?ts=markdown) [Cybersecurity](https://www.paloaltonetworks.com/blog/category/cybersecurity-2/?ts=markdown) [Data Security](https://www.paloaltonetworks.com/blog/category/data-security/?ts=markdown) [healthcare](https://www.paloaltonetworks.com/blog/tag/healthcare-2/?ts=markdown)

When you store or process any kind of data in the cloud, you face certain security risks that would not exist in an on-premises environment.
However, workloads that involve regulated healthcare data (known under the United States Health Insurance Portability and Accountability Act, or HIPAA, as Protected Health Information, or PHI) are especially sensitive, given the highly personal nature of healthcare information and the special compliance rules that govern it.

This article offers a primer on cloud native security for healthcare organizations, explaining what you need to know about cloud native architectures. It's **not** a comprehensive guide to cloud computing and HIPAA, but it offers a 101-level overview of the main security and compliance risks that healthcare organizations face when deploying cloud native workloads, as well as the architectural strategies that can help mitigate those risks.

## **Healthcare Data and the Cloud: Special Challenges**

Most major service providers have safeguards in place that allow healthcare data to be stored on or processed in the cloud without necessarily requiring separate or special hosting arrangements. However, remaining compliant with [HIPAA requirements](https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html) when using the cloud requires addressing certain challenges:

* **Third-party control**: When data is stored or processed in the cloud, the cloud service provider (CSP) that owns the cloud infrastructure could potentially access it. This makes the CSP a so-called business associate under HIPAA rules. A business associate is subject to the same rules as the healthcare organization itself, and the two companies must enter into a business associate agreement (BAA) that designates their respective responsibilities for PHI.
* **Physical access control**: HIPAA mandates that a healthcare organization must "limit physical access to its facilities." If it runs workloads in a public cloud, this means that it must ensure that the CSP takes proper measures to secure physical access to its infrastructure.
* **Audits**: Because HIPAA requires healthcare organizations to "implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems" that store healthcare data, they must ensure that they can fully audit workloads running in the cloud -- including any parts of those workloads that are controlled or managed by their CSP.
* **Data transmission**: HIPAA requires healthcare organizations to protect data while it is in transit. Because cloud architectures typically require data to pass through the public Internet, where the attack surface is greater than it is on a local network, stronger encryption measures may be necessary.

These HIPAA-related compliance and security requirements can certainly be managed, but they require some special consideration that would not be necessary if all healthcare data were stored and processed directly on an organization's own on-premises infrastructure.

## **Mitigating Risks to Healthcare Data in the Cloud**

Given the tremendous advantages of the cloud -- including its agility, reliability and cost -- many healthcare organizations today are less hesitant to run workloads in the cloud. Those that do so adopt strategies that help them take full advantage of cloud native computing while protecting sensitive data. Below is a list of common methods for minimizing the security and compliance risks associated with healthcare data in the cloud.

##### **Review the HIPAA-Compliance Status of Your CSP**

First and foremost, ensure that the cloud platform or platforms you use are designed to be HIPAA-compliant, which means (among other things) that their systems meet HIPAA requirements regarding auditing as well as physical and virtual access control. Finding HIPAA-friendly providers is easy because virtually all major CSPs design their services to be HIPAA-compliant, at least if you adhere to certain guidelines when using them.
That said, don't assume that because a CSP promises HIPAA compliance, you can upload your data and applications and consider all of your compliance requirements met. You must carefully [read the CSP's policies](https://www.paloaltonetworks.com/blog/prisma-cloud/pitfalls-shared-responsibility-cloud-security/?ts=markdown) to ensure that the cloud services you intend to use, and the workloads you intend to run on them, meet the CSP's requirements for PHI.

##### **Anonymize Cloud Data**

In general, anonymizing data by stripping it of personally identifiable information turns it into what HIPAA calls [de-identified data](https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html). This frees the healthcare organization from having to comply with most HIPAA rules when using the data. When possible, then, removing personal information like names and addresses from healthcare data that is stored or processed in the cloud can reduce your HIPAA compliance burden.

Keep in mind, however, that data you believe to have been anonymized [may still contain personally identifiable information](https://www.theguardian.com/technology/2019/jul/23/anonymised-data-never-be-anonymous-enough-study-finds). As a result, although de-identification can help reduce your compliance and security risks related to healthcare data in the cloud, you should never assume that it eliminates them entirely. It's a best practice to act as if all healthcare-related data in the cloud is subject to HIPAA requirements, even if you have anonymized it.

##### **Minimize Data Transmissions**

The more often data travels across a network, especially the public internet, the more frequently you have to ensure that proper access-control measures are in place. For that reason, a cloud architectural strategy that minimizes the frequency of data transmissions can help simplify HIPAA compliance.
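Returning to the de-identification strategy above: as an added example (not code from the article), the Python below applies the Safe Harbor pattern of dropping direct identifiers and generalizing dates and ZIP codes, then measures how many records remain unique on the generalized quasi-identifiers. That count is the concrete form of the warning that anonymized data may still identify someone. The field names, the fictional records and the `pre-<year>` bucket used for ages over 89 are constructed for this example.

```python
"""Safe Harbor-style de-identification plus a re-identification check.

Added example, not code from the article. Field names, records and the
representation of the over-89 age cap are constructed for illustration.
"""
from collections import Counter

# Direct identifiers the de-identified copy must not contain (constructed
# field names; the Safe Harbor list also covers device IDs, URLs, IP
# addresses, biometrics, photos and so on).
DIRECT_IDENTIFIERS = {"mrn", "name", "address", "phone", "email", "ssn"}

# Quasi-identifiers that survive only in generalized form. Individually
# harmless, in combination they can still single out one person.
QUASI_IDENTIFIERS = ("zip3", "birth_year", "sex")

SAFE_HARBOR_AGE_CAP = 89  # ages above 89 must collapse into one category


def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits of a ZIP code.

    Simplification: Safe Harbor also requires '000' for three-digit areas
    with 20,000 or fewer residents; the population lookup is omitted here.
    """
    digits = "".join(ch for ch in str(zip_code) if ch.isdigit())
    return digits[:3] if len(digits) >= 3 else "000"


def generalize_dob(dob: str, reference_year: int) -> str:
    """Reduce a YYYY-MM-DD date of birth to a year, collapsing ages over the
    cap into a single 'pre-<year>' bucket (constructed representation)."""
    year = int(dob[:4])
    if reference_year - year > SAFE_HARBOR_AGE_CAP:
        return "pre-%d" % (reference_year - SAFE_HARBOR_AGE_CAP)
    return str(year)


def deidentify(record: dict, reference_year: int = 2021) -> dict:
    """Return a copy with direct identifiers dropped and quasi-identifiers
    generalized; clinical fields such as the diagnosis code are kept."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    if "zip" in out:
        out["zip3"] = generalize_zip(out.pop("zip"))
    if "dob" in out:
        out["birth_year"] = generalize_dob(out.pop("dob"), reference_year)
    return out


def _combo(record: dict, keys) -> tuple:
    return tuple(record.get(k) for k in keys)


def k_anonymity(records, keys=QUASI_IDENTIFIERS) -> int:
    """Size of the smallest group sharing the same quasi-identifier values.
    k == 1 means at least one record is unique, and therefore linkable."""
    counts = Counter(_combo(r, keys) for r in records)
    return min(counts.values()) if counts else 0


def unique_records(records, keys=QUASI_IDENTIFIERS) -> list:
    """The records whose quasi-identifier combination occurs only once."""
    counts = Counter(_combo(r, keys) for r in records)
    return [r for r in records if counts[_combo(r, keys)] == 1]


# Constructed, fictional PHI rows.
SAMPLE_PHI = [
    {"mrn": "A100", "name": "Jane Doe", "dob": "1985-04-12", "zip": "02139",
     "sex": "F", "diagnosis": "J45"},
    {"mrn": "A101", "name": "Jan Roe", "dob": "1985-09-30", "zip": "02138",
     "sex": "F", "diagnosis": "E11"},
    {"mrn": "A102", "name": "Ann Poe", "dob": "1930-01-15", "zip": "02144",
     "sex": "F", "diagnosis": "I10"},
    {"mrn": "A103", "name": "Sam Lee", "dob": "1985-02-02", "zip": "02139",
     "sex": "M", "diagnosis": "J45"},
]

if __name__ == "__main__":
    deid = [deidentify(r) for r in SAMPLE_PHI]
    print("k-anonymity:", k_anonymity(deid))  # 1: still re-identifiable
    for r in unique_records(deid):
        print("unique on quasi-identifiers:", r)
```

On the four sample rows the output is k = 1: two records are still unique on (ZIP prefix, birth year, sex) even though every name, record number and full date is gone. That is the practical reason to keep treating de-identified cloud data as in scope for HIPAA controls, as the section above advises, rather than as data that has left the compliance boundary.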
For example, instead of spreading a workload across an on-premises environment and the public cloud, consider keeping the whole workload in one location so that data doesn't have to be exchanged between the two environments. Or, where you do need to transmit data over the network, consider caching it where possible so that you can avoid retransmitting data that already exists in the cache.

##### **Scan and Continuously Monitor Applications for Vulnerabilities**

As OWASP (a leading security group in the open source community) [points out](https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A3-Sensitive_Data_Exposure), encrypting data at rest and in transit is an incredibly important step, but it is **not enough on its own** to protect against unauthorized access. Attackers could take advantage of security flaws within applications that allow them to access the data in decrypted form while the application is processing it. For example, an application that doesn't properly validate its input could be subject to a SQL injection attack that reveals sensitive information.

This category of risk exists within the applications themselves, and from a cloud architectural standpoint you cannot mitigate it entirely. Instead, be sure to scan your application source code (if you can access it) for security vulnerabilities, and [monitor applications continuously](https://www.paloaltonetworks.com/blog/prisma-cloud/secure-cloud-native-api-microservices/?ts=markdown) for signs of a breach or attempted breach.

##### **Use Immutable Infrastructure**

Immutable infrastructure is a strategy wherein applications and infrastructure are never modified while running, but are instead fully replaced with a new instance whenever a change or update is required. Containers and serverless functions use this paradigm by default, but it can be applied to almost any type of workload or technology.
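As an added example (not code from the article) of the input-validation failure named in the vulnerability-scanning section above, the Python script below builds a constructed SQLite table of fictional patient rows and writes the same record lookup twice: once with the caller's string spliced into the SQL text (the defect a scanner should flag) and once with a bound parameter, plus an allow-list check on the identifier format as a second layer. The table, its columns and the record-number format are assumptions made for this example.

```python
"""SQL injection: the query-building defect and its fix.

Added example, not from the article. The table and rows are constructed and
fictional; the lookup is written twice, once with the input spliced into
the SQL text and once with a bound parameter, plus an allow-list check on
the identifier format as defense in depth.
"""
import re
import sqlite3

# Constructed format for a medical record number: one letter, three digits.
MRN_PATTERN = re.compile(r"[A-Z][0-9]{3}")


def build_demo_db() -> sqlite3.Connection:
    """In-memory SQLite database holding fictional patient rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE patients (mrn TEXT PRIMARY KEY, name TEXT, diagnosis TEXT)"
    )
    conn.executemany(
        "INSERT INTO patients VALUES (?, ?, ?)",
        [("A100", "Jane Doe", "J45"), ("A101", "Jan Roe", "E11"),
         ("A102", "Ann Poe", "I10")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, mrn: str) -> list:
    """The defect: the caller's string becomes part of the SQL text, so it
    can alter the WHERE clause instead of merely supplying a value."""
    sql = "SELECT mrn, diagnosis FROM patients WHERE mrn = '%s'" % mrn
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, mrn: str) -> list:
    """The fix: the value is bound separately, so the driver compares it as
    a literal string no matter which characters it contains."""
    return conn.execute(
        "SELECT mrn, diagnosis FROM patients WHERE mrn = ?", (mrn,)
    ).fetchall()


def is_valid_mrn(mrn: str) -> bool:
    """Allow-list validation of the identifier's shape. This is the input
    validation the article refers to; it complements, and does not replace,
    the parameterized query."""
    return MRN_PATTERN.fullmatch(mrn) is not None


def safe_lookup(conn: sqlite3.Connection, mrn: str) -> list:
    """Validate first, then query with a bound parameter."""
    if not is_valid_mrn(mrn):
        raise ValueError("malformed record number")
    return lookup_parameterized(conn, mrn)


if __name__ == "__main__":
    conn = build_demo_db()
    crafted = "' OR '1'='1"  # textbook tautology; inert against the fixed query
    print("vulnerable:", lookup_vulnerable(conn, crafted))        # every row
    print("parameterized:", lookup_parameterized(conn, crafted))  # []
    print("valid id?", is_valid_mrn(crafted))                     # False
```

Run as a script, the spliced query returns every patient's diagnosis for an input that is not a record number at all, while the parameterized query returns nothing and the allow-list rejects the input before any query runs. Encryption at rest would not have changed the first result, which is the OWASP point the section makes: the data is decrypted by the time the application handles it.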
In addition to being a general best practice and a safeguard against the risk that modifying a [running application](https://www.paloaltonetworks.com/blog/prisma-cloud/runtime-protection-prisma-cloud/?ts=markdown) or server creates an unknown security vulnerability, immutable infrastructure helps to decouple PHI from the infrastructure that hosts it. If your applications and servers are destroyed and replaced each time they are updated, your developers can't decide to store PHI inside those applications or servers. Instead, they'll be forced to store it in a centralized location, where securing and auditing it will likely be easier.

##### **Air Gap Sensitive Data**

Most healthcare organizations will need to retain PHI for a relatively long period of time. HIPAA itself doesn't impose a retention requirement on medical records (it does mandate retention periods for other types of data, mostly related to HIPAA compliance operations), but state governments do have [mandatory retention rules for healthcare records](https://www.healthit.gov/sites/default/files/appa7-1.pdf). If you choose to store this data in the cloud -- which you may if, for example, you wish to take advantage of the low cost of archival cloud storage services -- you can mitigate your security and compliance risks by "air gapping" the data.

In a general sense, air gapping means ensuring that the archived data is not connected to production environments and can be accessed only by using special tools or procedures. (In the narrowest sense, air-gapped data is data that is not connected to a network in any way, but that level of air-gapping is not possible in the cloud.)
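One way to check that an archive bucket actually states the air-gap controls this section describes, written as an added example that is not the article's code and not a Palo Alto Networks or AWS tool: the script below audits an S3 bucket policy document (the standard JSON policy format, constructed here) for a Deny on non-TLS requests, a Deny on uploads without KMS encryption, and Allow statements limited to a single retrieval role, so that no production application can read the archive. The bucket name, account ID and role names are placeholders, and the audit assumes the archive lives in its own bucket rather than alongside recent data.

```python
"""Audit of an archive bucket policy against the air-gap controls above.

Added example, not from the article and not a Palo Alto Networks or AWS
tool. The bucket name, account ID and role names are placeholders; the
policy documents are constructed in the standard S3 bucket-policy format.
"""

ARCHIVE_BUCKET = "arn:aws:s3:::example-phi-archive"                   # placeholder
ACCOUNT = "123456789012"                                               # placeholder
ARCHIVE_ROLE = f"arn:aws:iam::{ACCOUNT}:role/phi-archive-retrieval"    # placeholder
APP_ROLE = f"arn:aws:iam::{ACCOUNT}:role/patient-portal-app"           # placeholder

# Policy that matches the intent: TLS only, KMS-encrypted uploads only, and
# a single retrieval role rather than any production application.
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [ARCHIVE_BUCKET, ARCHIVE_BUCKET + "/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": ARCHIVE_BUCKET + "/*",
         "Condition": {"StringNotEquals": {
             "s3:x-amz-server-side-encryption": "aws:kms"}}},
        {"Sid": "ArchiveRoleOnly", "Effect": "Allow",
         "Principal": {"AWS": ARCHIVE_ROLE},
         "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
         "Resource": [ARCHIVE_BUCKET, ARCHIVE_BUCKET + "/*"]},
    ],
}

# Policy that quietly breaks the air gap: a production application can read
# the archive, and nothing forces encryption or TLS.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppReadsArchive", "Effect": "Allow",
         "Principal": {"AWS": APP_ROLE}, "Action": "s3:GetObject",
         "Resource": ARCHIVE_BUCKET + "/*"},
        {"Sid": "ArchiveRole", "Effect": "Allow",
         "Principal": {"AWS": ARCHIVE_ROLE},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": ARCHIVE_BUCKET + "/*"},
    ],
}


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def _principals(principal) -> list:
    """Flatten the Principal element ('*', a string, or {'AWS': [...]})."""
    if principal is None:
        return []
    if isinstance(principal, dict):
        return [p for v in principal.values() for p in _as_list(v)]
    return _as_list(principal)


def audit_archive_policy(policy: dict, allowed_principals: set) -> list:
    """Return a list of findings; an empty list means the policy states all
    three controls. Bucket settings that live outside the policy document
    (default encryption, Block Public Access, Object Lock) are not visible
    here and need their own checks."""
    findings = []
    tls_deny = encryption_deny = False
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        actions = set(_as_list(stmt.get("Action", [])))
        cond = stmt.get("Condition", {})
        if stmt.get("Effect") == "Deny":
            if cond.get("Bool", {}).get("aws:SecureTransport") == "false":
                tls_deny = True
            sse = cond.get("StringNotEquals", {}).get(
                "s3:x-amz-server-side-encryption")
            if actions & {"s3:PutObject", "s3:*"} and sse == "aws:kms":
                encryption_deny = True
        elif stmt.get("Effect") == "Allow":
            for p in _principals(stmt.get("Principal")):
                if p == "*":
                    findings.append(f"{sid}: grants access to any principal")
                elif p not in allowed_principals:
                    findings.append(
                        f"{sid}: grants access to non-archive principal {p}")
    if not tls_deny:
        findings.append(
            "no Deny on aws:SecureTransport=false: plaintext transport allowed")
    if not encryption_deny:
        findings.append(
            "no Deny on uploads lacking s3:x-amz-server-side-encryption=aws:kms")
    return findings


if __name__ == "__main__":
    for name, policy in (("good", GOOD_POLICY), ("weak", WEAK_POLICY)):
        print(name, audit_archive_policy(policy, {ARCHIVE_ROLE}) or ["OK"])
```

The weak policy produces three findings: the portal application role can read the archive, there is no TLS-only Deny, and there is no encryption Deny. The good policy produces none. Because a bucket policy is only one of several places access can be granted (IAM policies on the roles themselves, access points and bucket ACLs are others), a check like this belongs alongside, not instead of, the CSP's own configuration audit tooling.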
If you use the cloud to archive PHI, then, you should ensure that the [storage buckets](https://www.paloaltonetworks.com/blog/prisma-cloud/guide-protect-aws-s3/?ts=markdown) you use to hold it are fully encrypted, that no applications have access to the archival data, and that the archival data is not mixed in with more recent data. These strategies don't guarantee that unauthorized users can't access the data, but they will help provide a high level of protection for data that is stored in the cloud for a long period.

## **Conclusion**

Despite the security and compliance challenges related to healthcare workloads in the cloud, the risks can be effectively managed through the right cloud architectural strategies. Meeting those challenges is well worth the effort in order to take advantage of the benefits that cloud native architectures offer.

For more information on the cloud and workload security concepts discussed above, check out a few of our other blogs:

* [A Step-by-Step Guide to Secure and Protect AWS S3 Buckets](https://www.paloaltonetworks.com/blog/prisma-cloud/guide-protect-aws-s3/?ts=markdown)
* [Avoiding the Pitfalls of the Shared Responsibility Model for Cloud Security](https://www.paloaltonetworks.com/blog/prisma-cloud/pitfalls-shared-responsibility-cloud-security/?ts=markdown)
* [Intelligently Managing Risk: Multicloud Infrastructure Security](https://www.paloaltonetworks.com/blog/prisma-cloud/multicloud-infrastructure-security/?ts=markdown)