A view from the Center

>

Deloitte's Life Sciences & Health Care Blog

Before moving data to the cloud, health organizations should assess benefits and risks

A growing number of health care organizations expect to move their electronic health records (EHRs) to the cloud.1 Migrating EHRs and other data to the cloud could make it easier for these organizations to build and use next-generation solutions such as big data analytics, population health, digital health, and use of the internet of things (IoT) to keep pace with future trends.

While the enterprise challenges of a cloud migration are similar in every industry (e.g., determination of cloud suitability, visibility into threats and risk exposure, and understanding of responsibilities), the use of the cloud in health care is a little bit different. The critical use cases to which health organizations migrate their data and applications in the cloud—as well as the high standards for privacy and security—can put extra pressure on protecting the information during and after the migration to the cloud.

Potential threats include data theft, reputation damage, and erosion of patient and employee trust. The safeguards most health plans and providers have relied on until now—the guardrails of the Health Insurance Portability and Accountability Act (HIPAA) and business associate agreements (BAAs) with their cloud service providers (CSPs)—might not be enough to counter growing security threats. Existing laws combined with a number of new ones (inside and outside of the US) make compliance challenging.

A new understanding of risk is needed for the new IT environment

Today’s health care organizations store far more data about their patients than just vital signs. In addition to protected health information (PHI) and personally identifiable information (PII), health organizations must also safeguard consumers’ financial and credit information, intellectual property, operational details, and the closely-held data from research and development (R&D) efforts.

Given the wealth of valuable data health organizations store, it is no surprise that data thieves have these groups in their sites. There were 1,579 US data breach incidents in 2017—a 44.7 percent increase from the previous year, according to the Identity Theft Resource Center. Across all industries, each lost or stolen data record costs organizations an average of $141. Among health care organizations, however, the average per-breach cost is $380.2

When compared to other industries, it appears that many health care organizations have underinvested in the security needed to overcome these threats. According to Symantec and HIMSS, 14 percent of the 2019 federal civilian IT budget goes toward cybersecurity.3 By contrast, the vast majority of health providers (74 percent) allocate 6 percent or less to cybersecurity. That leaves many health care IT departments without the resources they need to protect ever-more-attractive assets.

A lifetime to build, a moment to destroy

While organizations can take steps to minimize the tangible damage of a data breach, the effects on brand perception, patient trust, and employee confidence might be more difficult to repair. Deloitte’s report, Beneath the surface of a cyberattack, examines the impact a data breach had on a major health plan. Along with damage to a company’s reputation, a cybersecurity incident can result in non-compliance with HIPAA or other security and privacy requirements, which can lead to significant fines and penalties. Case in point: In 2017, health care organizations paid $19.4 million in HIPAA penalties—up 83 percent from 2015, according to the US Department of Health and Human Services’ Office for Civil Rights.

Self-assessment could determine cloud suitability

As with many complex system challenges, adapting data risk management to a cloud environment starts with a thorough assessment. Understanding the sources of risk across multiple key areas, assessing the likelihood of risk, and weighing the potential impact should be part of any process that defines a health care organization’s relationship with a cloud service provider (CSP).

Many health care organizations already have relationships with CSPs. However, existing governance structures are often ill-suited for cloud-hosted data governance due to lack of formal asset discovery, understanding of flows, and visibility into data during storage and transmission. From this example, health plans should conduct a thorough gap assessment to determine what existing governance models require enhancement prior to moving data to the cloud.

Several assessment frameworks and standards have been published to help organizations understand how to keep data secure if it is moved the cloud. These frameworks have been produced by groups that include the National Institute of Standards and Technology (NIST), Cloud Security Alliance (CSA), International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC), and the European Union Agency for Network and Information Security (ENISA). The next step is to make sure whatever framework they choose meets the organization’s needs.

Effective risk assessment typically includes many steps, some of which might include:

  • Collating IT and data inventory. Identify cloud-related assets within the IT portfolio, including all the organization’s data. Using IT and data inventory discovery tools and processes can help an organization understand how migration to the cloud will affect its IT systems.
  • Identifying potential vulnerabilities. Health care organizations should document potential weaknesses or flaws that could pose risks to confidentiality, integrity, or availability. These risks could stem from gaps or weaknesses in governance, identity and access management, network and infrastructure security, business continuity, disaster recovery, or other sources. The published risk frameworks can help organizations begin this discussion. CSPs typically perform their own risk assessments, and health care organizations should review them as part of any business agreement.
  • Identifying existing controls. Identify threat sources that could exploit vulnerabilities and any existing controls in various cyber risk domain areas, such as data management and protection, threat and vulnerability management, and identity and access management. Modify controls based on the specific circumstances of the cloud provider once vulnerabilities are identified. The CSP may have different controls that might partially or fully mitigate some of these risks.
  • Qualifying the likelihood of risk and the potential impact. Prioritize risks and chart a cyber-risk-mitigation roadmap in the cloud. Organizations should understand the likelihood of a threat, its potential impact, and how well existing controls could help address it. Measure the impact for each vested internal and external entity. A solid understanding of risk and existing mitigation controls can help assess gaps, identify key controls, and develop roadmap to securing data in the cloud.

As health care organizations evaluate security threats to the adoption of cloud services, they should also examine all of the potential responses, such as avoidance, mitigation, sharing, and acceptance. For each risk, health organizations should ask questions such as “How might this affect the organization?” and “What will it cost to invest in the associated response?”

This assessment can be easier said than done. IT organizational maturity, monitoring cost, and unclear risk-assessment returns on investment (ROIs) can cloud the picture, despite—or perhaps because of—the abundance of data. But when organizations assess and classify the data they are moving to the cloud, they can map that understanding against the security lifecycle (create, store, use, share, archive, destroy) and make more specific, informed decisions about a CSP and the controls built into the relationship.

Click here for our full report, Off your premises, but not off your plate. Managing data risk in the health care cloud


1 Healthcare IT News, January 17, 2017
2 The 2017 Data Breach Year-End Review, the Identity Theft Resource Center
3 The HIMSS Analytic Healthcare IT Security and Risk Management Study

Author bio

Jeffrey Winn is a seasoned information security and privacy professional with over 20 years of experience providing cyber risk and privacy services to large, multifaceted organizations and building industry-leading data protection and privacy programs. His experience includes Chief Information Security Officer (CISO) transformation programs, Payment Card Industry Data Security Standard (PCI-DSS) remediation, security program management, project management, information risk assessments, security strategy, data privacy, data protection, network security, enterprise risk management, incident response, and regulatory compliance initiatives.

Justin Rowe is a senior manager in the Cyber Risk Services practice within the Life Sciences and Health Care industry at Deloitte. Justin specializes in delivering Data Protection programs focused on Data Loss Prevention, Data Protection program business engagement, Cloud Cyber Risk Management, Cybersecurity program assessments, HIPAA security compliance, and related program development and product implementations.