
Securing healthcare organizations when moving to the cloud


Organizations across industries have been forced to adapt and adjust digital transformation initiatives to meet the needs of a changing world. While the healthcare industry has a history of embracing new technologies and digital transformation (DX) more slowly than other industries, COVID-19 has served as a driving force for the recent acceleration of such initiatives.

With a shortened timeline to launch new technologies, security and business continuity flaws can quickly arise. It is therefore critical that healthcare organizations review their IT infrastructure to ensure that both new and existing technologies meet the requirements of the Health Insurance Portability and Accountability Act (HIPAA), and that critical data security and backup functions are in place to ensure business continuity.

As the healthcare industry adapts to new patient and physician needs, the demand for cloud-based solutions and telehealth offerings has increased. In 2019, only 11 percent of U.S. consumers used telehealth offerings, but now 46 percent of consumers conduct their healthcare appointments via telehealth platforms. Additionally, according to Datto’s 2020 State of the MSP report, upwards of 70 percent of the managed service providers (MSPs) surveyed, including those who serve healthcare institutions, expect to be using Microsoft 365 cloud services within the next two years and see cloud migration as the top business driver in 2020.

Why cloud platforms and solutions aren’t enough

Recent moves to cloud computing in healthcare include those of the EHR vendors Cerner, Allscripts, and MEDITECH. But what these companies, and many others, may not realize is that the cloud platforms they choose, such as Google G Suite and Microsoft 365, do not on their own provide the level of data protection and business continuity needed to safeguard sensitive data while remaining HIPAA compliant.

Meanwhile, the cyber threat landscape is expanding rapidly. Seventy-five percent of healthcare organizations have experienced a cyberattack at some point, and 53 percent in just the last year. COVID-19-related fear and uncertainty add to the chaos, with malicious actors using pandemic-themed lures to infiltrate healthcare organizations. For healthcare security teams to address this threat landscape effectively, improve their overall security posture and protect patient data, they need to take a proactive approach to IT, including implementing an effective software-as-a-service (SaaS) protection solution.

With reward comes risk

While moving to the cloud is an important and necessary step to meet DX demands, several risks must be considered and monitored throughout the process. First and foremost, data created in cloud-based offerings like Microsoft 365 and Google G Suite is just as vulnerable to accidental deletion, ransomware, and other corruption as data stored in on-premises applications. Additionally, many SaaS user agreements state that data protection, data-level security, and long-term retention are ultimately the responsibility of the customer.

This is the “shared responsibility model” that cloud vendors such as Microsoft operate under: the provider secures the service, while the customer remains responsible for its data, and Microsoft’s Services Agreement explicitly recommends that customers regularly back up their content, which in practice means a third-party backup solution (such as SaaS protection). Adding SaaS protection keeps an independent copy of the organization’s data so that it can be recovered after a service interruption, a loss of service due to natural disaster or power outage, or a deletion or ransomware event, reducing unnecessary downtime. This is especially crucial for healthcare organizations, which are currently at an increased risk of attack or disruption.

Remaining HIPAA compliant

Not only do healthcare organizations have to worry about cyber and data corruption threats when moving to the cloud, but they also have to keep in mind federal regulations, such as HIPAA. For many industries, storing data for extended periods of time is a nice-to-have, but for healthcare it is legally mandated. HIPAA requires covered entities to retain its required documentation for six years, and state medical-record laws commonly require patient records to be kept for seven years or longer, so loss of data isn’t an option.

As the industry shifts to the cloud, it matters that a platform such as Microsoft Office 365 retains a departed user’s data only for a limited window by default, on the order of 90 days, unless an administrator has configured retention policies or holds beforehand. That simply won’t cut it in healthcare. For example, if an employee were to leave a healthcare institution, the data in their account would be kept only until that window expires. Data generated from patient encounters would then be gone for good, putting the organization in violation of the multi-year retention obligations that apply to patient records.

Securing data with SaaS protection

The healthcare industry as we know it has changed forever. Those institutions that learn and adapt to the changing landscape will come out of the pandemic stronger than ever. Healthcare organizations need to be equipped to meet the growing demand for cloud-based offerings, and securely meet those expectations. 

Adopting a cloud-based solution is a crucial first step in a successful DX strategy, but without the proper proactive security measures in place, progress stalls and weaknesses become more apparent. It is only a matter of time before it is simply too late to patch those weaknesses and critical patient data is lost for good or, worse, stolen and exploited.

By investing in an effective SaaS protection solution, healthcare organizations can put their worries aside when it comes to data storage and security vulnerabilities and focus on providing the best possible care to their patients.

  • Radhesh Menon is the Chief Product Officer at Datto.