Todd Bell, CISO & Executive Director, IT Compliance, Valleywise Health
Sometimes a little force isn’t a bad thing. Case in point? Cloud computing.
“Elective surgeries are down, and healthcare costs are going up from a labor perspective,” said Todd Bell, CISO at Valleywise Health. As a result, “we’re being forced into the cloud,” and not just for economic reasons. He believes cloud providers such as Google, AWS and Microsoft have proven to be effective at protecting data.
“The reality is that the cloud is better than our on-prem environments. They just do a better job,” he noted during a recent webinar, which also featured Sahan Fernando (CISO, Rady Children’s Hospital) and Chris Feeney (Healthcare Workflow Specialist, IGEL Technology). The problem is that many still aren’t convinced that cloud is the way to go.
“There’s a trust factor,” said Feeney. “When you switch to that environment, there are a lot of security concerns.” Whereas data centers are perceived as “well protected, robust and redundant,” the cloud is still a bit foggy to some. Another barrier is the fact that migrating is a “big shift,” particularly for organizations that have relied heavily on data centers for storage.
By embracing the cloud, however, health systems can improve flexibility and agility, and create a better user experience — as long as it’s approached and executed well, according to the panelists. During the discussion, they shared perspectives on the biggest barriers in “selling” cloud technology, and what to look for in a vendor partner.
Convincing the critics
As with so many initiatives, the idea of migrating to the cloud invokes anxiety because it requires change. “Our biggest competitor is the status quo,” said Feeney. “We hear people say, ‘Why would I want to change? We’ve always had firewalls.’” What they don’t see are the advantages it offers in terms of flexibility, cost savings, and availability.
Sahan Fernando, CISO, Rady Children’s Hospital
The latter of those three, according to Fernando, is part of the triad – confidentiality, integrity, and availability – which guides much of the decision-making for security leaders. “Availability is critical,” he noted. “We can outsource the risk and the cost of having high uptime for mission critical applications to a vendor that has the ability to scale.”
That added layer is becoming increasingly important as boundaries continue to expand and evolve, said Bell. “It’s not only trusting the device that’s connecting back to us, but the individual as well,” which means adjusting conditional access requirements to manage logins from outside of the state or country. “Our boundary now goes beyond the traditional firewall.”
Feeney concurred, noting that the ante has been upped for IT and security leaders to be able to manage devices securely from anywhere and control the user experience, which IGEL seeks to do by providing an endpoint operating system for cloud workspaces. “At the end of the day, it’s about the user experience. That should be the driving factor.”
For Bell, the ability to quickly spin up new services and capabilities is one of the key advantages. “I look at the cloud as a platform where we can take these applications and plug them into the environment to give us that agility,” he said. “The reality is that people want to manage their care. As leaders, we need to ask what we can do to make ourselves more mobile so that patients have better access to healthcare, and we can produce better outcomes. That’s why I’m a huge proponent of the cloud.”
Vendor partnerships
Once organizations have decided to go forward, the next step is choosing a vendor partner — a process that can be overwhelming, according to the panelists. To that end, they offered advice on what factors to consider, what questions to ask, and how to identify red flags.
When Rady Children’s is considering a vendor, Fernando’s team conducts a thorough risk assessment process. “We evaluate what controls they have, what processes they have, and how they’re structured.” Having a trusted partner that can take on “tasks that would be difficult or impractical for us to do on a regular basis” is critical.
However, although risk assessments are certainly important, it’s about more than just asking questions, he noted. “We need to be sure we’re taking the output and looking at it in a qualified lens. What are the hills to die on? Certain findings need to be scored higher than others.”
For Bell, who bears unfortunate battle scars from a past ransomware incident, one of those ‘hills’ is making sure no shortcuts are taken — such as vendors that co-mingle data from multiple customers. “If you’re in that situation and one client gets compromised, they all get compromised,” he said. “There are vendors that are amazing and are HITRUST-certified, and there are those who just built an app and are trying to make a quick buck. You need to vet all of your vendors to make sure they have cyber-hygiene in place.”
It’s also important to ensure vendors grasp the implications of being in the healthcare market, noted Feeney. “They have to understand that this is a 24/7 environment. If they aren’t taking the time to make sure healthcare customers can succeed by using their solutions, that’s a red flag.”
“Advise and guide”
What it comes down to, according to Fernando, is determining the right path for the organization — based on level of comfort, resources, and strategic vision, and not on outside opinions. “What can we afford? What has the organization decided is acceptable downtime? And if you’re not in the cloud, how long does it take to restore backups? Can you actually restore all of your backups? (In the cloud) it’s easy to quickly scale and have a redundant hot/cold site,” he said, but what’s vital is to present the information to stakeholders and get an accurate read of where they stand.
Organizations need to get specific by asking themselves what is acceptable in terms of patient care limitations during a downtime, and “working backwards to determine what the organization can invest from a disaster recovery/business continuity standpoint, and how the cloud can enable these outcomes in a cost-effective way,” he added.
By framing it that way, CISOs and other leaders present it as a business decision, focusing more on risks and benefits and less on “the intricate nuances of different cloud providers and latency,” Fernando noted. “It’s our job to advise and guide the strategy and provide a roadmap. We need to make it clear that this is a decision that provides business value and reduces risk.”
“At the end of the day,” he concluded, “we’re business stakeholders.”