Healthcare in the Cloud: Ensuring SecuritySymantec's Rick Bryant on Raising the Bar
Healthcare entities are increasingly turning to the cloud, and regulators are increasingly focused on cloud service providers' security. Time to ensure those business associate agreements are in order, says Symantec's Rick Bryant.
"[The agreement] needs to clearly outline the shared responsibilities that both the covered entity and their selected cloud provider have for protecting and securing the patient care information," says Bryant, Symantec's national healthcare architect.
But, then, a business associate agreement is just a legal document, Bryant adds. It requires some extra due diligence on behalf of the healthcare organization.
"We should all know that trust is not a control," he says. "We want to make sure that within that business associate agreement ... we have true metrics that we can measure for the availability, performance and the security of that cloud solution."
In an interview about healthcare in the cloud and other security-related trends, Bryant discusses:
- Security challenges in the cloud migration;
- How to get a handle on mobility;
- Issues posed by social media.
Bryant is the National Healthcare Architect for Symantec Corporation. In this role, he leads initiatives within Symantec to serve the healthcare information technology industry through technology excellence and process solutions. He brings over 12 years of industry experience, with roles spanning from Infrastructure Management to Chief Information Security Officer, where he was responsible for architecting and implementing EMR systems. Prior to joining Symantec, Rick served as the Chief Information Security Officer at Texas Children's Hospital and Executive Manager of Infrastructure for M.D. Anderson Cancer Center in Houston, TX.
TOM FIELD: To get started, why don't you tell us a little bit about yourself and your own experience in healthcare, please?
RICK BRYANT: I've been in healthcare most of my professional career. I got a formal degree in management from the University of Texas. I recognized early on the benefit that technology could provide for business. I found that healthcare was uniquely suited to benefit from technology, both for the improvement of the patient care experience but also to improve quality outcomes and be able to manage what I consider the crown jewels of the industry - the protected healthcare information.
After college, I joined M.D. Anderson to manage their communications and computer services. After about six years there, I went over to Texas Children's, where I served in roles such as chief technology officer and chief information security officer. I had the opportunity to put in many technologies to be able to benefit healthcare, but also to play a vital role in the implementation of the first electronic medical record.
Cloud Migration in Healthcare
FIELD: You see a lot of movement now by healthcare organizations going to the cloud. What do you see is driving this migration?
BRYANT: The cloud became a big buzz word in the early to mid-2000s. At that point, it was touted for everything, to all answers technical and to be able to revolutionize the industry. But it wasn't really mature enough to meet most of the needs of business or healthcare. At the same time, the cloud was starting to stratify over the years into viable solutions to all industries, including healthcare. I built a model to typify this that many have seen and use as a reference to specify what a person means when they're talking about the cloud.
Starting at the data center, whether this is a hosted solution or whether or not this is a glass house built and managed within your organization, data centers provide the most control of your applications, performance and security. But they also have the highest level of cost and a significant amount of management for each and every patient care application.
The cloud started to stratify initially as infrastructure-as-a-service, and this offered roughly a 50-percent reduction in both the capital and operating cost, as well as a decrease in management responsibilities. However, that's when the industry first started to notice the loss of control over the systems, the patch levels and total and complete control over the access to their information.
We've seen it since develop into solutions such as platform-as-a-service, most notably the Azure cloud solution or the Amazon cloud solution. Platform-as-a-service offered substantial reductions in cost, roughly costing what I believe is between a tenth and a twelfth of what it would cost to host an application or a service and system in a traditional data center. It also extremely reduced the amount of management required to be able to keep the application up and running, and you can expand dynamically with capacity.
But it was at this point where organizations started being very concerned about the level of control because they no longer had the ability to be able to manage the patch levels on devices or security and access. Most of this was done through a portal or the responsibility of the cloud providers.
Finally, we saw it develop into a software-as-a-service, and this is where applications were purpose-built but had a high level of integration with the healthcare and provider applications. There was a true business connection between the application and the desired outcomes, as well as full integration with back-end systems.
As this started to deploy within the industries for the huge amount of cost savings involved, healthcare was very reluctant to adopt a cloud because of the reduction in control and because they're uniquely positioned with a higher level of risk. At that point in time, up until Sept. 23, 2013, the covered entities had all the responsibility and all the liability for protecting the PHI, regardless of what platform or what service they had that on.
This changed dramatically with the HIPAA Omnibus Rule that went into effect on Sept. 23, 2013, where one of the many provisions within that was to put liability on the business associates themselves. This provided a platform for healthcare to start sharing the responsibility of the security and privacy of the protected healthcare information, which I think is an important and very progressive step that's needed within healthcare. As we all know, security is everyone's responsibility. This opened healthcare up to take advantage of the extreme cost savings and flexibility that the cloud has to offer, but we're also seeing that the reduced revenues, the EMR requirements and the decrease in patient volume is driving many medium-to-small providers to either be acquired, affiliated or leverage the solutions that the clouds have to offer.
Cloud: Fundamental Security Concerns
FIELD: I want to come back to the notion of business associates in a minute, but let me stop here first. Based on the overview you've given us, what do you see as some of the fundamental security concerns that could hamper successful migration to the cloud?
BRYANT: The most important I believe is to have a revised business associate agreement. It needs to be clearly outlined the shared responsibilities that both the covered entity and their selected cloud provider have for protecting and securing the patient care information. All that being said, a BAA is just a legal document, and we should all know that trust is not a control. We want to make sure that within that business associate agreement and within that solution adoption, we have true metrics that we can measure for both the availability, performance and security of that cloud solution. Visibility in the cloud can be increasingly difficult, depending on the type of cloud service that you use and number of data centers. The potential locations of your critical information or your protected healthcare information could be in any of those data centers in any of those times, or at some point even in different countries. You want to make sure that you have visibility to where your critical data is at.
