The healthcare industry has always been preoccupied with data security. Healthcare organisations have to store enormous amounts of sensitive data and are subject to stringent compliance regulations. They have little choice but to make security a top priority.
Understandably they have long been skeptical about new technologies that could put data at risk — including cloud technologies.
But times change and the healthcare industry is changing too. In January of 2018, an important announcement was made: The National Health Service (NHS), the largest healthcare provider in the UK, was allowed to expand its use of US-based cloud providers to store patient data.
According to the 2018 Netwrix Cloud Security In-Depth Report, 84% of healthcare organisations already store data in the cloud, but NHS is the first state healthcare organisation to see this officially extended.
>See also: Transforming healthcare with tech
Although the NHS’s decision was driven by commonly cited cloud benefits like better data security and reduced operating costs, the reality from the perspective of IT staff on the ground is less clear cut.
According to the Netwrix survey, only 19% of organisations said their security improved after cloud adoption. In fact, the majority of respondents either were not sure of the impact cloud adoption had on security, or felt that the move had actually reduced their overall security posture.
Top cloud concerns in the healthcare industry
In 2017, malware infiltrations continued to grow, and ransomware was one of the most common attacks. According to reports organisations were hit by ransomware every 40 seconds. Healthcare providers were among the top targets for malware, with variants such as NotPetya, WannaCry and Locky.
The WannaCry attack on the NHS resulted in disruptions at 37% of trusts and the cancellation of thousands of appointments and operations. Although the NHS did not pay the ransom, it did incur multiple hidden costs in terms of cancelled appointments, hiring of IT consultants, system downtime as well as a lot of unwelcome publicity. Our study reflects this with 61% of healthcare organisations worried about malware infiltrations.
The survey also found that healthcare was the only industry to rate data encryption as a top cloud security concern. Healthcare compliance standards often mandate data encryption.
An unfortunate side effect is that data encryption can double or triple a healthcare provider’s cloud bill. As a result, smaller healthcare organisations, especially private ones, tend to resist cloud migration, or at least avoid storing protected health information (PHI) in the cloud.
Healthcare organisations named employees as the top risk to cloud security, with more than 50% of respondents saying that the human factor plays the most important role. In spite of this only 21% of healthcare organisations have a complete understanding of what their IT staff members are doing in the cloud, and visibility into the activity of business users is even less common.
In fact, the overall visibility into internal actors is the lowest among all industries in the study. IT people recognise this mismatch, but most of them do not get the necessary management support to address it. Only half of respondents said that they get top management support to implement cloud security initiatives; the lowest among the industries surveyed.
Measures for improving cloud security
Less than a third of surveyed companies planned to add security solutions to improve their ability to mitigate risk in the cloud. Lacklustre support from senior executives leaves IT budgets stretched without the proper means to purchase additional security software or hire experienced cloud professionals.
Instead they are left having to make do with lower cost measures such as improvements in employee training and tightening security policies.
>See also: Healthcare will become digitised by 2030
On the surface these strategies might seem like a valid response to the high security risk associated with employees. However, poor visibility into user activity makes it impossible to measure success — most IT teams simply do not have any way to determine whether the improved training and stricter policies is making any difference. Moreover, if you have to rely on people to do the right thing it’s little better than keeping your fingers crossed.
There can be no substitute for a long-term security strategy.
Cloud security trends
The NHS cloud decision is almost certain to signal an increase in cloud technology activity, regardless of any security concerns or lukewarm support from senior management. Around 69% of surveyed organisations already have plans to move more data to the cloud.
For the moment, healthcare remains the conservative industry surveyed. Just 23% are planning broader cloud adoption. A similar proportion plans to be 100% cloud-based in the next five years. Only 19% are ready to try a cloud-first approach. Until cloud providers start to offer more advanced ways to solve data security and help with compliance audits most respondents will continue to be cautious about cloud adoption.
>See also: NHS GPs call for digitisation of healthcare
In summary, the NHS is the exception among healthcare providers when it comes to cloud adoption. Most private health services are waiting until conditions are right before storing protected health information in the cloud.
Right now, the price of a mistake is simply too high – particularly when most IT departments do not have full visibility into user activity.
A reduction in the cost of data encryption could encourage smaller healthcare services to turn to the cloud.
Cloud security services available today already exceed the modest capabilities of many small and medium companies, and provide protection that’s good enough to satisfy compliance auditors.
As cloud security matures more healthcare providers will switch on to cloud services. Cloud ability to making compliance easier will help them to focus more on serving their patients.
Sourced by Matt Middleton-Leal, GM EMEA, Netwrix Corporation.