Despite Advances, Data Security Still The Key To Cloud Adoption in Healthcare-The HSB Blog 3/28/22
While moving data to the cloud is becoming increasingly common for healthcare organizations as they look to handle the massive volumes of digitized data, data security concerns remain paramount. By choosing the right data storage healthcare solution, organizations can provide better patient health outcomes by controlling how data is accessed (clinician and researcher use) as well as achieving HIPAA compliance and security. Public clouds, on-premise private clouds, and hybrid clouds come with their own set of advantages and disadvantages and should be chosen based on the healthcare organization’s needs and values for managing data growth. However, the security of cloud installations seems to be a common concern that needs to be addressed no matter what type of deployment.
A single patient generates approximately 80MB of data in just EMR and imaging data each year according to the New England Journal of Medicine.
Using clouds as data storage has helped healthcare organizations to adopt new technologies that transform and support their model of patient-centered care.
The global healthcare data storage market is expected to grow at a CAGR of over 16% between 2019-2026, reaching over $8B by 2026.
According to the Flexera State of the Cloud Report, security was the largest concern for enterprises working with the cloud with 85% of respondents expressing concern, a rise of 4% from the prior year.
While healthcare data has increasingly been digitized and moved online, the dramatic rise in the use of telehealth and other online services drove an exponential increase in healthcare data as well as a need to easily access and consolidate all data in one place. For example, according to the New England Journal of Medicine, a single patient generates approximately 80MB of data in just EMR and imaging data each year. As a result, industry research firm Researchandmarkets estimates that the global healthcare data storage market will grow at a CAGR of over 16% from 2019 to 2026, reaching over $8B by 2026. This has given rise to an increase in the exploration of cloud storage by healthcare organizations to increase access while simultaneously reducing costs. According to the National Institute of Standards and Technology (NIST), “the cloud” is “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” As noted in “Security Concerns of Cloud-Based Healthcare Systems” cloud has become a popular option in healthcare “mainly due to reduced cost and increased performance in terms of reliability, scalability, and flexibility.”
Cloud computing deployments can be further divided into three types, public cloud (where a user can access and use the cloud through the public Internet), private cloud or on-premise (which runs on an organization's one infrastructure and security), and hybrid cloud (which is a combination of public and on-premise). Each type has its own storage options, security considerations, and risks for accessibility and control of patient data for healthcare organizations. In general, as noted in “Securing Services in Networked Cloud Infrastructures” there are a number of security considerations for all types of cloud computing. For example, security and privacy challenges arise when there are multiple tenants with different policies and requirements using the cloud infrastructure. When sensitive data belonging to enterprises and individuals are stored and used by services in the cloud, it poses security as well as privacy issues. There are also significant security issues arising out of malware attacks in the cloud which have access to both data and services of many users and also the ability to propagate to many systems over the cloud infrastructure.”
Costs, maintenance, scalability, flexibility, and control are also important factors that healthcare organizations must evaluate when deciding which cloud storage option to deploy. While the following is not exhaustive some of the advantages and disadvantages of each method are listed below:
Advantages: Leverages shared infrastructure, relatively easy to scale and provision, reduction or elimination of maintenance as 3rd party provider responsible for infrastructure.
Disadvantages: Potential security concerns, third party provider will secure the cloud itself but the user must secure the network and applications Users will need to decide on security protocol (ex: encryption) for data in transit or at rest.
Advantages: Stores that organization’s data and resides only on their equipment so the organization has direct control and responsibility for security.
Disadvantages: Generally higher operating costs and slower scalability when more resources are required to accommodate growth. The organization is required to handle all updating and patching of software.
Advantages: Allows organizations to store highly sensitive data on the private portion of the cloud and less sensitive data on the public portion of the cloud. Allows organizations to take advantage or the rapid scalability of the public portion of the cloud.
Disadvantages: More complex and time-consuming process to set up than compared to the public cloud as the cloud service provider has the obligation to ensure only authorized users access the private cloud portion while allowing outside users to access the public cloud. Potential for interoperability issues between data stored on public and private clouds. Requires the assistance of third-party services to deploy.
While there are several delivery models for cloud computing, Software as a Service (SaaS), Platforms as a Service (PaaS), and Infrastructure as a Service (IaaS), the remainder of this Our Take will focus on Infrastructure as Service models as we think they are currently most relevant.