Then I recommend that organizations put in or utilize a DLP technology to not only provide that visibility, but to be able to report, control and prevent the loss of any PHI that could be put into that solution. With DLP technologies available today, you can specify which storage devices or which cloud providers are enabled to be able to receive certain types of files, especially personally identifiable information or your PHI information. Through the use of that, you can manage and control even outside of your organization's boundaries and within the cloud space.
I would also recommend that we need to have identity proofing for our users. This is especially important if the cloud solutions are being used and accessed by your patients as part of your patient engagement strategy. Make sure that the authentication method can truly identify that the users you're allowing into your cloud-based solution are authorized users by your system.
Finally, it's always a good idea to make sure that you have some sort of endpoint integrity, that users that are connecting into, say, a shared cloud storage solution are free of malware or anything that could affect the integrity of the information that they're accessing within the cloud.
FIELD: Let's come back to this notion of business associates. As you know, one of the things that healthcare entities need to do is take care of their own security, but they're also responsible for the security of their business associates - their vendors. How do you help them to ensure or approach the surety of their cloud service provider's security?
BRYANT: It's a very good point, especially with the expanded definition of what constitutes a business associate under HIPAA Omnibus. There are a lot more business associates out there than there were previously. Make sure that when they do the business associate agreements there's a clear definition of liability. But I also recommend that you put in a right-to-audit clause. Most of us don't have the resources to be able to audit all of our business associates, but it's important that you have the right to audit. And it doesn't necessarily have to be someone within your organization; it can be someone of your designation, like a trusted partner and a third party, maybe one of the big three auditing firms.
I also recommend that you define metrics and that you measure against those metrics; that you would measure the performance, security and reliability of your business associates and any cloud providers just as you would any other system or application within your own data centers; and that you meet on a regular basis because, as we all know, it's what we track that people are going to perform against. Making sure that you have good structure around that and the ability within your agreements to perform those are important for managing the solution overall.
Responding to Mobility, BYOD
FIELD: In addition to cloud, we see mobility on the rise in healthcare. In fact, you could say that BYOD really is being forced upon organizations by their own employees and staff. How must healthcare entities respond to this?
BRYANT: The consumerization of IT is affecting all industries, but it's especially affecting healthcare. My experience is that, regardless of an organization's position on mobility, it's being brought in and used by their employees and patients regardless. What I always recommend to organizations is that they develop an organizational strategy around mobility. It can't really be put in a situation where you hope it will go away. It's an important trend. All other services and solutions are being mobilized, and our society in general is getting much more in the position to where they want to self-service, and the best way for them to be able to do that is through mobile devices.
I see that a lot of healthcare organizations are offering e-mail to their employees [who are] bringing their own devices, and this is a first and critical step. It really helps improve the efficiency and drive the cost out of healthcare, and that's really what we want to do with the Affordable Care Act. We want healthcare to be more effective and efficient so that we can reduce the cost and be able to provide the needed healthcare for the oncoming generations and improve the system.
But what most organizations don't realize is that our findings are that 87 percent of intellectual property and PHI can be found within e-mail. It's important for organizations who have made this first step in the mobility to recognize that they have already put themselves into a position of greater risk just by being able to extend e-mail out to those users.
However, we see that progressive organizations are embracing mobility, not just for a device management strategy but also for enabling patient care applications. Some leading organizations are finding that this is really improving the patient care experience, whether it's doctors using tablets at the bedside instead of portable carts so that they can have the face-to-face interaction with their patient that they really want; or whether it's to improve the speed and efficiency of healthcare, such as a radiologist who can now do diagnostic reads on an iPad 2 with retina display because the quality is high enough, and it could get that read done as much as an hour or two early so they don't have to commute back into the hospital. That's exactly the type of flexibility that most industries have had for many years, and it is healthcare's opportunity to be able to leverage these technologies to not only improve the physician experience and the patient experience, but also to make the organizations much more efficient and nimble.
Securing Social Media
FIELD: Final question: Use of social media is on the rise with all organizations, but especially healthcare. What must healthcare entities do to ensure that they're secure, for one, but also compliant with regulations governing privacy?
BRYANT: Social media is a major emerging concern for all organizations, especially healthcare. I literally hear horror stories about social media almost every day, whether it's the inappropriate use of social media reporting activities within the organization or whether it's the loss of PHI through a multitude of social media challenges. New social media channels are literally opening up every day, and that adds to part of the complexity and challenge of being able to control how information about your organization, your organization's PHI and intellectual property can leak out through these new channels every day. They're popping up left and right, and to be able to get control and understand how they work and how both employees and patients can interact with them can be a real challenge.
My recommendation is that organizations have a good social media policy, along with good training and employee compliance against that policy so that everybody understands the limitations of use and the authorized use for social media within healthcare. Social media has a huge value, particularly in our personal lives. But every employee needs to understand that information within the healthcare arena can be both sensitive and protected by law. Having all your employees educated on that is a key first step. I also recommend continuing education on that.
I think it's also appropriate to implement web proxies to be able to control access to various social media sites. This will help you identify as new social media channels become available. It also gives your organization control as to how and if your employees can access social media within their work arena. Now, we all know they carry around mobile phones and that there are several different opportunities to access social media within our environment. Does your organization sanction the access to social media and control it?
Finally, there are data loss prevention technologies out there that can be integrated into your organization to not only monitor what goes out through social media, but to control and, if necessary, prevent the distribution of information through social media. I believe that social media is an inevitable evolution of our society. It's going to continue to grow and be used in various means, and it can be used very effectively. At the same time, it has to be embraced and managed by the organizations themselves.