in place to maintain that security are rarely visible to the customer, leaving questions over compliance and auditing requirements very much unanswered.
So it’s no surprise that a recent “Healthcare IT Insights and Opportunities” report by CompTIA (Computer Tech- nology Industry Association) showed that while the adop- tion of new technologies, such as smartphones and tablets running medical applications, was growing rapidly (likely to grow to 50 percent of doctors within a year), adoption of cloud services was a rather sickly 5 percent. How realistic are the concerns expressed over cloud computing? Part of the problem is that it’s actually very diffi cult to say – something no security or risk-management offi cer wants to hear. Cloud computing still has a long way to go to reach maturity, and the diffi culty of measuring the risks of this new approach should not be underesti- mated.
The main concerns are, of course, the confi dentiality and availability of the data that is stored in the cloud. And regardless of the company offering the services, the pos- sibility exists for a problem with either. Earlier this year, Amazon, one of the largest providers of cloud services, suffered a serious outage of its AWS Elastic Block Storage, leaving many business websites off line.
Likewise, one of the largest providers of on-demand cloud storage and collaboration, Dropbox, announced in June of this year that due to a problem with their au- thentication systems, any user could theoretically access the accounts of any other. While the problem was short lived, the fact that it happened at all underlies the risk of assuming that data in the cloud is secure. Other concerns arise from the shared nature of the infrastructure. Many shared cloud services rely on de- ploying virtual machines to maximize the effi ciency of the provider’s investment in hardware. And while attacks on virtual servers have been largely confi ned to the lab, the very real possibility still exists that an attack could compromise one system on a shared host and use that foothold to gain access to other hosted servers in order to steal information or entire server images. Underlying most of the concerns regarding the security of cloud services is that it is diffi cult to measure the risk posed by third-party providers’ servers, processes and personnel. Without the ability to monitor and review such processes, it can be diffi cult to ensure that risks are under control and compliance requirements are being met. So where does cloud computing make sense for the healthcare industry? Clearly, there are concerns over the security of sensitive data moved into shared cloud environ- ments, and to some degree those concerns are justifi ed. However, for information that is not sensitive, typically not personally identifi able data, the cloud can offer both signifi cant savings and the ability to quickly adopt new services and software.
Software services, such as email, are obvious candidates to move early to cloud providers. Likewise, the cloud of- fers considerable opportunities to collaborate and store information for access almost anywhere.
As more specialist medical cloud services are launched, it is likely they will directly address some of the privacy and compliance concerns that exist with more general- purpose cloud offerings. For many healthcare organizations, the lure of cloud computing is already forcing a serious review of the risks and benefi ts associated with adopting these new approach- es. Indeed, for many the question of whether or not to adopt cloud computing is already moot. Consumer-focused cloud services, especially for fi le storage and collaboration, have already permeated many organizations through ser- vices like Box.net, Dropbox and iCloud. Windows 8 will arrive with cloud storage already embedded in the form of Skydrive, further eroding the ability of IT and security departments to control cloud storage use.
Ensuring that the data housed in cloud services is secure and protected is the single biggest barrier to widespread cloud adoption in the healthcare industry.
As a result, many are looking for ways to rapidly make cloud storage, and ultimately other cloud services, safer. Foremost in these efforts are technologies that provide what is generally termed “data-centric” security. These approaches provide protection to data regardless of where it resides; whether that’s on a laptop, a thumb drive or in the cloud. Encryption, and to a lesser extent tokenization, will form the backbone of such solutions, and the state-of- the-art in such technologies is progressing rapidly, driven in large part by the pent-up demand for safe cloud storage in the fi nancial and healthcare industries. The benefi ts of cloud computing are demonstrable and compelling. However, the ability to safely store information in the cloud has lagged behind the development of cloud services, and this situation has left the healthcare indus- try facing a diffi cult choice. Early adoption of the cloud will undoubtedly enable greater effi ciencies and provide unprecedented collaboration capabilities between practi- tioners and even patients themselves. Yet, as custodians of highly personal and sensitive data, the healthcare industry must approach cloud computing with a healthy dose of caution. Thankfully, new security technologies, focused around very data-centric technologies, could soon provide a foundation upon which to build a better, more responsive and more effi cient healthcare IT platform – something that will benefi t everyone concerned.
HMT HEALTH MANAGEMENT TECHNOLOGY February 2012 9