How healthcare can close the cloud security gaps that stall adoption

Recent surveys indicate that healthcare organizations are struggling with cloud security and that executives think their cloud infrastructure is more secure than it really is.

Among the healthcare professionals in Presidio’s survey of IT decision-makers, 46% said security concerns were their top obstacle to adopting cloud technology. The second most significant challenge, cited by 35% of respondents, was finding the right cloud partner. This obstacle is closely tied to cloud security, as 94% of all surveyed organizations expect a broad range of security expertise from their third-party partners.

Likewise, 56% of organizations in a ClearDATA survey of IT, security, and compliance leaders said cybersecurity is the biggest barrier to cloud adoption. Top cybersecurity concerns include regulatory compliance, the impact on patient outcomes, data integrity, and the financial and reputational cost of a data breach. With IBM’s latest Cost of a Data Breach report indicating that 45% of all breaches occur in the cloud, this comes as no surprise.

However, the data suggests that healthcare organizations and their leaders may be their own worst enemies. In the ClearDATA report, 64% of C-level executives described cloud security as “advanced,” compared to just 28% of professionals at a VP, director, or manager level. “Likely, being further away from the day-to-day realities may give [executives] a false sense of security,” the report said.

What drives this false sense of security? According to the ClearDATA report, it stems from a failure to conduct basic risk-reduction practices. Only half of organizations conduct regular cybersecurity audits; fewer than half protect access from remote devices, including remote monitoring sensors; and only one-third use least-privilege principles, which permit users and devices to access only the data and applications necessary for their role.

Combining these practices with frequent readiness tests or mock cybersecurity incidents—which fewer than 60% of organizations do—would go a long way toward closing security gaps in cloud infrastructure. In addition, IBM’s data breach findings suggest five related areas of improvement:

• Avoid cloud misconfigurations, which rank third among the most common initial sources of a data breach (behind compromised credentials and phishing attacks).
• Consider a hybrid cloud environment. Breaches in a hybrid cloud cost an average of $3.8 million to mitigate, compared to more than $4.2 million for private clouds and more than $5 million for public clouds.
• Use identity and access management (IAM) in the cloud to restrict user and device access to data. Organizations that implement IAM spent about $225,000 less to mitigate a data breach than those without IAM in place.
• Don’t stall cloud migration. Breaches that occur amid a migration of core services to the cloud cost nearly $285,000 more to mitigate.
• Apply security best practices across all cloud domains. Organizations at this level of cloud security maturity identify and contain a breach in about eight months, compared to nearly a full year for organizations with less mature cloud security practices.

Brian Eastwood is a Boston-based writer with more than 10 years of experience covering healthcare IT and healthcare delivery. He also writes about enterprise IT, consumer technology, and corporate leadership.