Cloud cybersecurity in health care

A blog post by Justin Rowe, Managing Director, Cloud Security and Data Risk, Deloitte & Touche LLP; Shubhangi Garg, Manager, Cyber and Strategic Risk, Deloitte AERS India Pvt L and Anurag Mishra, Senior Consultant, Supply Chain and Network Operations, Deloitte CON India Pvt Lt

As with other industries, health care organizations have been rapidly migrating to cloud computing, largely because of cloud’s ability to help them modernize their information technology (IT) infrastructure. Cloud computing also brings new opportunities for health care organizations to adapt their security capabilities to mitigate risk presented by advanced threats while meeting the needs of a distributed workforce and customer base.

In this two-part blog series we’ll discuss several cloud cybersecurity topics. In this first part, we’ll talk about management of data risk in cloud and increased security visibility across multi-cloud architectures. In part two we’ll cover enabling policy automation to manage cloud configurations and shifting left to secure the cloud architecture.

Management of data risk in cloud 

Health care organizations moving data to cloud sometimes struggle to gain visibility into which data they have migrated, who and what systems have access to that data, whether that data is secured at rest and in motion via encryption capabilities, and the volume of data that is proliferated within cloud (which leads to an ever-expanding attack surface).

Therefore, it’s essential to perform a data risk assessment within the early stages of a cloud migration and/or when a new application is being built. Without a risk assessment, it’s difficult to estimate the likelihood of a security incident. Because secure data is critical to the effective performance of enabling effective health outcomes, risks need to be identified, assessed, and quantified, and controls should be implemented to manage data risk.

To maximize the effectiveness of data risk management in cloud, determining what data risks the organization faces is crucial from the outset of migration. These risks could include regulatory compliance requirements, classification and criticality of data, the data life cycle, access management of data, as well as internal and/or third-party usage of the data. To this end, having a clear understanding of the “shared responsibility model” with cloud providers (i.e., knowing what each party is responsible for, specific to data in cloud) is one of the many critical components of managing a cloud implementation.

Further, via measurement and quantification of data risk, organizations should design and implement risk controls—leveraging either native cloud or third-party capabilities. Cybersecurity controls for data will vary based on use of detective, preventive, and corrective features and functionality. Data discovery and classification are also foundational controls that should be in place to sustain visibility into what data is in cloud, the sensitivity/criticality of that data, and the view of data flows and lineage of systems and users accessing the data.

Additional controls can also be applied while data is in motion and at rest. These controls include data encryption—including tokenization, masking, etc.—as well as data loss-prevention controls to monitor for data exfiltrating the organization against policies that dictate authorized versus unauthorized business processes. Bottom line: Continuous visibility and implementation of data risk controls will help enable health care organizations to better focus on protecting their business and their patients’ and members’ safety, health, and wellness.

Increased security visibility across a multi-cloud architecture

The adoption of multi-cloud architecture is steadily growing in the health care sector. To remain competitive and operationally efficient while minimizing security and privacy risks, a large majority of health care providers are electing to modernize their data centers and IT operations using hybrid and multi-cloud platforms. However, challenges remain as organizations deal with the complexity of securely managing interoperability and integration across technical borders in a highly regulated landscape.

Further, the lack of a well-thought-out, secure implementation strategy, fueled by the inherent complexity of a multi-cloud environment and technical debts, can make it difficult for organizations to create and secure hybrid cloud operations (such as building a hybrid cloud DevOps pipeline). Platform-specific, inconsistent approaches to monitoring and reporting security risks and vulnerabilities using disparate cloud-native tools and processes can also hobble the ability of security leadership and management teams to derive meaningful insights into critical risks and security priorities.

Integrating data across clouds as well as application mobility and interoperability also increase cost management and governance complexity, and it can also make security management more difficult. What’s more, with the lack of key cybersecurity skills across the health care sector, it is becoming increasingly difficult to provide consistent, secure, and efficient operations across a hybrid infrastructure.

One part of the solution to these issues is to develop and implement a set of common security requirements, processes, and monitoring and reporting tools that can be implemented across cloud platforms. Such a single-pane view of operating platforms and workloads across multiple clouds is essential for detecting, investigating, and responding to cyber threats. As an example, organizations could develop cloud-agnostic operating models that abstract cloud-specific authentication models and centralize user accounts, roles, and policy definitions. 

Organizations could also simplify management by establishing a single cloud security function to manage and secure operations across cloud platforms, as well as leverage standardized templates to operate, manage, and track compliance. Along with the security function, it’s essential to build a collaborative culture to simplify governance, reporting, and knowledge sharing through platform-engineering teams.

Health care organizations could also upgrade their IT processes and tools by identifying automation and abstraction opportunities and move toward self-servicing and consolidation of native tools. Further, they could update existing pipelines to accommodate cloud-native applications and containers, perform automatic software upgrades and continuous testing, and add security checkpoints to promptly report compliance violations and security failures.

Looking forward

Cloud migrations are rarely simple, and security issues can make them more difficult. Therefore, it’s essential to manage risk—especially data risk—and establish security visibility, particularly over multi-cloud architectures. In part two of this blog series, we’ll look at two more security issues—enabling policy automation to manage cloud service configurations and shifting left to secure the cloud architecture.