Healthcare data comes in a variety of types and formats including Electronic Health Records (EHRs), patient registries, claims data, health surveys, Picture Archiving and Communication Systems (PACS), as well as clinical and research data. Using clouds as data storage has helped healthcare organizations to adopt new technologies that transform and support their model of patient-centered care. This is crucial not only for advancing data utilization but improving healthcare outcomes for patients through such mechanisms as population health and predictive analytics. For example, since public cloud infrastructure is easy to scale and empowers geographically dispersed clinicians and researchers to simultaneously work on large data sets it can aid in knowledge transfer and innovation. For example, pharmaceutical companies can use large datasets, patient registries and even create digital twins (allowing virtual copies of patients’ physiological profiles) to explore the potential of drug candidates worldwide for drug development.
As noted in “Security Concerns of Cloud-Based Healthcare Systems”, the public cloud is considered more cost-efficient as it is “pay-as-you-go…it allows users of cloud to purchase the computing resources according to their necessities and requirements without [having] to invest a large amount of cost in purchasing the IT infrastructure.” In addition, given the security concerns associated with public cloud, private cloud data storage is often a popular option amongst healthcare organizations, as it provides more control over data and lets organizations design in whatever customized level of security features it desires to meet regulations such as HIPPA, GDPR, CCPA, etc. According to Xtelligent Healthcare Media, the private cloud is believed to be a more secure option since “on-premise EHR systems must ensure IT professionals are on staff to maintain and oversee hardware and software… [and] must maintain security safeguards and manage all controls.” There is also the benefit of protecting against downtime risks such as outages that can occur in the public cloud. Hybrid cloud storage is viewed as offering the best of both architectures with its public cloud portion typically used for less sensitive web-based services as well as data backup and recovery protocols. According to O’Reilly’s “The Cloud in 2021” report, the top cloud service providers to the healthcare industry are Amazon Web Services, Microsoft Azure, Google Cloud, and other.
Cloud storage and other technologies have dramatic potential to improve the quality, accessibility, and timeliness of healthcare data but healthcare continues to lag behind most other industries, ranking 7th out of 12 industries in cloud usage according to O’Reilly’s “The Cloud in 2021 Report”. Given the importance of data security and privacy in healthcare, this will likely not occur until healthcare overcomes the challenges of security, latency, and manpower. For example, according to the Flexera State of the Cloud Report, security was the largest concern for enterprises working with the cloud with 85% of respondents expressing concern, a rise of 4% from the prior year. Interestingly, while great advances have been made in cloud security, it has consistently remained a concern for healthcare executives. Moreover, the recent increase in healthcare data breaches, with a total of over 700 reported in 2021 (up 11% from 2020) has only reinforced and highlighted these concerns.
While each organization will have to determine which cloud model would be best for them, there are several steps that healthcare organizations in particular should take to secure IT assets as they move to the cloud. As highlighted in “Security Concerns of Cloud-Based Heatlhcare Systems” the most important issue with the public and hybrid cloud is multi-tenancy “The most important security issue involved in cloud computing is the presence of third–party because the healthcare organizations have no command of their medical data dispensation and management.” Healthcare organizations must work with Cloud Service Providers (CSP) and their counsel to ensure they are aware of “what level of security is being enforced by the service provider, what potentials risks exists and what compromises can take place on the cloud infrastructure must be between the healthcare organizations and service provider” (including the right to audit). Importantly, healthcare organizations should note that using a HIPAA compliant CSP is essential and that under HIPPA Business Associates are responsible for ensuring that their software and systems are in compliance with HIPAA. In addition, healthcare organizations should ensure that they have strong access and identity management controls in place. This includes the use of two-factor authentication as well as ------- As noted in “Cloud Computing Security Challenges and Threats” it is important that access controls cover “all stages of the user access life cycle, from initial registration of new users to removal of the last registration of users who do not need access to the latest information systems and services.” Moreover, these groups should ensure that they are using encryption both for data at rest and data in transit. Healthcare organizations considering moving to the cloud need to ensure they have a history of strong auditing and enforcement procedures in place, which include honest assessments of how often they are auditing their systems, consequences for violations, and remedial steps taken when defects or lax enforcement of procedures have been uncovered. Finally, those considering moving to the cloud may want to consider the use of offshore cloud vendors, as data stored outside the U.S. may not be subject to the same level of protection as that stored in the U.S., and should a breach occur with an offshore vendor, HHS’ Office for Civil Rights (OCR) or State Attorney’s General may have limited power to take action.