Friday, April 26, 2013

Security In The Cloud For Healthcare Information Needs Decent Planning.

The following appeared a little while ago.

5 steps to managing data security risks in the cloud

By Rick Kam, President and co-founder, ID Experts and Doug Pollack, CIPP, Chief strategy officer, ID Experts
Cloud computing. It’s like having a butler for your data — managing them, securing them, and making them available when and where they’re needed. No wonder the cloud is attractive to organizations burdened with time and budget constraints.
But the cloud is not without its risks. The Cloud Security Alliance (CSA) recently released its “Notorious nine,” a list of the top threats associated with cloud computing.  At the top of the charts for 2013: data breaches. With this threat at the forefront, healthcare organizations should determine when, if ever, is an optimal time for placing protected health information (PHI) and personally identifiable information (PII) in the cloud.
Caught in the crosshairs
The cloud offers a “target-rich environment” for those looking to mount cyber attacks, with the intent of either disrupting commerce or more typically monetizing the data through criminal means. It’s logical to assume that cloud providers are better qualified to secure data, given that their job is to provide computing services in a safe and secure manner.  
Unfortunately, the more data that cloud providers are entrusted with, the bigger the target they are for cyber criminals. A recent report from ENISA, The European Network and Information Security Agency, titled “Critical cloud computing,” discusses the importance of preventing large cyber-attacks and cyber disruptions.
It notes that while offering significant benefits, the concentration of IT resources in cloud services represents a “double edged sword … If an outage or a security breach occurs then the consequences could be big, affecting many citizens, many organizations, at once.”
Such is the risk inherent to cloud computing. Cloud providers who are hosting applications or data with mandated privacy protections, such as PII and PHI, are more likely targets for cyber criminals. Consequently, they are more likely to have the “mother of all data breaches,” if they are penetrated and criminals are able to acquire data without detection, at least for a while.
The other problem is cyber disruption, or cloud outages. The loss of service also puts data at risk. According to Gartner, 47 percent of all documented large outages were caused by cloud services going down. In fact, Jay Heiser at Gartner notes that while data breaches are a concern, cloud outages that lead to data loss are even more likely a risk, a perspective that appears in contrast to that of the CSA.
The cloud in healthcare
The cloud has become — and will continue to be — a favored computing model for healthcare organizations.
The Third Annual Benchmark Study on Patient Privacy & Data Security by Ponemon Institute found that 91 percent of hospitals surveyed are using cloud-based services; many use cloud services to store patient records, patient billing information, and financial information. However, 47 percent of organizations lack confidence in the data security of the cloud.
A recent article in Government Health IT highlighted an appeal by Dr. Deborah Peel, founder and chair of Patient Privacy Rights, to the Department of Health and Human Services (HHS) Office for Civil Rights “to create cloud-computing guidelines around the issues of secure infrastructure, security standards and business associate agreements.” Dr. Peel explained, “Issuing guidance to strengthen and clarify cloud-based protections for data security and privacy will help assure patients [that] sensitive health data they share with their physicians and other health care professionals will be protected.”
Lots more here including a plan on what you need to do.
This is a really useful summary with a range of useful links.
Well worth a close read.
David.
