What every health tech leader needs to know about cloud data and security

With the explosion of new data capture devices in healthcare and the rapid move to the cloud, we explore what healthcare technology leaders need to know about cloud data and security.

Health technology leaders must bring security into the conversation from the start of any initiative.

As most healthcare organizations continue to digitize their services and move more and more workloads to the cloud, any healthcare technology leader must prioritize cloud data and cloud security in this growing virtual environment.

Reduced administrative work leading to improved overall patient care, combined with the benefits of technologies such as the Internet of Things (IoT), which are changing the face of medicine and healthcare, demonstrate the importance of a digital-first approach.

However, as these digital transformation initiatives continue to expand an organization’s virtual ecosystem, it is imperative that cybersecurity and cloud data protection practices are prioritized and integrated into business strategy.

This is crucial, as nearly two-thirds of global healthcare organizations have experienced a cyberattack in their lifetime, with more than half in the past 12 months, according to research by Keeper Security.

Know your data

As part of the organization’s journey to the cloud, technology leaders must take responsibility and ownership for this journey, while building a comprehensive security framework from the start. In the scenario of a data breach, for example, someone needs to be accountable and lead the organization through its governance and compliance requirements.

Knowing where an organization’s data resides, who owns that data, and what type of data it is will make it easier to handle any security incident and any legal or compliance implications. It will also improve the organization’s ability to manage risk and refine its response over time.

Commenting on the importance of knowing your data, William Klusovsky, Global Cybersecurity Strategy, Governance, Risk & Compliance Officer Lead at Avanade, said, “Often, technology leaders will forget that asset management is not just about tracking hardware, it means knowing where your data is, where your data flows, and who owns that data.”

The challenge of having a holistic view of an organization’s data landscape is intensified by the problem of Shadow IT – the purchase of software and technology without IT’s knowledge. As new systems and applications are integrated by various departments, it is easy to lose track of them and the data they contain, without a solid systems acquisition process.

In healthcare in particular, the rapid introduction of IoT medical devices and all the new data they generate is an example of this. Every new device needs to be monitored and secured, because even a single vulnerable device – which is very easy to obtain – could be used as a gateway for a hacker to enter a healthcare provider’s network.

Find your data

Gaining visibility and securing the sensitive data held by healthcare organizations requires planning and understanding across the enterprise.

Explaining how Avanade helps healthcare customers build a strong security posture, Klusovsky said, “We offer services that start at the strategic or board level, moving down to the management of individual departments.

“It’s important to start at the top. We bring in executive-level experts to discuss building a comprehensive security strategy, then architects to review policies and processes within the organization, before defining the technology needed and how to enforce it. Once in place, our managed services provide ongoing risk management for effective security monitoring and response.”

Giving a specific example of how Avanade works with one of its customers, Klusovsky continued, “We are currently working with a healthcare customer on privacy and data protection around their artificial intelligence. We conduct impact assessments to identify client and client risks, document data flow, and recommend controls and processes to maintain data security and privacy. The goal is to give the client a plan to mitigate risk and align with GDPR.”

By partnering with customers in this way, instead of offering a service, there is little or no transfer of knowledge required, as it has been communicated and passed down to different levels of the business, from strategy to policy, process and technology implementation.

It’s a people problem

Knowing your data and gaining visibility into it is essential for an effective cloud security strategy. However, human error must also be taken into account when deciding how to protect an organization’s data: according to IBM’s Cost of a Data Breach 2020 report, the average cost of data breaches due to human error amounted to $3.33 million. The problem has only increased in the pandemic-induced remote work environment.

To counter this, industry leaders should invest in regular cybersecurity training, not only to avoid financial and reputational damage, but also to protect sensitive data.

“When calculating risk and developing budgets, companies often overlook training requirements or ‘reduce’ them to control costs. Organizations should view their staff as a risk like anything else and ‘do the math’ to invest in mitigation,” Klusovsky explained.

Developing a healthcare cloud security strategy

Protecting patients’ personal information should be a priority for any health technology leader. Here, Klusovsky provides four tips for developing an effective and holistic cloud security strategy:

1. Planning — Leaders need to assess their organization, understand their current security posture, and define what is achievable from the start. The plan must also “live” and be continually reassessed as the risk and compliance landscape changes.

2. Align security with business goals — security should be integrated into the development of the business strategy. The two must be aligned. Technology leaders must therefore consider business objectives before making purchasing or strategic security decisions.

3. A governance framework — despite the wide variety of regional regulations, healthcare organizations should develop a basic standard way of doing business, which should take into account all the things you need to do from a compliance and risk perspective. Having a governance framework in place, knowing where the risk lies, gives the organization the roadmap of what it needs to do to manage and continually improve things.

4. Qualified Resources — it is important to understand your skills and abilities. If you’re a healthcare organization that doesn’t have strong cloud skills, for example, partner with someone who does. This will help you get the job done right the first time, saving you time and money.

William Klusovsky is head of global cybersecurity strategy, governance, risk and compliance at Avanade.

The Evolution of Data Security in the Cloud: Zero Trust

Going forward, adopting a Zero Trust framework in an IT or security strategy is necessary.

The concept of Zero Trust, which assumes that businesses cannot trust anything, be it a user, device, or network, means that mechanisms must be built in to create that trust.

From a healthcare perspective, given the explosion of IoT medical devices and wearable technologies that are now active on a provider’s network, these devices are unreliable, and both the data they produce and the data in the cloud must be secured. Any IoT device, be it a smartwatch, an MRI machine or a thermostat, needs to be monitored, and security teams need to be able to detect malicious activity.

“Protecting IoT requires the ability to be able to monitor it, which is different from typical security monitoring. Tools like Azure Defender for IoT provide the capability and insights needed to get the job done,” explained Klusovsky.

“In a broader sense, moving to Zero Trust requires the same planning as a cloud migration strategy. Organizations need to look at their processes, infrastructure, data flows, and business operations and start charting a path to zero trust. This requires strong identity management and access controls using products like Azure Active Directory, among other things,” he continued.

The impact of Covid-19 has also created a new challenge for the security landscape. To mitigate disruption, organizations have had to embrace digital transformation faster than they ever have before. Klusovsky thinks this innovation should be viewed positively, but is concerned about how many organizations have carried it out in a secure way. Was security an afterthought?

“If you’re considering new innovations and want to move forward, a health technology leader needs to build security into their plan early on in the transformation journey,” he added.
