Think the cloud is safer and cheaper?

Sonia Sexton, Chief Security Officer, DP Facilities, Inc.

Many healthcare organizations are being swayed by the siren song of the cloud. But there’s a dirty little secret you should know: The cloud is only as safe as the data center securing it.

Cloud systems leverage the underlying infrastructure of the Internet, which comprises more than 550,000 miles of undersea cables plus land-based fiber-optic cables connected to millions of servers housed in data centers. Actually, there are many clouds, from the big commercial cloud services — Amazon AWS, Google Cloud Platform, IBM Cloud and Microsoft Azure — to custom-built single-cloud and multi-cloud systems.

Think twice — and do a lot of research — before putting sensitive data into the typical commercial cloud systems. Don’t get me wrong: The modern Internet couldn’t function without them. But they’re typically built to hold harmless consumer and business data, not highly private health information.

Last year, for example, WikiLeaks revealed the location of Amazon Web Services (AWS) data centers around the globe — some of which reportedly housed cloud servers storing sensitive U.S. government data. Clearly, those data centers were not treated as critical infrastructure by AWS or the government, and the breach had significant consequences for what had been secret government operations.

In healthcare, you obviously have to worry not only about the usual consequences of a data breach, but also about getting a knock on your door from HHS to investigate possible HIPAA violations. Look at it this way: What data can you risk getting into the wrong hands? If a cloud data center is breached, what could the hackers grab that wouldn’t keep you in a cold sweat all night? Probably not personal health information, medical record numbers, or billing and reimbursement numbers.

Consumers, and even tech leaders, are more aware of and sensitive to how their data is being stored and used. Last year, none other than Apple CEO Tim Cook spotlighted the risks of the “data industrial complex” when he spoke during the 40th International Conference of Data Protection and Privacy Commissioners. “Our own information, from the everyday to the deeply personal, is being weaponized against us with military efficiency,” Cook said.

A healthcare organization — including its customers and stakeholders — has too much at risk to casually or quickly decide on cloud storage for health data. Hospitals and health systems should keep three key considerations in mind when considering cloud storage: security, resilience and responsibility.

Security:

● Make sure the data center securing the cloud is HITRUST-certified and HIPAA-compliant, and is 100-percent U.S.-citizen-owned and operated.
● Does it protect entry points with layered security zones, maintain 24/7 external and internal surveillance, use only top-grade software for security and event management, maintain all proper certifications and audits, and establish and follow stringent access procedures?
● Does it meet SSAE 16, SOC 1 and SOC 2 standards to minimize the risk and exposure of sensitive medical records and healthcare data stored in the cloud?

Resilience:

● Is the data center insulated from both natural and manmade disasters, yet close to abundant and redundant fiber connections?
● Is it located outside of high-vulnerability power grids, yet supported by a steady and reliable supply of up to 45 MW of low-cost electricity?
● Is it considered critical infrastructure by the government so that it’s eligible for priority fueling during disasters?

Responsibility:

● Take a facility-first approach to data center security.
● Embrace a hybrid colo-and-cloud data management strategy.
● And only contract with data center companies that are committed to truly protecting your healthcare organization’s identity and data.

Deciding what data you can safely store in a cloud environment is ultimately between you and your data center, of course. So, you need a cloud-neutral but cloud-smart data center provider. You need a data center that’s truly secure and resilient. And you need a data center that can tailor its cloud and colocation backup-and-recovery solutions to your requirements.

About the Author

Sonia Sexton is chief security officer for DP Facilities, Inc., which owns and operates Mineral Gap data center in Wise, Virginia. She has more than 20 years of experience in significant security roles within major federal contracting firms.