The Value of Healthcare Peers in the Cloud
One aspect of cloud security that is posing new complexities is virtual care and the “hospital at home” model, Santiago adds. “All of those devices and care delivery mechanisms need to talk back to the hospital via the cloud, so now we have to look at how we use the cloud to protect them,” she says.
One benefit of Health-ISAC and similar organizations is the opportunity to discuss these and other emerging concerns with peers. Nearly 1,000 healthcare organizations belong to Health-ISAC, which Weiss refers to as a “virtual neighborhood watch program.”
For instance, Health-ISAC members can connect with others who use the same public cloud providers to share information about nuances of those environments. Health-ISAC also develops information about threats and vulnerabilities, a service that is particularly helpful for small organizations without the budget for threat intelligence support, he says.
For most organizations, Weiss notes, moving to the cloud can benefit security, as long as they have the skills and resources to uphold their end of the shared-responsibility model.
“You’re getting the benefit of the managed service in all sorts of ways that boost security, including best practices and the ability to leverage the learnings from those cloud providers,” he says.
Meanwhile, organizations can continue to grow their own expertise, including the ability to leverage observability, automation, and detection and response to optimize cloud security, he adds: “Investing in your team and their skills, especially those that help increase the number of deployments that leverage code and automation, will continue to pay big dividends in security.”
The Many Layers of Security in the Cloud
Franciscan Health, a 12-hospital system serving Indiana and Illinois, recently expanded its cloud environment by migrating its Epic EHR to Microsoft Azure. It already had approximately 400 SaaS applications and an existing relationship with Azure.
However, the Epic move represented a new level of complexity, says Charles Christian, CTO and vice president of technology.
The organization knew that moving Epic to Azure would enhance security and improve data access to support patient care, Christian says. But his team also realized that its involvement was crucial to establishing and maintaining a secure environment.
“In the beginning, we assumed, as many people do, that it’s a walled garden, and you’re going to have some inherent protections. But what we’ve learned is that it’s no different from securing your own data center,” he adds.
That means, for instance, firewalls inside Azure, data loss prevention tools, diligent patching and best practices such as least-privilege principles and temporary admin passwords. The team uses Microsoft’s built-in dashboards and similar tools for monitoring purposes, Christian says.