Public cloud-based platforms are not good locations for health care data, correct? While that may sound right, turns out it’s wrong. As we begin to study security issues in general, we’re finding that cloud-based data storage systems are perhaps more secure than traditional on-premise systems.
From both my personal experiences, as well as published analyst reports that are beginning to emerge, I believe this to be true. I suspect that many health care CIOs are reconsidering their position on placing data within public clouds, while many others will continue to be respectfully paranoid.
The data is arriving. According to Alert Logic’s Fall 2012 State of the Cloud Security Report, the variations in the threat activity are not as important as where the infrastructure is located. The report finds that anything that can be possibly accessed from outside, whether enterprise or cloud, has equal chances of being attacked because attacks are opportunistic in nature.
The report further finds that Web application-based attacks hit both service provider environments (53 percent of organizations) and on-premise environments (44 percent of organizations). However, on-premise environment users or customers actually suffer more incidents than those of service provider environments. On-premise environment users experience an average of 61.4 attacks while service provider environment customers averaged only with 27.8. On-premise environment users also suffered significantly more brute force attacks compared to their counterparts.
Clearly, there are myths out there that cloud computing is inherently less secure than traditional approaches. Those myths are prominent in the world of health care IT Consider the nature of the data, and the laws and regulations that typically surround that data. The paranoia is due largely to the fact that the approach itself feels insecure, with your data stored on servers and systems you don’t own or control.
However, control does not mean security. As we’ve discovered in this report, and in incidences over the last several years, it matters not where your data exists, but ways of access. This is the case for both cloud-based systems and traditional enterprise computing.
The path to security in the cloud is not much different than the path to security for internal systems. Why do many cloud-based systems seem to actually do better in these studies? Typically more planning and technology goes into securing public cloud-based systems due to the assumption that security will be an issue. Internal systems may not get the same amount of planning and resources, and thus they can actually be more vulnerable.
All things considered, those running healthcare IT shops, and looking to move to cloud computing, should follow a well-defined path.
First, understand your security and governance requirements for a specific system and/or data store. In the world of health care, this typically means considering auditing, compliance, and other policies to insure that your security approach lives up to the law, as well as best practices. Look at approaches to placing the data in tiers, from the lowest level of security to the highest level of security.
Second, understand that controlling access is much more important than the location of the data. Look at how the data is accessed, and look specifically at opportunities to breach. Again, most of the data breaches occur around finding vulnerability, no matter if it’s cloud-based or on-premise.
Finally, vulnerability testing is an absolute necessity. No matter if you’re testing the security of cloud-based or traditional systems. This goes well beyond security audits; it’s actual, physical testing, typically from an outside organization.
The use of cloud-based platforms to store health care data is something that seems unnatural for most of those who run IT shops in the health care vertical. However, the emerging data seems to pushback on this notion, albeit most health care organizations should approach cloud computing with a clear security plan. If they do that, all will be well with placing data in the cloud.
This column originally appeared at Health Data Management.