Protecting Healthcare Data in the Cloud

Healthcare data is among the most sensitive and personal information that individuals entrust to healthcare providers.

PCQ Bureau

Healthcare data is among the most sensitive and personal information that individuals entrust to healthcare providers. With the advent of cloud computing, it has become easier for healthcare organizations to store and manage their data in a more efficient manner.

As the global healthcare industry transitions to consumer-centric care delivery models, Cloud technologies and platforms are helping organizations adapt to the explosion of data from consumer devices, wearables, IoMT, and clinical trials. In recent years, there has been broad acceptance and adoption of hyperscalers like AWS, Azure, Salesforce, and Google Cloud.

The shift to Cloud technologies also brings a significant shift in how patient data is stored and managed across distributed public cloud, multi-cloud, and hybrid cloud environments. Some of these platforms also offer healthcare-focused APIs to accelerate integration with enterprise healthcare applications and other sources of patient data. Given the shared responsibility operating model of Cloud Service Providers, migrating to the Cloud poses real challenges in terms of governance and in managing the risk triad of cybersecurity, regulatory compliance, and consent management.

  • Cybersecurity: There has been a sharp spike in cyber-attacks (malware, ransomware, data theft, DDoS attacks, etc.) in recent years. Public Cloud infrastructure, connecting to thousands of applications and IoT devices, gives attackers multiple opportunities to penetrate, compared to on-premises systems behind a firewall. Cyber threats must be cohesively addressed across four key dimensions:
      • Security infrastructure: Organizations need to implement best-in-class cybersecurity tools and frameworks that address vulnerabilities in the underlying infrastructure and prevent malicious attacks. This includes encryption, multi-factor authentication, intrusion detection & prevention, security information and event management (SIEM), IoT security, disaster recovery systems, etc.
      • Data Security: For any patient data that is being shared or processed, data segregation, encryption, data minimization & deidentification will help reduce the risk of the data being compromised.
      • Access & Authorization Management: Strong Identity Access Management systems ensure that patient data – PHI (Protected Health Information) and PII (Personally Identifiable Information) – is not shared with parties that do not have the necessary authorization. Emerging concepts such as Zero Trust Network Access (ZTNA) provide even stronger access controls.
      • Physical Security: Access to patient information, either in person or through remote connected devices, may lead to patient data theft and data loss risks. Healthcare organizations must implement strong physical security and access control measures, with clearly defined protocols around PHI and PII. Restricting physical access to connected devices also minimizes the risk of unauthorized access.
  • Regulatory Compliance: Consumer data protection has become a sensitive issue across multiple industries, with regulators also getting into the act. A large proportion of Cloud-based platforms are already compliant with security norms under HIPAA, GDPR, PCI, and SOC2. However, it is imperative for healthcare organizations to put in additional layers of security, for example, implementing strong information security standards such as ISO 27001 and ISO 27701. These organizations also need to put in mechanisms and Cloud vendor arrangements to abide by data residency laws pertaining to their geography.
  • Consent Management: Consent management has been a highly sensitive topic over the years, and will continue to evolve as we move towards a cookie-less future. Streamlining and optimizing consent management is far more critical in healthcare, compared to other industries, simply because of the role that patient data plays in clinical outcomes. This is amplified further because of the sheer volume and variety of patient data received through IoT and consumer devices that are connected through the Cloud. The challenge for healthcare organizations is to collect, identify, aggregate, and comprehend the various types of consent that a patient would have provided across the continuum of care. Therefore, handling patient consent becomes a complex and dynamic task, requiring specialized consent management systems that can handle patient data.
In conclusion, while the shift to Cloud is a strategic imperative for healthcare organizations, the need to safeguard healthcare data in Cloud environments will be a key success factor for their digital transformation initiatives. Healthcare CIOs, CISOs, and patient data custodians will need to stay on top of emerging cyber security challenges and architect a robust, enterprise-scale Cloud security framework that withstands today’s challenges and evolves continually to address data access, regulatory, and consent management needs of the future.

Punam Shejale

Author: Punam Shejale, SVP & Head – Process Excellence, CitiusTech
