This week on our blog, we have a guest post on cloud security in hospitals from Sven Gerlach, Senior Manager Infrastructure and Data Center at NTT Security. 

When confidential patient data is concerned, a high level of protection is essential, especially when a hospital is using cloud services. Security must be the first priority, but the reality is often different. Often, basic aspects such as strong authentication or encryption are not adequately considered.

Cloud technology is continuing to grow, and hospitals are often using cloud services – officially or unofficially – such as Salesforce, Microsoft Office 365 or Dropbox. Some hospitals have even moved their internal IT infrastructure to the cloud.

But even if a hospital is officially based on a strict no-cloud policy in order to remove security concerns, this is often only half the truth. The fact that they are on the “safe” side is, in most cases, a fallacy, because what is the use of an organisational ban if there is no way to monitor, enforce and control this policy, and users can therefore access unauthorised cloud services? 

This is otherwise known as shadow IT and, as a rule, it is built up by using unauthorised cloud services within the company. This can be covered by a shadow IT assessment. Therefore, organisations should definitely pursue a strategy to control cloud usage.

The fact that uncontrolled cloud usage in hospitals creates an enormous security risk is unquestionable. However, there are often uncertainties or misjudgements regarding the means and possibilities for dealing with security risks.

When confidential data is stored in the cloud, hospitals must provide the cloud service provider with clear guidelines and ensure compliance with elementary security measures. This includes regulations regarding the data integrity and location of the data as well as measures such as data encryption, multi-factor authentication or protection of privileged accounts. When using cloud services, the monitoring of data access is of great importance with regard to privileged user accounts with extended rights, such as administrators. The reason for this is that the requirements for risk management for the outsourcer also apply when outsourcing data to an external provider.

Above all, the topics of authentication and encryption are essential and should be put to the test. Access rights must be clearly defined and adequate authentication procedures should be used. In view of the sensitive data, a simple authentication, for example with a password, is not sufficient. It is best to use at least two-factor authentication, such as a password and a hardware or software token. For example, in the banking sector, two-factor authentication will be imperative for mobile and online banking, according to the new EU Directive Payment Services Directive 2 (PSD2), which must be implemented by 2018. The same should apply to the use of cloud services in healthcare.

Data encryption is just as important. However, which encryption method a hospital uses is critical. Usually most cloud services only use data-at-rest encryption, which ultimately provides only theft protection i.e. if stored data are lost, they remain encrypted but the data is decrypted and unsecured during processing. However, solutions for end-to-end encryption of data are also available today, and their use should be considered.

Another point that is usually a shortcoming when using a cloud is the potential data flow. Hackers often use malware to steal patient data. Possible damages include the violation of personality rights, imagery and claims for damages. Any unwanted data flow must therefore be reliably prevented. This is ensured by, for example, the management of the access rights, the monitoring of the data transmission from and to the cloud by means of Data Loss Prevention (DLP) and the protection of the data itself by Digital Rights Management (DRM) technologies.

In general, when using cloud services, a hospital must in any case review the security policies of the service provider. If this is not possible for reasons of resources or content, an external service provider with proven cloud competence should be consulted.

Essentially, cloud security mustn’t be overlooked. If hospital IT fails to take a leading role in the case of cloud initiatives, the migration to the cloud will take place nevertheless – unplanned and unsystematic. This creates a shadow IT within the organisation, which entails considerable security risks. So it’s “better today than tomorrow” that should be high on the IT agenda of all hospitals.