Healthcare organizations are turning to cloud computing in greater numbers – and for good reason. Healthcare is facing unprecedented pressures to streamline operations and slash costs while also experiencing increased regulatory scrutiny. Under such pressures, cloud computing – especially public cloud – provides a way to potentially meet these objectives while also improving the security of their IT infrastructure. Security improvements are always relative, of course, to an organization’s ability to execute. But organizations with significant resource constraints and no dedicated security expertise on staff have a better chance of improving security in the cloud than by managing their own on-premises systems. This is especially true for many healthcare organizations.
In a recent talk at a DevOps Connect event, Where Bits and Bytes Meets Flesh and Blood – DevOps, Cybersecurity and IoT, Josh Corman stated that 75 percent of healthcare organizations have no dedicated security staff. If this is the case, there’s no way these organizations can ever hope to maintain the security of complex IT systems.
Perhaps this is why healthcare is outpacing many, if not most, other vertical market segments in cloud adoption. Healthcare organizations are moving to the cloud to help reduce IT complexity and costs. According to the recent report Global Healthcare Cloud Computing Market 2017-2021, the global healthcare cloud computing market is expected to grow at a compound annual rate of just over 21% between now and 2021.
Few would argue that cloud services don’t provide improved flexibility for most organizations, along with the ability to manage these systems more easily. And it’s that increased agility that is driving most organizations to cloud. According to a recent DevOps.com survey, Security at the Speed of DevOps, about a quarter of the 240 respondents were already running all of their business in the public cloud, and another 25% expected to move more of their computing resources to public cloud. However, as I interviewed users for the report, I found that many small and mid-sized enterprises (not healthcare-specific but certainly inclusive of healthcare) said they were struggling to find people with the necessary skillsets as well as the security toolsets to secure their cloud systems and manage them using on-premises security.
And it’s even more of a challenge for healthcare organizations when security isn’t centrally managed by anyone, but instead is managed by the CIOs, operations, development and remote office teams.
Being tight on staff and resources is certainly a reason for rising data breaches and system availability problems – but it’s not an acceptable excuse. This is especially true for healthcare providers. Recent guidance from the Department of Health and Human Services Office for Civil Rights made clear that healthcare providers and business associates are the ones responsible for making certain that their cloud environments and cloud service providers are secure and compliant with security and privacy mandates.
There’s no one way for healthcare providers to succeed at managing and securing cloud environments, but there are certainly tactics that don’t work: the ones too many businesses have focused on for too long, namely ad-hoc security and reviews, attempting to secure systems based on checklists, and building “security” programs that focus on compliance rather than mitigating real risks. The good news here is that cloud can help simplify these efforts through automation and continuous monitoring, both for new systems that may arise and for systems that fall out of compliance with regulatory and security policies or otherwise become vulnerable.
This is good advice for all enterprises, as cloud systems exist in a constant state of flux and updating, where misconfigurations and vulnerabilities can creep in at any time. But leveraging automation is especially beneficial for any enterprise with tight limits on resources.