Cloud data storage has become indispensable for efficiently storing sensitive patient data. However, with the convenience of the cloud comes the need for stringent security measures. This article explores the advancements in healthcare's digital transformation, delving into the challenges of safeguarding patient data. It also examines cybersecurity solutions that can effectively tackle these challenges.
Electronic records are increasingly susceptible to unauthorised access, and hospitals face difficulties managing large volumes of data, necessitating dedicated servers or data centres. As the cost of self-managed data centres is prohibitive, cloud storage is seen as a more economical solution. Storing data in the cloud allows universal access, enabling doctors to retrieve patient histories, diagnose conditions, and prescribe medications more efficiently. Despite these benefits, security concerns arise when entrusting medical records to third-party cloud servers.
Healthcare professionals often face recurring concerns regarding cloud data security. Issues faced include unauthorised access, data breaches, and compliance with industry regulations such as the Health Insurance Portability and Accountability Act (HIPAA).
Recently in New York, the Carthage Area Hospital and Claxton-Hepburn Medical Center announced they are taking legal action to recover patient data stolen by the LockBit ransomware gang. LockBit has a history of targeting hospitals globally, causing disruptions and delays in healthcare services. The stolen data is now stored on servers owned by Wasabi Technologies in Boston. Seeking a court order, the hospitals aim to compel Wasabi to return the data and require LockBit to destroy all copies. This incident highlights the ongoing threat posed by ransomware attacks targeting healthcare institutions.
Cybersecurity professionals play an important role in implementing best practices to strengthen the defences against potential threats. Ali Awad, IT Director at Clemenceau Medical Center Hospital Dubai, said CMC’s patient data resides in an on-premises data centre and the hospital has strict access controls to limit access to patient data only to authorised personnel.
“All our patient-related applications use role-based access control (RBAC) to ensure that each user has the necessary level of access based on their responsibilities. We have implemented multi-factor authentication using Microsoft 365 MFA and Cisco Duo to add an extra layer of security to user logins. This ensures that even if login credentials are compromised, an additional authentication step is required. We regularly review and update user permissions based on their roles. We have comprehensive audit trails to track and monitor access to patient data. We regularly review these logs to detect and investigate any unauthorised access or suspicious activities.”
He explained that regular training sessions are conducted as part of the onboarding process and afterwards to educate healthcare staff about the importance of patient data. “We keep employees informed about the latest security threats and how to recognise and respond to potential breaches. This is extremely important as a significant majority of cybersecurity incidents involve human factors.”
With regard to using secure communication channels when sharing patient data, Mr Awad said: “When we must use email, we make sure all patient-related data files are encrypted. We regularly back up patient data and store backups in a secure offsite location. This ensures data recovery in case of accidental deletion, system failures, or cyber-attacks. In addition, robust endpoint security measures protect devices that have access to patient data. This includes antivirus software and regular software updates. We also conduct regular security risk assessments to identify vulnerabilities and potential threats to patient data. We then use the findings to implement appropriate security measures and continuously improve the overall security posture.”
Understanding and addressing the concerns surrounding cloud storage is crucial, with cybersecurity professionals working diligently to establish protocols such as encryption, multi-factor authentication, and employee training to prevent potential breaches. The shared responsibility model sheds light on the division of responsibilities between service providers and organisations.
Healthcare providers are increasingly adopting a hybrid cloud strategy, blending public and private clouds with on-premises infrastructure for a smoother transition. While applications and IT functions easily migrate to the cloud, sensitive patient information remains on-premises for enhanced security. HIPAA permits cloud storage for protected health information (PHI) as long as specific privacy and security measures are in place. Using a HIPAA-compliant cloud storage service with encryption enables the secure storage of electronic PHI and supports applications processing health data.
Best practices that healthcare organisations can adopt to enhance cloud data security include employee training programmes, regular security audits, and staying informed of the latest security trends and threats. Healthcare organisations need a comprehensive strategy that integrates both technological solutions and organisational practices to keep patient data in cloud storage safe.
References available on request.