Healthcare's journey to cloud, powered by security
August 27, 2021
Many thanks to Darren Lacey, CISO & Director of IT Compliance, Johns Hopkins University, for his contributions to this blog.
For healthcare organizations, the cloud's advantages are clear, compelling, and numerous: increased agility, reduced infrastructure costs, an improved operating model, more balanced workloads, elastic resources, enhanced disaster recovery, more storage and, more significantly, the ability to put analytics to work on behalf of patients, researchers and the bottom line.
Cloud for Healthcare also provides powerful capabilities to manage health data at scale and at speed, while also making it easier for healthcare organizations to improve the patient experience, coordinate care and drive operational efficiency. But that's not where it ends. Additional benefits include improving security, compliance and interoperability of health data.
In addition, Cloud gives organizations an innovative platform to store sensitive data, along with the ability to minimize any downtime for their staff. In the case of a disaster or technology breakdown, the cloud option can provide multiple avenues to keep an organization up and running with almost no cutover time.
Cloud facilitates the development of applications and technologies such as electronic medical records, mobile apps, patient portals, IoT & IoMT and big data analytics. It provides agility, scalability and flexibility, which in turn improves patient outcomes and the entire decision-making process for the organization.
Cloud computing, which is the delivery of IT services over the internet, has become a must for businesses and governments seeking to accelerate innovation and collaboration. In the medical field, it aims to improve the quality, safety and efficiency of medical services, to better engage patients and family, and to enhance care and improve patient privacy.
According to Health IT Security, top cloud concerns in healthcare include data security, network reliability, and total cost of ownership. But let's focus on security here. A closer look reveals that while the perceived lack of security is sometimes seen as an impediment, or a mere cost factor, in reality it can be one of the most compelling reasons to move to cloud — and more healthcare organizations are starting to recognize this. In fact, Accenture research shows that up to 60% of healthcare CIOs and CISOs recognize the security benefits of the public cloud—and over 66% are in the process of shifting to cloud services.
We sat with Darren Lacey, CISO of Johns Hopkins University, and asked him to share his thoughts and long experience with moving many apps, data and workloads to the cloud:
To put this in perspective, cloud deployments echo many of the same issues we faced several years ago with virtualization. But keep in mind that the cloud, even software-as-a-service, is more flexible, scalable and agile—all good things, even for security. As with virtualization, abstracting applications and operations from the physical space of servers enables organizations to focus on the business and application problems at hand and less on traditional infrastructure. But you are trading one class of infrastructure for another, and while your new charge has fewer one-offs, it may be even more complex. Scaling for performance is much easier in the cloud, but now you must have a deeper understanding of crypto and session management.
The new concerns are more general, and apply across more platforms, but they are deeper and more subtle. In a sense, you are exchanging detailed knowledge of, say, the transmissions on late-era Fords for linear algebra. The latter is more generally applicable and abstract, but more challenging cognitively.
One of the challenges for infrastructure architects is converting their staff from 'mechanics to mathematicians.' How and where one specializes has only some resemblance to legacy security practice. While we still configure, update and monitor, the mechanisms have changed, and more importantly, so have the questions that we ask. In a world where assets can be stood up and torn down all in the same day, how does your monitoring group assess residual risk from ephemeral assets? How do you harden session keys across multiple resources and alert on service anomalies? These are all relatively new issues for most security groups, and just because your group has handled traditional security questions well means little in addressing a new world.
The cloud is a potential godsend for small IT shops, as you can focus higher on the stack and use standard tools furnished by the cloud software or infrastructure provider. Rapid migration to the cloud is one of our best hopes in healthcare for bringing smaller organizations to an acceptable level of cyber hygiene. But the cloud asks different things of us as systems administrators, developers and security specialists. Whether we are able to answer is itself an open question.
Despite all of the public cloud's advantages, the industry is still struggling to make traditional security practices work there: up to 96% of healthcare organizations say their traditional security policies and controls are slowing cloud adoption. One reason for this, we believe, is that traditional policies and controls fail to address the big picture: the desired security outcomes. The answer, in part, lies with CIOs needing a deeper understanding of how to embed a new, more collaborative and outcomes-based approach to data security.
Another factor, postulated in a whitepaper published by Information and Computer Security, is that some organizations fail to understand that security can't be 'lifted and shifted' to the cloud. Success requires a clear strategic intent, a nimble governance/compliance model, alignment across the IT organization and the rest of the business, and implementation in line with enterprise risk tolerance. Container technology, for example, is a packaging approach that healthcare organizations should understand as they move to cloud. While containers offer scalability and agility, if organizations attempt to use traditional container tooling while moving to cloud, security can suffer. As per the Cloud Security Alliance, these challenges can be overcome with technical and non-technical best practices, but the first step is to recognize their existence.
Here are nine possible proven strategies to accelerate the move to cloud while embedding robust security:
Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.