In the cloud’s infancy, cloud hosting providers touted scalability, initial cost savings and speed. But the prospect of enhanced security in the cloud—indeed, that the better cloud deployments now mean that data is safer in the cloud than on a typical unsecured desktop—has altered the conversation. So let’s put this canard finally to rest: “the cloud poses security risks.”
Your data really is more secure in the cloud than parked on equipment under someone’s desk. Any cloud provider worth its salt brings to the task a phalanx of time-tested tools, procedures and technologies that ensure continuous uptime, regular backups, data redundancy, data encryption, anti-virus/anti-malware deployment, multiple firewalls, intrusion prevention and round-the-clock monitoring. And that’s just for openers.
Consider the healthcare industry, where, in IT terms, Anxiety #1 is security. The imperative is to ensure data integrity, maintain the sanctity of PII and respect the dictates of HIPAA: all place an extraordinary premium on security policies and procedures. In the cloud computing era, however, money doesn’t necessarily buy data security—or job security.
Larger hospitals and hospital groups aren’t lacking for resources. Most have invested heavily in IT infrastructures—but those sunk costs don’t typically make them more secure. For many, aging equipment hosting legacy software is the rule, not the exception. Hospitals tend to be highly insular, with IT fiefdoms protecting turf and, truth to tell, feeling increasingly threatened by the cloud. The cloud enables healthcare providers to reduce outlays for capital expenditures (no need to buy and depreciate hardware, rinse and repeat) and human capital alike (no reason not to reduce IT headcount).
It’s understandable that healthcare CIOs and IT executives slap a big question mark on cloud security. They’re defending their jobs. But security turns out to be the cloud’s ace in the hole.
Data breaches at on-premises healthcare facilities are endemic. In May, the ransomware worm WannaCry fueled a massive attack that paralyzed some 300,000 computers in 150 countries, disabling systems at public hospitals throughout the U.K. along with those connected to Telefonica, the Spanish telecom provider, among other victims. WannaCry wreaked havoc—but, tellingly, not at the big public cloud providers like Microsoft Azure, Amazon’s AWS, IBM and Rackspace. And not at smartly managed midsize public cloud providers, either.
In this turn of events is a counterintuitive lesson about what was indeed a major hack. The experience of public cloud providers should put to rest the notion that the cloud isn’t safe. WannaCry makes a compelling argument that the cloud is in fact the safest place to be in a cyber hurricane. Internal IT departments, fixated on their own in-house mixology, were affected big-time, raising the very legitimate question of why hospitals and healthcare providers with roll-your-own solutions devote precious resources—including, with WannaCry, Bitcoins—to those departments in the belief that the cloud is a snake pit.
Moving cloud computing into the “safe” column doesn’t end the discussion, of course. Vigilance isn’t only a mindset—it’s an active verb. Security is a function of both awareness and work—a process, not an event. In cybersecurity terms, everyone is vulnerable; there’s no such thing as a completely secure environment, but there are procedures that can make user organizations more secure over time.
Achieving some measure of security requires a specific attitude that healthcare organizations need to understand and then internalize. It doesn’t matter if a department is engaged in “routine” tasks—every organization is more and less secure over time, since the nature of data breaches and cyber attacks constantly evolves. The process of security means adjusting and learning accordingly. A casual approach ensures that an organization will become less secure.
Security isn’t like filling out a job application; it’s not a matter of checking boxes and moving on. The dynamic extends to asking questions—lots of them. Where are threats coming from? Is the hospital looking at its environment in a holistic manner? Is it conducting a quarterly analysis of what’s secure, what’s not, what could be more secure, and then implementing a framework for how to deal with it?
Piecemeal approaches to security never work. Patching a hole or fixing a bug, and moving on—that’s hardly the stuff of which effective security policies are made. Because security is a moving target, scattershot repairs ignore the hundreds or even thousands of points of vulnerability that a policy of ongoing monitoring can help mitigate.
What might that policy include? Consider these guidelines, for openers (and just for openers):
• Do not write down passwords on paper.
• Do not store passwords in plain text on a computer or server.
• Do not share passwords with anyone inside or outside the company.
• Do not leave a computer unattended while logged in.
• Do not save RDP credentials.
• Avoid logging on to a server from untrusted computers.
• Make sure anti-virus programs are up to date and run regular scans.
• Make sure the operating system and programs are updated on a regular schedule.
• Do not give users admin rights; use the built-in super-user account for system administration.
The cloud is a gift, not to IT, but to assertive, non-technical hospital administration outside the glass house. The cloud enables hospitals to modernize and increase efficiencies. Having fewer IT personnel may empower the healthcare organization to provide staff and services more directly applicable to patient care.
The cloud’s only job is delivering secure infrastructure 100 percent of the time—something immune from shrinking IT budgets.