No Head in the Clouds! How Health Providers Can Avert Cloud Security Breaches

Editor’s note: In the article, Dmitry explores the elements of healthcare data security and points out the safest cloud and SIEM system deployment models for healthcare organizations. Read on to get some useful tips on ensuring healthcare data security! And if you doubt your existing cloud deployment is secure enough, check our vulnerability assessment services.

Healthcare industry is ahead of the curve in cloud migration. HIMSS Analytics Cloud Survey reports that more than 84% of the US healthcare organizations have already taken the advantage of cloud services.

The top three reasons for cloud adoption include performance and reliability, ease of access and management, and the total cost of ownership (TCO). However, migration to the cloud is not all roses. A major factor that slows down the process is the growing number of cloud security breaches.

According to the 2016 IBM study, the annual cost of breaches in the U.S. healthcare amounts to $6.2 billion. The average cost of a single healthcare data breach is $4 million and counting. Using IBM Security cost of data breach calculator we can find out the annual cost of data breaches for global healthcare organizations which migrated to clouds. The number is striking – $10 million. In the US the cost amounts to $12 million. Small wonder, that today healthcare cyber-security experts put more and more focus on averting cloud data breaches.

Data security by deployment models

Data is secure when it is under authorized users’ control only. The degree of this control over data depends on the model of cloud deployment, which can be public, private and hybrid.

• A public cloud is the one hosted by a cloud service provider who rents out data center resources to customers (tenants).
• In case of a private cloud deployment (either on-premises or externally hosted), data center resources belong to the customer. Besides, it can be extended to affiliated organizations to form a community cloud, which will connect collaborating healthcare providers.
• Hybrid cloud deployment, in its turn, is a combo of the models mentioned above.

It’s evident that private clouds provide customers with the highest degree of control over their information resources. Therefore, critical data, such as EHR (electronic health records) and PHI (protected health information), is stored in private clouds. In case of on-premises cloud deployment, a cloud service provider has no access to the customer’s environment, which enhances the overall data security. Yet, the cost of this option may become a major stumbling block, as healthcare organizations have to invest considerable sums of money into infrastructure (virtualized on-premises data center). Cost-wise, the optimal deployment model is an externally hosted private cloud, where the service provider facilitates an exclusive and fully private cloud environment.

Cloud service provider of choice: what to look for

In the case of sensitive healthcare data, it’s crucial to choose a cloud service provider who implements best practices of Health Insurance Portability and Accountability Act (HIPAA). Other points to pay attention to include:

• Business Associate Agreement (BAA)

Cloud service providers must sign a BAA that protects PHI in compliance with HIPAA guidelines and defines responsibilities for each party.

• Disaster recovery

Cloud service providers must have a detailed plan to address both natural and human-induced disasters. Ideally, there should be multiple data centers, geographically remote from each other, which will provide solid security protection from ransomware attacks.

• Customer support services

Cloud service providers should ensure a 24/7 technical support even on holidays.

• Opportunity for scaling up

The volume of patients’ data grows exponentially, so you have to make sure that your cloud service provider possesses additional storage capacity.

Yet, neither on-premises nor externally hosted private clouds are 100% cyber secure, as they still face the threat of internal and external data thefts, just as all on-premises networks do. Therefore, information security specialists should put proper safeguards, namely encryption methods and Security information and event management (SIEM).

On data encryption

According to HIPAA, data encryption is a highly recommended procedure to reduce insider attacks, exfiltration through malware and other security threats healthcare data faces both on premises and on a cloud environment. It’s also an effective technique employed for APT protection.

Encryption won’t protect your cloud from breaches, but if hackers get access to your sensitive data, they won’t be able make any use of it. The technique comprises two levels: full disk encryption (FDE) and role-based encryption (RBE). The former involves encrypting the entire disc of a particular server. It is considered to be irrelevant for cloud environment, as it protects the data only when the server is in “off” state. In case of RBE, healthcare data is encrypted before it’s written to the disk and ensures data encryption on operating servers.

