Healthcare Cloud Security

Feisal Nanji, Executive Director, Techumen LLC

Copyright, Feisal Nanji, 2012

For publication in Asian Hospital & Healthcare Management

1. What is Cloud computing and how does it benefit healthcare providers and consumers?

Three fundamental things have spawned the surge of interest in cloud computing:

  • The ubiquity of fast networks for commercial use.
  • A web‐enabled eco‐system – standard protocols for sharing information. These include TCP/IP,
    HTML, HTTP and Web services.
  • And finally, the concept of the virtual machine.

Combined, these three aspects provide a flexible pool of computing, network and storage resources,
which, loosely defined, is the “cloud”. For a more precise explanation of the cloud and its
subsequent benefits to healthcare providers and consumers, we find that the “cloud” offers:

  • On‐demand self‐service. A consumer can unilaterally provision computing capabilities such as
    server time and network storage as needed automatically, without requiring human interaction
    with a service provider.
  • Resource pooling. The provider’s computing resources are pooled to serve multiple consumers
    using a multi‐tenant model. Different physical and virtual resources are dynamically assigned
    and reassigned according to consumer demand.
  • Rapid elasticity. Capabilities can be rapidly and elastically provisioned. To a healthcare
    provider, the capabilities available for provisioning often appear to be unlimited and can be
    purchased in any quantity at any time.
  • Measured service. Resource usage can be monitored, controlled, and reported — providing
    transparency for both the provider and consumer of the service.

Thus there are many possible uses of the cloud that can substantially improve healthcare delivery and
make it cheaper to implement. Some clear examples include:

  • Innovative imaging PACS systems, where several hospitals could share a single expensive Picture
    Archiving and Communication System (PACS) or radiology imaging system. One hospital would manage
    the PACS and simply charge an administrative fee. Not only would it lower costs for all hospitals,
    but teleradiology specialists all over the world could easily share diagnostic images to
    examine difficult cases.
  • Innovative Electronic Medical Record (EMR) delivery and exchange. Rather than upgrading
    software on a regular basis as one would with regular EMR systems, a cloud‐based EMR service
    gives hospitals a simple way to keep their systems updated. So one can get the
    benefit of advanced technology without having to invest in a large IT staff.
  • Data mining of healthcare case studies allows for better etiology, disease management and
    more effective therapies. But data mining is usually an expensive proposition for a single small
    hospital to accomplish on its own. By aggregating data mining into a “shared resource” through the
    cloud, many more hospitals can now afford the full benefits of data mining.

In short, the sky is the limit for how the cloud can be used, for the cloud has the potential to
make healthcare IT much cheaper, faster and better.

2. What are the major concerns of securing health information in the cloud?

Perhaps the question could be broadened to ask if the cloud is more secure. The clear answer to this is
that cloud computing isn’t necessarily more or less secure than your current environment. In some
cases moving to the cloud provides an opportunity to re‐architect older applications and infrastructure
to meet or exceed modern security requirements. At other times the risk of moving sensitive data and
applications to an emerging infrastructure might exceed your tolerance. However, cloud security has the
vast potential to surpass the levels of information security that are possible today, but only if it is done
right. This raises the question: how is cloud security different from traditional IT security?

Let’s consider a traditional (or non‐cloud) data center’s security requirements and approach. Again, that
is something that is not in cloud mode. Several things occur to ensure security in a traditional data

  1. Physical configuration management governs deployment and controls implementation. That is,
    once you configure a physical system you rely on a specific set of controls. The cloud, on the
    other hand, lets you escape from this throttle so you can be fine‐grained about your controls.
  2. Physical control ‐‐ if you are facing a massive, rapidly spreading virus attack you can literally pull
    the plug in a data center and shut down a system. With the cloud it’s not so easy to pull the plug,
    for the cloud is by definition amorphous. Where do you really pull the plug in the cloud? It’s not an
    easy answer.
  3. In regular data centers an organization typically has one set of enterprise policies and
    organization for separation of duties and control. But cloud service providers have to deal with
    multiple enterprises, so cloud policies have to be very well tailored. (Our hospital might, for
    example, have stricter encryption standards than the service provider.)
  4. Patch testing and patch management is done one physical platform at a time (one by one) in
    regular IT environments. With the cloud, one command can update all your virtual machines,
    saving time but also opening up a much larger potential for error.

But in the cloud everything changes as physical visibility is lost. With the cloud, unlike a traditional
data center, the following concerns or questions arise:

  • Where is your data and where is processing performed? As a hospital you may have some issues
    sending sensitive information across geographies. For example, the European Union privacy laws
    place great restrictions on where an entity can store and/or process information.
  • Who else can see your data? (More accurately, who might be able to see your data?) Remember,
    our data is not housed in a single, secure physical data center anymore. And as you ask who has
    seen the data, how do you know who has seen it? Do you have the right audit tools to confirm?
  • Has data been tampered with in the cloud? Remember, in the cloud we don’t have physical
    control, so do we have the right tools and processes to understand if data has been tampered
    with in the cloud?
  • How is processing configured? Who will manage this for you? Is your provider really managing
    your cloud processing as well as it claims? How do you know if this translates into good security
    for your specific cloud?
  • Does backup happen? How? Where?

