By Adam Stern
Cyber attacks happen. A lot. And more are happening all the time.
Online hacks in healthcare are enormously costly, and these costs are rising. Seemingly every facet of digital life is potentially at risk, from hospital systems to patient records, imaging devices to lab results, billing and insurance files to pharmaceutical protocols. Malware can play havoc with test results, ransomware can be the price of misdiagnosis, and lives can be on the line from breaches by unseen actors in unknown locales.
While these threats transcend dollars and cents, the accounting is stark. According to NetDiligence’s Cyber Claims Study, healthcare and hospital cyber insurance claims represented 28 percent of total data breach costs in 2017:
o Healthcare breaches ranked first among all sectors, accounting for 18 percent overall
o While the average (non-healthcare) cost of a breach was $394,000, healthcare exceeded $700,000 (encompassing crisis services, legal defense and legal settlement fees
o Hackers were responsible for 27 percent of all breaches, while insiders were involved in 25 percent of incidents
o Payment card information (67 percent) was most likely to be exposed, followed by protected health information (17 percent) and personally identifiable information (nearly 16 percent).
Hospitals and healthcare organizations naturally look to HIPAA, the Health Insurance Portability and Accountability Act of 1996, as a security blanket – not because it’s a shield against cyber attacks, but because it’s already there. Healthcare institutions are inherently cybersecurity-aware, although security is often subordinated to patient care. All have a fiduciary responsibility to safeguard PII, personally identifiable information, and HIPAA compliance generally gets that done.
But strict HIPAA compliance doesn’t mitigate against cyber attacks; perversely, it can actually feed a kind of misdirection or confer on healthcare providers a false sense of, pardon the term, security. While HIPAA focuses on leaks of patient information, that’s just one aspect of the cybersecurity challenge. A host of other vectors are at play, and it’s vital to architect a cloud system that addresses these bad actors holistically (DDoS attacks, cyber-triggered physical intrusions, ala Stuxnet, purloined USB drives laced with viruses and/or malware, etc.).
For organizations across the healthcare ecosystem, the need to get the cloud right has never been greater. While the cloud may be here to stay, there’s nothing fixed or “commodity” about it. Designing it, deploying it and operating within it are non-trivial pursuits, particularly where security is concerned.
A well-architected cloud can be defined by any number of parameters, but three are paramount: data protection, security and uptime. As it happens, all three are also the warp and woof of the healthcare business.
Taking them in turn:
o Data protection. Whether data protection measures are deployed at the storage area network (SAN) level or in software, after the fact, makes a huge difference in the quality of protection. Choices around backup architecture (e.g., using agents to run on individual servers) must be part of the original design. HIPAA is of course an enormous part of this discussion. Violations of HIPAA are especially difficult to detect and potentially calamitous because of that difficulty. But healthcare providers and IT providers have distinct roles to play – and getting the lines of demarcation correct is essential for both (see below for more).
o Security. Security mustbe part of the bones of the architecture. Think of security as integral to the design at inception. While building a cloud environment, security vectors need to be part of that process; this isn’t something that can be passed off to a third party. Gaping holes left after the initial build can’t be closed without re-architecting the cloud, and patch management won’t do the trick. Then, too, it’s vital to bake in the principles of Zero Trust and Least Privilege, governing access both inside and outside the network.
o Uptime. A well-architected cloud must have the ability to deliver 100 percent uptime to clients. The architecture needs to look not only at failures and redundancies but also the ability to migrate workload to allow regular maintenance while remaining live, with zero or near-zero downtime.
So how can a healthcare organization achieve a well-architected cloud? To an extent, it’s a process question, pegged to the quality of the engineers on the team – whether those engineers are on your payroll or, more likely, in the employ of an IT firm you retain.
The first move in architecting a cloud is engaging transcendent storage, network and application designers and engineers. While it’s highly desirable that every member of the team think holistically, the individual at the top (again, your employee or your third-party point person) absolutely must.
For the sake of argument, let’s assume that, given the demands of running a healthcare business, you’ll forsake the DIY option. To stretch the analogy a bit further, you don’t need to be a literal architect or a carpenter to know what you want in a house.
The elements of a well-architected cloud are immutable; it doesn’t necessarily matter who does the building as long as these fundamentals are in place. The resulting IT environment needs to be both effective (it gets the job done today) and capable of evolving as business/client/security needs change. In opting to rely on a third party to architect your cloud, you need to be an informed/smart IT consumer. That’s the case whether you’re a sole proprietor, a multi-office medical practice or a healthcare department within a larger enterprise.
A few years back, Roy Stephan, founder and CEO of cybersecurity firm PierceMatrix, offered this aspirational take on cloud architecture: “With the cloud, individuals and small businesses can snap their fingers and instantly set up enterprise-class services.” Although it may not be quite that easy for every healthcare organization, Job #1 for providers seeking cloud designers is to do some serious tire-kicking.
While it’s the cloud architect’s job to fashion something that your healthcare organization can live/compute in, it’s up to you to ensure that the resulting cloud realizes your objectives and feels like home. Your patients deserve no less.