Many thanks to Darren Lacey, CISO & Director of IT Compliance, Johns Hopkins University for his contributions to this blog.

For healthcare organizations, the cloud's advantages are clear, compelling, and numerous: increased agility, reduced infrastructure costs, an improved operating model, more balanced workloads, elastic resources, enhanced disaster recovery, more storage and, more significantly, the ability to put analytics to work on behalf of patients, researchers and the bottom line.

Cloud for Healthcare also provides powerful capabilities to manage health data at scale and at speed, while also making it easier for healthcare organizations to improve the patient experience, coordinate care and drive operational efficiency. But that's not where it ends. Additional benefits include improving security, compliance and interoperability of health data.

In addition, Cloud gives organizations an innovative platform to store sensitive data, along with the ability to minimize any downtime for their staff. In the case of a disaster or technology breakdown, the cloud option can provide multiple avenues to keep an organization up and running with almost no cutover time.

Cloud frees healthcare to innovate

Cloud facilitates the development of applications and technologies such as electronic medical records, mobile apps, patient portals, IoT & IoMT and big data analytics. It provides agility, scalability and flexibility, which in turn improves patient outcomes and the entire decision-making process for the organization.

Why security matters

Cloud computing, which is the delivery of IT services over the internet, has become a must for businesses and governments seeking to accelerate innovation and collaboration. In the medical field, it aims to improve the quality, safety and efficiency of medical services, and to better-engage patients and family, enhance care and improve patient privacy.

According to Health IT Security, top cloud concerns in healthcare include data security, network reliability, and total cost of ownership. But let's focus on security here; A closer look reveals that while the perceived lack of security is sometimes seen as an impediment, or a mere cost factor, in reality it can be one of the most compelling reasons to move to cloud — and more healthcare organizations are starting to recognize this. In fact, Accenture research shows that up to 60% of healthcare CIOs and CISOs recognize the security benefits of the public cloud—and over 66% are in the process of shifting to cloud services.

For more perspective... 

We sat with Darren Lacey, CISO of Johns Hopkins University, and asked him to share his thoughts and long experience with moving many apps, data and workloads to the cloud:

To put this in perspective, cloud deployments echo many of the same issues we faced several years ago with virtualization. But keep in mind that the cloud, even software-as-a-service, is more flexible, scalable and agile—all good things, even for security. As with virtualization, abstracting applications and operations from the physical space of servers enables organizations to focus on the business and application problems at hand and less on traditional infrastructure. But you are trading one class of infrastructure for another, and while your new charge has fewer one-offs, it may be even more complex. Scaling for performance is much easier in the cloud, but now you must have a deeper understanding of crypto and session management.

The new concerns are more general, and apply across more platforms, but they are deeper and more subtle. In a sense, you are exchanging detailed knowledge of, say, the transmissions on late-era Fords for linear algebra. The latter is more generally applicable and abstract, but more challenging cognitively.

One of the challenges for infrastructure architects is converting their staff from 'mechanics to mathematicians.' How and where one specializes has only some resemblance to legacy security practice. While we still configure, update and monitor, the mechanisms have changed, and more importantly, so have the questions that we ask. In a world where assets can be stood up and torn down all in the same day, how does your monitoring group assess residual risk from ephemeral assets? How do you harden session keys across multiple resources and alert on service anomalies? These are all relatively new issues for most security groups, and just because your group has handled traditional security questions well means little in addressing a new world.

The cloud is a potential godsend for small IT shops, as you can focus higher on the stack and use standard tools furnished by the cloud software or infrastructure provider. Rapid migration to the cloud is one of our best hopes in healthcare for bringing smaller organizations to an acceptable level of cyber hygiene. But the cloud asks different things of us as systems administrators, developers and security specialists. Whether we are able to answer is itself an open question.

Accenture's take on the healthcare cloud security paradox

Despite all of the public cloud's advantages, the industry is still struggling to make traditional security practices work there: Up to 96% percent of healthcare organizations say their traditional security policies and controls are slowing cloud adoption. One reason for this, we believe, is that traditional policies and controls fail to address the big picture: the desired security outcomes. The answer, in part, lies with CIOs needing a deeper understanding of how to embed a new, more collaborative and outcomes-based approach to data security.

Another factor, postulated in a whitepaper published by Information and Computer Security, is that some organizations fail to understand that security can't be 'lifted and shifted' to the cloud. Success requires a clear strategic intent, a nimble governance/compliance model, alignment across the IT organization and the rest of the business, and implementation in line with enterprise risk tolerance. Container technology, for example, is a packaging approach that healthcare organizations should understand as they move to cloud. While containers offer scalability and agility, if organizations attempt to use traditional container tooling while moving to cloud, security can suffer. As per the Cloud Security Alliance, these challenges can be overcome with technical and non-technical best practices, but the first step is to recognize their existence.

Here are nine possible proven strategies to accelerate the move to cloud while embedding robust security:

  1. Help secure the platform: Design and deploy base security controls to secure 'landing zone' on the cloud solution provider platform.
  2. Address identity access management: Spell out the roles that are authorized to operate in the environment and what they are allowed to do.
  3. Help secure the services: Design reusable cloud solution PaaS templates with integrated security controls.
  4. Integrate tools and operations: Combine the platform and services to bring together existing client enterprise security tools with operational processes and procedure.
  5. Integrate tools and operations: Combine the platform and services to bring together existing client enterprise security tools with operational processes and procedure.
  6. Help secure landing zone configuration policies: This includes applying cloud service provider platform security controls.
  7. Shift security to the 'far left': Yes, reducing risk and protecting data in the cloud is a priority. But too often, it is added at the end of the cloud journey. This can delay business outcomes or result in having to re-do work.
  8. Handle the talent issue: CISOs should be creative to attract the right talent in order to accelerate the journey to a secure cloud. Some organizations are looking for traditional infrastructure SecOps professionals with native premise security skills to succeed in the cloud. That can work, but it requires a mindset shift. Managed Security Services agreements can be easy and more accessible to reach the same goal.
  9. Consider working with a strategic, global ally experienced in helping many clients and enterprises with secure cloud journeys for healthcare organizations. This move alone can make or break a journey that is both complex and rewarding.

Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.

Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this article is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.

Copyright © 2021 Accenture. All rights reserved.

Salwa Rafee

Global Managing Director – Healthcare Security, Accenture

Subscription Center
Subscribe to Security Blog Subscribe to Security Blog