3. What factors need to be considered while adopting a cloud‐based solution?

We can distinguish three different types of clouds based on the required service model:

  • Infrastructure as a service (IaaS)
  • Platform as a service (PaaS)
  • Software as a Service (SaaS)

Differences among these three types of clouds are vitally important because they carry important
ramifications for a wide range of operating and security requirements.

Infrastructure as a service (IaaS) includes the infrastructure resource stack, from the facilities to the
hardware platforms that reside in them and the logical connectivity to those resources. So IaaS provides
few if any application‐like features, but enormous extensibility. For a healthcare provider this generally
means fewer integrated security capabilities and less functionality beyond protecting the infrastructure
itself. In short, this model requires that operating systems, applications, and content be managed and
secured by you, the healthcare provider.

Platform as a service (PaaS) sits atop IaaS and adds an additional layer of integration by providing
application development frameworks and middleware capabilities. These added functions include
database and message queuing. PaaS is primarily used to enable in‐house developers to build their own
applications on top of the platform. However, because of this flexibility, built‐in security capabilities
are still not fully complete. So when using this model the hospital still assumes considerable risk, but the
risk is less than with a pure IaaS model.

The final cloud variant is software as a service (SaaS). SaaS, in turn, is built upon the underlying IaaS and
PaaS stacks. It provides a self‐contained operating environment used to deliver the entire user
experience including the content, its presentation, the application(s), and management capabilities. So
SaaS provides the most integrated functionality built directly into the offering, but it has the
least consumer (hospital) extensibility. Because of this, a SaaS provider must guarantee a relatively
high level of integrated security. The SaaS cloud provider in essence bears responsibility for most of
your information security.

The key takeaway for security architecture is that the lower down the stack the cloud service provider
stops, the more security capabilities you, as the cloud consumer, are responsible for implementing
and managing.

4. Do you think the healthcare sector is better positioned to adopt cloud than others?

Actually every industry can be a beneficiary of the cloud. But Healthcare, which is often cost constrained
and is more about doing societal good than profit, should be very receptive to its adoption.

5. How has the industry’s initial experience with the cloud been?

There are clear opportunities and options for healthcare providers. The initial forays have been with
Electronic Medical Records and point solutions, say, for revenue cycle applications. Over time we expect
many more applications to flourish.

6. Are there any cultural issues that could hinder the adoption of cloud?

First and foremost, the cloud presents those of us in information technology and security a
once‐in‐a‐career opportunity to make information security better: faster, cheaper, more efficient and less
intrusive. Because cloud platforms are still developing, we have unprecedented opportunities to embed
information security processes and technologies deeper into the infrastructure. This requires a deep
change in the cultural mindset of organizations used to a strong centralized IT function.

More critically, your business units must also be ready to share the same infrastructure. For a cloud
solution to make economic sense it has to have periods of high utilization; otherwise, the resources will
sit idle for long periods of time, destroying the return on investment.

7. There exist health information security and privacy concerns in the cloud; how can these issues
be recognized?

The cloud forces user organizations to fully reexamine their methods for data ownership and control.
Therefore we may need to revise our models for establishing trust, consequences and chain of custody,
and how we provide access and authentication.

Providers of cloud services must also give user administrators (hospitals) the access and privileges
needed to do their jobs. That is, user organizations should clearly retain control over IT policies and
assets, even if they don’t own or directly operate those assets.

One other important point: in the cloud, interactions between software and systems often equal or
exceed those between people and machines. Consequently, it’s imperative for IT and security processes
to account for the reality that a “user” in the cloud may more likely be a machine than a person (or a
machine acting on behalf of a person). This has profound implications for how identities are provisioned,
authenticated and managed.

8. What are the key steps to overcome/manage these issues?

In short, the best way to ensure security and privacy for the cloud is for enterprise customers to require
maximum transparency into their cloud providers’ operations. You will be sharing resources with
potentially lots of business units – external or internal – and you need to know what is going on.

Also, as a CIO or Chief Security Officer you must change your mind‐set about information security.
Several things are important:

  • Think of delivering security as a set of adaptive services that are delivered via programmable
    infrastructure to create adaptive zones of trust.
  • Pressure incumbent security vendors to deliver their security controls in a virtualized form to
    more easily address secure cloud‐computing requirements.
  • Express security policy across physical and virtualized cloud‐computing environments.
  • Maintain separation of duties between security policy enforcement and IT operations in the
    transition to cloud‐computing environments.

9. Any other comments?

There are many other cloud‐related issues that will affect users, IT managers and senior management.
Consider one aspect, that of compliance. Many IT professionals have to constantly worry about audits.
Moving to the cloud means you will likely be inundated by audits such as systems reviews, transaction
reviews, policy and procedure reviews and risk assessments. This is a heavy information dissemination,
storage and analysis burden. It happens that information security is tied closely to information
movement and will be among the first compliance items we design for the cloud. So if we do this correctly
for information security efforts, we can substantially improve other compliance needs in healthcare.