How to secure a private cloud for health care data
- By Mahesh Kalva, Andrew Underhill
- Aug 05, 2015
Government health care agencies’ use of private clouds to house sensitive data and applications is on the rise as internal IT departments aim to provide more holistic solutions to meet the growing needs of multiple business units. Traditionally, IT groups within a government entity deliver data center and desktop capabilities; however, business units now also want the ability to take advantage of cloud services, such as infrastructure as a service, platform as a service and software as a service. Federal health care technology organizations are currently looking to meet these emerging needs through internal resources, rather than forcing non-technical managers to engage with external commercial providers.
As a result, health care IT departments are building private cloud networks and functioning as brokers, offering a private option, but also allowing business managers to choose a range of commodity and hybrid models through the providers with which the internal IT groups already work. When initiating use of a private cloud in health care, a few key steps vital to success include performing ample research, developing a solid risk management policy and ensuring that the ends justify the means from a business perspective.
Private does not equal secure
The fact that a cloud platform is private does not – in and of itself – mean it is highly secure. Health care organizations must develop, maintain and optimize strong security processes for all cloud environments, perhaps even more so than in a traditional data center model. Since these platforms consist of multiple layers, malicious attacks that breach security can occur in numerous places. A successful infiltration in any one of these layers -- hardware, software or virtual -- can compromise the entire system.
This large attack surface means that internal IT staff must monitor firewalls, maintain hardware infrastructure in secure and controlled environments and conduct ongoing penetration testing and auditing. In other words, following best practices in cybersecurity is an absolute requirement to keep health data safe.
A good policy underpins a secure system
To effectively preserve security, health care agencies should pursue a defense-in-depth strategy, meaning the coordinated use of multiple countermeasures to protect the integrity of enterprise information. A defense-in-depth strategy is necessary because organizations must assume that all locations, whether at a physical or binary level, are vulnerable and potentially accessible. This assumption is fundamental to developing appropriate security measures.
A security policy should outline an organization’s defense-in-depth strategy. Some issues to address include clear ownership of data security, rigorous governance, user authentication and authorization, data usage policy, criticality or sensitivity of data, frequency and scope of penetration testing and auditing and the use of automation to scan for vulnerabilities, detect infiltration and ensure all systems are up to date. Robust encryption is another important element to address. Without it, health and identity data become far more vulnerable to theft or tampering. Further, encryption strategies and technology should apply to all data whether in transit or at rest.
The policy should also describe how and when the health care organization will conduct risk assessments for all IT infrastructure components. As a result of these reviews, security professionals should disable or remove any servers or hardware that are not essential to operations, as these can inadvertently provide an attacker with an unprotected port, a vulnerable device or another way of gaining unauthorized access to the system. Even software such as a hypervisor (the software that controls virtual environments) automatically installs many unnecessary features; failure to remove them after installation will needlessly increase the size of the attack surface.
Key business considerations
In addition to setting up and implementing robust security measures, internal IT groups within the health care organization must deal with the business aspects of private clouds to ensure the group meets end user expectations and provides an attractive option to public offerings. Below are a few essential points to keep in mind when preparing for implementation:
Mirror FedRAMP compliance. The Federal Risk and Authorization Program is a risk management initiative that provides a standardized approach for assessing and monitoring the security of commercial cloud products and services. Even when offering a private cloud, health care government entities should adhere to all provisions of the FedRAMP program, paying particular attention to service-level agreements (SLAs) and security protocols. This will increase confidence in the private cloud and allow the IT organization to deliver a comparable product to FedRAMP-certified options.
Verify whether cloud hosting is appropriate before proceeding. Not every software or service is meant for the cloud. To assess suitability for a particular service, government health care entities can employ a detailed decision matrix. This tool includes a series of questions focused on the end users’ needs and requirements relative to security, network latency and other factors. By leveraging a decision matrix, the internal IT department can determine a business unit’s optimal cloud and security requirements.
Craft detailed SLAs. In a cloud environment, SLAs become extremely important because IT is offering a range of different services to multiple business groups, and one cloud configuration is not necessarily appropriate for every unit. To that end, SLAs must be clear and specific about services and issues such as responsibility for data storage and back up. To avoid misunderstandings, IT should incorporate the SLA into any existing contracts with business units.
Stay current to stay secure
Protecting every element of cloud services – including hardware, data and virtual layers as well as storage – is a dynamic and constantly evolving effort. Cybersecurity requires a delicate balance to ensure appropriate protection without hindering employees’ ability to perform their jobs. Building close relationships with others in the industry to stay abreast of the latest trends, developing best practices and integrating key business considerations are all vital to preventing data breaches and establishing and maintaining a strong security posture at any health care organization.
Mahesh Kalva is chief technologist for Health and Life Sciences at Lockheed Martin.
Andrew Underhill is chief technologist at Systems Made Simple, a Lockheed Martin company.