Cloud infrastructure concerns shift to security, agility as tech matures
The healthcare industry is generally very conservative when it comes to adopting new technologies due to the sensitive nature of patient data and the need for uninterrupted access to information.
While cloud-based infrastructure quickly gained traction in other sectors, healthcare CIOs, CTOs, and CISOs have always been a bit wary of its reliability, security, and flexibility to handle the complex needs of a care delivery network.
Their caution is not wholly unfounded. Like on-premises architecture, the cloud faces its own set of challenges, including concerns over data privacy, security, access, reliability, and maintenance.
As the technical environment has matured, however, these concerns have shifted away from the basics of downtime and scalability, according to the most recent cross-industry survey from the Cloud Security Alliance (CSA).
With reliability more or less a given in the modern cloud environment, executives are now focusing on the next level of cloud-related issues, such as managing user credentials, defining long-term strategies, and integrating application programming interfaces (APIs) into the enterprise.
With more than 700 professionals across multiple industries weighing in on their biggest concerns, here are the top three cloud-related issues keeping executive leaders up at night.
Identity and access management in the cloud
Healthcare data is carefully protected by a series of laws, regulations, and internal policies dictating who can access which information under what circumstances. Identity and access management (IAM) systems help to safeguard data and maintain compliance by ensuring that users are correctly credentialed to perform necessary tasks.
But creating and maintaining user identities is an ongoing challenge, especially as employee turnover increases exponentially. Keeping up to date with privileges and continually educating users about access restrictions will require careful planning and sophisticated risk scoring technologies, CSA advises, especially if organizations wish to avoid ransomware attacks and other disruptions.
Insecure interfaces and APIs
The use of third-party apps and APIs is one of the cloud’s biggest selling points, especially as healthcare organizations are now required to use APIs for interoperability and patient data access purposes. But these tools can also be a major area of concern. The more connections to the cloud, the more potential vulnerabilities open up.
Leaders must ensure that APIs and other “microservices” are correctly configured, coded, and authenticated to avoid data breaches and patient privacy violations. Poor authentication practices, excessive permissions, unpatched systems, and disabled logging or security controls can all increase the likelihood of a negative event.
CSA recommends detailed tracking of all APIs in use and the implementation of automated technologies to monitor API traffic and enable speedy responses to potential intrusions.
Misconfiguration and inadequate change control
Even the best infrastructure, when configured improperly, leaves an enterprise open to attacks. Organizations are struggling to maintain full control over their clouds due to workarounds or shortcuts such as leaving default credentials in place, disabling standard security controls, forgetting to patch systems, or failing to restrict access to ports and services, the survey revealed.
Staffing challenges, corporate red tape, lack of employee education, and the use of multiple cloud providers can all contribute to a non-compliant environment. This can result in fines, breaches and hacks, outages, lost revenue, and negative public perceptions of the organization.
Healthcare providers cannot afford the reputational hit of a breach that stems from an internal oversight. Instead, they must implement comprehensive, coordinated change management initiatives that leverage automated scanning technologies and enable real-time responses to problem areas.
These types of unintentional, culture-driven vulnerabilities feature throughout the rest of the survey’s top results, as well. Organizational leaders remain concerned that the cloud will not make their enterprises more agile if the technology is not matched with a system-wide strategy for maintaining privacy, security, and user vigilance in the face of rampant cybercrime.
CIOs and other technical leaders will need to work closely with their cloud service providers to ensure they are starting on a firm foundation of secure, reliable infrastructure. They must then turn their attention to enacting internal policies and procedures that prioritize compliance without being overly restrictive for busy staff.
Balancing these needs isn’t easy, but it is essential to develop and deploy comprehensive cloud infrastructure strategies to avoid disastrous events and continue to meet the needs of the evolving health IT environment.
Jennifer Bresnick is a journalist and freelance content creator with a decade of experience in the health IT industry. Her work has focused on leveraging innovative technology tools to create value, improve health equity, and achieve the promises of the learning health system.