Physicians and healthcare provider organizations have a
limited window of time in which to qualify for the HITECH Act
incentive program, which pays large incentives for
implementing electronic health records (EHR) within a short
period of time.
Trend Micro
Dave Asprey
VP Cloud Security
Given that in the US alone there are between 300 and 400 EHR vendors, EHR projects can already
take a long time just to evaluate and complete. This combination of complex security and privacy
requirements and a short timeframe in which to implement an EHR project creates an ideal opportunity to
use cloud computing.
If cloud computing can meet the healthcare industry’s security and privacy requirements, it
becomes the silver bullet that allows physicians and healthcare provider organizations to meet
the timeline imposed by the HITECH Act. It also represents the opportunity to significantly cut IT
costs associated with EHR projects.
For many healthcare provider organizations taking their first tentative steps into the brave new
world of cloud computing, the $64,000 question is: “Is the cloud secure enough for regulated
data?” While IT analyst firm Gartner Group advocates that cloud computing should be the
number one priority for CIOs in 2011, the analysts also recognize that security and privacy are
critical concerns for those considering adoption of cloud-based technologies. These concerns
outweigh the sum of other factors such as performance, compliance and immaturity and must
be addressed head on if cloud computing is to gain genuine traction in physician and healthcare
provider organization environments, not to mention meeting HITECH deadlines.
Introduction
Navigating the current cloud computing landscape can be tricky, which is why you need to do your
homework before deciding whether to take the plunge in order to meet the HITECH deadlines.
Outsourcing some or all of your computing to the cloud is not a decision to be taken lightly. It
requires a serious amount of due diligence, planning and forethought to ascertain both what
model of cloud computing is best for your organization’s needs – Software-as-a-Service (SaaS),
Platform-as-a-Service (PaaS) or Infrastructure-as-a-Service (IaaS) – and which EHR provider will
offer the right level of security assurances.
The differences between Software-as-a-Service and Infrastructure-as-a-Service are significant, so
an organization must first assess the relative merits of both models in order to determine whether
either is likely to provide better or worse security than it can currently manage in-house.
SaaS and IaaS – A Definition
In the Software-as-a-Service model, all the computing heavy-lifting is done by the cloud
software provider, which usually then provides access to the applications to the end customer in
a pay-per-use model. What this means from an infrastructure standpoint is that the end user has
virtually no responsibility for the running or securing of that application – almost everything is
done by the SaaS provider which hosts and secures in their own datacenter before delivering via
the internet to the customer. However, if the endpoints (PCs, tablets, or mobile devices) are not
secured, the EHR information stored by the SaaS provider could easily be compromised.
Whether it’s Salesforce.com or Google Apps, the visibility and control afforded to the IT
manager is usually minimal. The advantage of SaaS offerings for EHR is that the implementation
time of a project can be shorter, depending on how long it takes to import existing records from
existing systems, but SaaS providers have far fewer customization options than traditional
software or Infrastructure-as-a-Service, described below. From a security perspective, you will
need to verify that the SaaS provider meets all of the security standards your organization is
required to follow.
Infrastructure-as-a-Service (IaaS), as the name suggests, is a very different type of cloud
computing from SaaS in that it allows the customer to rent virtualized servers, storage and
networking capabilities on a pay-per-use basis from the service provider. The customer has
more visibility and control over their outsourced computing environment and greater flexibility
over which applications and operating systems they run on top of it. However, typically there is
more responsibility on their part to secure this infrastructure, as the IaaS provider’s own security
provisions can be basic. The advantage of Infrastructure-as-a-Service for EHR is that you retain
nearly all control and visibility from a security perspective, and you can run almost any EHR software
you like, including custom software you have developed.
How good is SaaS security for EHR?
If an organization goes down the SaaS path for EHR, there will be very little application security
to actually take care of, provided the EHR SaaS vendor's offering is compliant. In practice the CISO's
responsibilities shrink to the edges of the service: protecting the usernames, passwords and browser
sessions of staff with appropriate endpoint security controls, and verifying that the vendor actually
maintains the controls it claims. Application security is handled by the SaaS
provider, so it is somewhat reassuring that most big-name providers apply substantial resources to
security. However, as previously mentioned, you will have less access to traditional IT controls with
a SaaS vendor. It is also very difficult or impossible to apply your own encryption on top of a SaaS
offering, because the provider's application must read the data in the clear to index, search and
display it. SaaS vendors will often tell their customers that data is encrypted, which is technically
true because either the database or the storage of the SaaS provider is encrypted at rest. However,
that encryption is performed with keys the provider holds, so it does not prevent the SaaS provider
(or anyone who compromises its administrative access) from viewing customer information, and it does
not normally use different keys for each of the SaaS provider's customers.
For the most part, reputable cloud providers are likely to be well resourced, security
accredited to a good standard (e.g. a SAS 70 audit or its SSAE 16 successor), and equipped with a
dedicated and highly trained security team which can protect their customers' applications and
underlying infrastructure better than many IT managers could themselves.
In other words, the SaaS vendor puts all of its eggs in one basket and protects that basket
extremely well via measures such as:
Strict operational security policies, covering everything from networks to change management and
datacenter security
Frequent staff security and awareness training
Dedicated physical security teams
Audits for compliance with key statutory and regulatory requirements including SOX, PCI
Strict authentication and authorization controls for administration
Malware scanning
Vulnerability management/remediation
Network security (firewall/ACL)
Hardened OS
Up-to-date patching of apps, OS
Visibility Issues
CISOs may find that the lack of visibility at an operational level into things like operating
system files and logs makes SaaS a poor choice for their organizations. In December 2010 a
Microsoft configuration error meant customers of the firm's hosted (SaaS model) BPOS suite
could access and download data belonging to other users of the service. If SaaS providers can't
show how they would guard against this kind of internal error, they risk losing potential
customers.
How good is IaaS security for EHR
For those who want more control over their outsourced IT environment and have the resources
to pay for it, IaaS is a more attractive option. It enables an IT manager to run any EHR
application they select on nearly any operating system. However, the other side of this double-
edged sword is that the IT organization itself will need to provide [and pay for] more in the way
of security controls. For organizations with existing IT departments already capable of providing
HIPAA level security controls, this is well within reach.
Many public cloud IaaS providers offer only minimal security and those that have enhanced their
services with improved security measures have done so in a piecemeal fashion so that there is
no uniform landscape in the IaaS industry. Some providers will offer little more than a bare,
open virtual machine for the customer, with the expectation that the customer will provide all
server and application security controls, while others may provide options such as a virtual
private network which enables customers to securely connect their cloud to on-premise
resources. For example, Amazon Web Services recently upped its own security capabilities by
adding the ability for customers to carry out network configuration between virtual machines in
the cloud as well as other basic security measures.
This means that IT managers must plan ahead when using Infrastructure-as-a-Service in an EHR
project. They need to carry out due diligence on any prospective IaaS vendor to ensure they
know where security is provided and where there are gaps which they will need to fill
themselves. On the positive side, those are typically very similar to the security requirements of
systems hosted in an internal data center. Organizations must also be prepared to implement
strong encryption on all of their data in the cloud, to protect patient records in case their
security controls fail to prevent a breach.
The Risks
Traditionally, the security risks of IaaS lie mainly around the shared public cloud infrastructure.
Users may share the same lowest common denominator firewall, the same network inside the
firewall, the same storage and the same physical server. This is not the case with all
environments, but without thorough security measures there could be a risk of attack via the
hypervisor.
Another risk was revealed recently when a pre-built machine image published for use on Amazon
Web Services was found to still contain the publisher's SSH key (an authorized_keys entry that lets
the holder of the matching private key log in), meaning the publisher could technically log in to
any instance running that image. Although pre-built images are a handy way of saving time and
speeding up start-up, this incident raised important questions about the security risks inherent
in running virtual machine images from third-party providers on top of Infrastructure-as-a-Service.
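The leftover-key problem above is easy to check for before you launch an image. The following Python script is an added example written for this point, not code from the original page or from any cloud provider: it walks an extracted image filesystem and flags files a publisher should have removed before sharing it, namely authorized_keys entries, private keys, baked-in SSH host keys (which would be identical on every instance booted from the image), shell history and cloud credential files. The image layout it scans is constructed inline for the demonstration, and the file list and pattern names are assumptions rather than any standard.

```python
"""Scan an unpacked machine image for credentials the publisher left behind."""
import os
import re
import tempfile

# Files that must never ship inside a shared image (paths relative to the image root).
# An authorized_keys entry lets whoever holds the matching private key log in to every
# instance booted from the image; baked-in host keys make every instance impersonable.
# Assumed check list for this example; extend it with whatever your own build writes.
LEFTOVER_PATTERNS = [
    (re.compile(r"^(root|home/[^/]+)/\.ssh/authorized_keys$"), "publisher SSH public key (remote login)"),
    (re.compile(r"^(root|home/[^/]+)/\.ssh/id_(rsa|dsa|ecdsa|ed25519)$"), "private SSH key"),
    (re.compile(r"^etc/ssh/ssh_host_[a-z0-9]+_key$"), "baked-in SSH host key (shared by all instances)"),
    (re.compile(r"^(root|home/[^/]+)/\.(bash_history|aws/credentials)$"), "shell history or cloud credentials"),
]


def scan_image_root(root):
    """Walk the extracted image and return sorted (relative path, reason) pairs for leftovers."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            for pattern, reason in LEFTOVER_PATTERNS:
                if pattern.match(rel):
                    findings.append((rel, reason))
                    break
    return sorted(findings)


def build_sample_image(root):
    """Write a constructed stand-in for an extracted third-party image (not a real image)."""
    layout = {
        "etc/ssh/sshd_config": "PasswordAuthentication no\n",
        "etc/ssh/ssh_host_rsa_key": "-----BEGIN PRIVATE KEY-----\n(constructed, not a real key)\n",
        "etc/ssh/ssh_host_rsa_key.pub": "ssh-rsa AAAA(constructed) root@build-host\n",
        "root/.ssh/authorized_keys": "ssh-rsa AAAA(constructed) publisher@build-host\n",
        "home/ehr/.ssh/authorized_keys": "ssh-rsa AAAA(constructed) publisher@build-host\n",
        "home/ehr/app/config.yml": "db: ehr\n",
    }
    for rel, content in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)


def scan_sample():
    """Build the constructed image in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_image(tmp)
        return scan_image_root(tmp)


if __name__ == "__main__":
    for rel, reason in scan_sample():
        print(f"{rel}: {reason}")
```

In practice you would point scan_image_root at a mounted snapshot of the image volume rather than the constructed tree, and treat any finding as grounds to rebuild the image yourself; public halves of host keys (the .pub files) are deliberately not flagged, since only the private key is the problem.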
Best Practice Tips
Bearing in mind that all IaaS vendors are not created equal when it comes to security,
organizations should consider the following best practice steps:
Patch and update OS/apps with most up-to-date versions
Purchase, deploy and configure host-based agents for every instance/VM separately (DLP, IDS/IPS,
firewall).
Encrypt everything – network traffic, block storage and shared storage and only allow decryption keys
to enter the cloud during decryption; don’t store in the cloud.
Lock down access to systems: require key-based authentication for shell access rather than passwords,
and don't rely on passwords for sudo access either.
Back up regularly outside the cloud
Keep particularly sensitive data in a separate database
Minimize the number of services per VM instance, with the goal of one per instance
Only open the ports you need
Restrict inbound rules by source address; only the web ports (HTTP/HTTPS) should be reachable globally
Ensure pre-built cloud images come from a reputable vendor and are cryptographically signed
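Several of the tips above (key-only SSH logins, only the ports you need, source-address restrictions with only the web ports reachable globally) can be checked mechanically before an instance is put into service. The following Python script is an added example, not code from the original page or from Trend Micro: it audits a constructed sshd_config against OpenSSH's documented defaults and a constructed list of security-group style inbound rules. The sample inputs, the directive list and the rule tuple format are assumptions made for the demonstration.

```python
"""Audit an instance's sshd_config and inbound firewall rules against the hardening tips."""
import ipaddress
import re

# Constructed sshd_config from a freshly built EHR application server (not a real host).
SAMPLE_SSHD_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
ChallengeResponseAuthentication no
"""

# Constructed inbound rules in security-group style: (protocol, port, source CIDR).
SAMPLE_INBOUND_RULES = [
    ("tcp", 443, "0.0.0.0/0"),      # public HTTPS front end: may be global
    ("tcp", 80, "0.0.0.0/0"),       # HTTP redirect to HTTPS: may be global
    ("tcp", 22, "0.0.0.0/0"),       # SSH from anywhere: violation
    ("tcp", 5432, "10.0.1.0/24"),   # database from the app subnet only: fine
    ("tcp", 5432, "0.0.0.0/0"),     # database from anywhere: violation
]

# Directive -> acceptable values (assumed policy for this example).
REQUIRED_SSHD = {
    "permitrootlogin": {"no", "prohibit-password"},
    "passwordauthentication": {"no"},
    "challengeresponseauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
}
# What sshd uses when a directive is absent, per the sshd_config manual.
OPENSSH_DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
}

# Only the public web ports may be reachable from the whole internet.
GLOBALLY_ALLOWED_PORTS = {("tcp", 80), ("tcp", 443)}


def parse_sshd_config(text):
    """Return the effective directive -> value map; sshd honours the first occurrence of a directive."""
    effective = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = re.match(r"(\S+)\s+(.+)", line)
        if match:
            effective.setdefault(match.group(1).lower(), match.group(2).strip().lower())
    return effective


def audit_sshd(text):
    """List directives whose effective value (explicit or default) violates the hardening tips."""
    effective = parse_sshd_config(text)
    problems = []
    for directive, allowed in REQUIRED_SSHD.items():
        value = effective.get(directive, OPENSSH_DEFAULTS[directive])
        if value not in allowed:
            problems.append(f"{directive}={value} (want one of {sorted(allowed)})")
    return problems


def audit_inbound_rules(rules):
    """Flag rules that expose anything except the web ports to every source address."""
    problems = []
    for proto, port, source in rules:
        network = ipaddress.ip_network(source, strict=False)
        open_to_world = network.prefixlen == 0
        if open_to_world and (proto, port) not in GLOBALLY_ALLOWED_PORTS:
            problems.append(f"{proto}/{port} open to {source}; restrict to known source addresses")
    return problems


if __name__ == "__main__":
    for problem in audit_sshd(SAMPLE_SSHD_CONFIG) + audit_inbound_rules(SAMPLE_INBOUND_RULES):
        print("FAIL:", problem)
```

Two details matter in a real deployment: an unset directive is not a pass, because PasswordAuthentication and ChallengeResponseAuthentication both default to yes, and a rule that is merely "broad" (a /8, say) still passes this check, so tighten the prefix-length test to whatever your network plan allows.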
Further Issues to Consider
Even having taken these precautions, CISOs should be aware that risks persist with both the
IaaS and SaaS models, but that the rapid deployment benefits offered by both outweigh the risks
if an EHR project is designed to account for them. There are still limits to how much visibility
the customer has into their cloud environment: the cloud provider's physical-access and
administrator-access logs will not be provided, and network traffic on shared equipment at the
cloud provider cannot be inspected, for example. Also, the lack of role-based account access in
certain IaaS packages may prove problematic for some organizations.
Conclusion
There are really three questions to ask yourself when considering cloud computing as a way to
quickly provide an EHR system. The first is whether cloud computing can be secure enough to meet
regulatory and business requirements for physicians and healthcare provider organizations. The
answer is yes, provided the controls described above are actually implemented and verified.
The next question is whether your IT organization is capable of securing HIPAA-regulated information
and applications in your own data center today. If the answer is yes, then Infrastructure-as-a-Service
is likely to offer the most secure cloud computing EHR solution at the lowest infrastructure cost. If
your organization has less advanced IT capabilities, you will want to rely on an outsourcer which uses
Infrastructure-as-a-Service to run your EHR applications for you, or use a SaaS-based EHR service.
The third question is whether existing EHR SaaS vendors offer the set of features you require. If
they do not, your only choice of cloud computing architecture is Infrastructure-as-a-Service.
In any case, it's important to recognize that encryption key management techniques from
internal data centers do not work well in the cloud, and that cloud EHR applications are only as
safe as the devices used to access them. For this reason, I highly recommend policy-based
encryption key management services like those offered by Trend Micro. At the same time, it's
more important than ever to secure endpoints, including mobile devices, with advanced
malware and antivirus protection, because having a secure EHR application in the cloud doesn't
mean very much if end-user machines are compromised before they access the cloud.