
Four ways we can deliver stronger healthcare cloud security


COMMENTARY: Protecting healthcare data in the cloud has become more vital than ever. As the attack surface area expands, adversaries have more opportunities to access sensitive health data.

The main challenges are implementing adequate initial safeguards, which are steps taken to protect data from unauthorized access or corruption, and ensuring data protection and availability for quick recovery when facing cyberattacks.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts.]

A July cybersecurity audit by the Department of Health and Human Services (HHS) underscores the importance of this issue. The findings of the HHS audit, originally conducted in June and July 2022, should serve as a wake-up call for immediate action to bolster cloud security measures and build cyber resilience across federal healthcare agencies and other organizations, such as hospitals.

According to the HHS audit report from earlier this year, the HHS Office of the Secretary (HHS OS) did not accurately identify and inventory all of its cloud systems in accordance with HHS security requirements. Also, although HHS OS implemented some security controls to protect its cloud systems, several important security controls were not effectively implemented in accordance with federal requirements and guidelines.

Without essential security measures in its cloud-based systems, unauthorized users could access sensitive health data, jeopardizing patient privacy and data integrity. Moreover, weak security controls heighten the risk of cyberattacks, potentially disrupting critical healthcare services and research. HHS and federal healthcare agencies must address these security vulnerabilities to ensure the continuity of public health and patient well-being.

With all these factors brought into question, healthcare agencies will have to do the following to improve cloud security:

  • Shift the organization’s thinking on data backup and recovery: Historically, cybersecurity has focused on keeping malicious actors out. Government and industry have prioritized perimeter defense alone as their primary security strategy, often neglecting recovery. Strategic IT plans rarely mention data backup and cyber recovery as a fundamental strategic protocol. Despite agencies continuing to use regular backups and restoration processes, the landscape has changed. Well-funded, state-sponsored threat actors aim to disrupt our organizations by targeting cloud-stored data. We need to shift our approach to address these evolving threats.
  • Implement a shared responsibility model to safeguard healthcare agencies: Many public and private sector organizations operate under the presumption that hyperscalers and cloud providers ensure their safety. However, it’s essential to understand that there’s a shared responsibility model in cloud and software-as-a-service (SaaS) applications. The cloud provider is responsible for perimeter security and ensuring application uptime. In contrast, cloud users are responsible for securing their data and managing access. Healthcare agency IT and cybersecurity teams must ensure that individuals accessing systems authenticate correctly and implement mechanisms to protect their data. Healthcare organizations that have yet to take proactive measures to safeguard their information in the cloud might need to be made aware of these responsibilities. Therefore, it’s essential to secure data, recover quickly, and restore services during downtime.
  • Embrace automation to achieve swift, consistent recovery task performance and reduce human error: Consider a scenario where a healthcare agency gets hit by malware, but fails to clean its entire system. This mistake can reintroduce harmful threats, compromising clean data. To prevent this, it’s vital to identify a clean recovery point from which to restore untainted data. A majority of the effort involved in responding to a security incident is focused on understanding the severity of the breach and then taking steps to restore affected systems using backups to minimize downtime and data loss.
  • Practice proactive data classification: Healthcare agencies can improve their security by classifying data based on sensitivity and implementing robust security measures like encryption, access controls, and continuous monitoring to protect the most critical data. This proactive approach ensures that sensitive data remains secure and the path to recovery is safer, faster and more transparent in the event of a breach.

In today’s digital age, compliance alone often falls short of ensuring resilience in the face of crises. Our healthcare system’s robustness gets tested and then proven during a cyberattack. Healthcare agencies must stay proactive, preparing for the worst by building agile response capabilities grounded in zero-trust principles.

When disaster strikes, coordination across the entire agency will become crucial. Agencies must improve collaboration and information sharing during cyber exercises, ensuring that their plans emphasize recovery, not just defense. Adopting an “assumed breached” zero-trust mentality can cultivate relentless innovation as agencies operate under the presumption that threats are always present.

By prioritizing data protection to safeguard sensitive information, we can ensure a resilient recovery strategy. Healthcare agencies can significantly enhance their resilience by thoroughly understanding their environment, automating recovery processes, and regularly practicing thorough drills. This preparedness not only secures their operations, but also the critical services they deliver to millions. It’s time to elevate our defensive posture and ensure our healthcare systems can bounce back rapidly and securely from any digital threat.

Evan Anderson, regional director, federal civilian, Rubrik