Having encrypted the data, its owner grants authenticated access to encryption keys only to the users with appropriate roles specified by the access control policy. Thus, the cloud provider has no access to the stored healthcare data unless given an appropriate role.

More details on role based encryption

RBE falls into three primary forms: application-level, database-level and file-level encryption.

• Application-level encryption

At this level, data encryption is implemented within the application itself. Data encryption at the application level ensures that the data is secured before it is transmitted and stored in the database. Although effective, this approach requires additional development efforts, as it has to be integrated with the application.

• Database-level encryption

This RBE form presupposes the encryption of even smaller healthcare data chunks: individual database records or fields within the record. This information can be decrypted individually after a proper authorization is granted.

File and database level encryption levels are mostly used for securing sensitive healthcare information stored in databases. The data is encrypted all the time, except when being used, which ensures better security protection.

• File-level encryption

With this approach, cryptographic file systems (for example, CryFS or EncFS) are installed on the cloud servers. These systems encrypt or decrypt individual files and directories. A user can get access to a particular file, while other files remain encrypted. This form of encryption requires neither code changes within the application nor the process of granting users access to all files.

Regardless of the data encryption method, healthcare providers who have sensitive data stored in the cloud should control the encryption keys to ensure minimal access to the data.

On SIEM systems

SIEM system models overview

Log source data analysis and management provide another layer of healthcare data security in the cloud, implemented within a SIEM solution. There are two models of SIEM system use for cloud data security:

• On-premises

Choosing this model, healthcare organizations take full responsibility for SIEM solution deployment, configuration and maintenance within their on-premises data center. Logs and flows from the cloud are fed to the on-premises SIEM solution for local event and flow analysis through an established VPN connection.

• Cloud-based

This model has two variants. The first is SIEM system deployment in the same cloud where the healthcare data is kept. As in the case of the on-premises model, servers communicate with a SIEM solution via a VPN channel. One SIEM unit operates data from one customer. In the other case, a SIEM system runs in another cloud and servers for multiple customers (such an approach is referred to as SIEM-as-a-service). Security analysts working for a particular healthcare organization get access only to the chunk of information processed by the SIEM unit.

On-premises vs cloud-based

In terms of security, on-premises SIEM deployment is the best model. In this case, SIEM-related data is kept within the organization’s VPN infrastructure, which ensures better control. To guarantee a smooth connection between cloud servers and the on-premises SIEM solution, it’s advisable to establish a backup channel from another provider. Yet, this model has a major downside – the cost of SIEM system deployment and management.

The two variants of a cloud-based model are substantially cheaper, but they involve delegation of control over SIEM-related data. A SIEM-as-a-service variant is the cheapest, as the infrastructure and maintenance of a SIEM solution is organized by a service provider in this case. Yet, this advantage fades against the background of insufficient security protection of sensitive data in the cloud. SIEM-as-a-service providers can’t configure individual correlation rule sets for different customers. This one-size-fits-all rule policy is insufficient to cover all the threat cases of each client.

SIEM system value

A SIEM system offers a real-time notification on who is accessing information, what kind of information it is, and when it happens, based on event logs. The system not only collects logs from different sources but also correlates events and flows (that is, discovers and applies logical connections among disparate individual raw events and flows based on correlation rules).

It’s critical to have all the vital log sources connected, so that your system could get control over the entire cloud environment. Unauthorized access attempts, intentions to send malicious data, SQL injections, cross-site scripting (XSS), brute-force attacks – these are only some of security threats that can be detected by a proper adjustment of log source connection to a SIEM and fine-tuned correlation rules. Find the checklist of vital log sources in our recent article.

To provide a comprehensive monitoring of your cloud network, it’s advisable to resort to cybersecurity services. Experienced security consultants will define the scope of log sources that should be connected to your SIEM solution to suit your cloud network environment and configure correlation rules.

Multilayered defense

Apparently, there are so many things to consider before moving healthcare data to a cloud environment. If used separately, choosing the private cloud deployment model, adequate data encryption, or the use of SIEM system are not sufficient to protect from data breach. Only multilayered defense will ensure safe data storage in the cloud environment.