Say outage to a retail company’s IT department and they’ll probably talk about lost revenue, salvaging a brand’s reputation and restoring consumer trust. Say breach to an e-Commerce IT department and you might hear talk about avoiding a PCI fine. But if you discuss either of those terms with healthcare IT staff, you’ll probably hear about a very different concern – saving lives.
Obviously disasters, outages and breaches are damaging for every organization. But healthcare cloud security goes beyond protecting sensitive personal information to ensuring the availability of critical medical data that can be the difference between life or death. Think of a consultant who suffers an accident or heart attack while traveling and becomes unresponsive. The accessibility of his medical history could help hospital staff save his life. While that may seem like an extreme example, an outage can have disastrous effects on all patient care. A lack of test results or allergy information, patient identity mix-ups or conflicting medications, can all have deadly consequences.
This means that while high performance is mandatory for all healthcare clouds, disaster preparedness is even more crucial. Meeting HIPAA compliance standards and FDA regulations are only one aspect of cloud security for healthcare providers. Critical systems must be kept running and available even in the event of a large-scale failure. And given that major brands like Amazon, Microsoft and Google have experienced outages this year, it’s obvious that every organization can benefit from making sure their business continuity and disaster recovery (BCDR) plans are up to snuff.
The good news: the cloud’s virtualized infrastructure can actually assist you in maintaining uptime and reliability. It’s just a matter of following three steps.
Assess Your Risk
Risk assessments are a mandatory part of protecting electronic health information, yet a 2012 Office of Civil Rights audit found many healthcare organizations and their vendors fail to perform them. If you’re not regularly conducting these evaluations, start by considering possible threats to your information systems. Don’t stop with intentionally malicious human attacks; also include natural disasters like floods or earthquakes or power outages.
After assessing the likelihood of an actual threat occurrence and the plausible impact it would have on your cloud environment, take any corrective actions necessary. Be thorough in your assessment, and analyze all security policies and architectural vulnerabilities relating to storage and backup, encryption use and data authentication and transmission. All of this can go a long way toward preventing a disruption in services.
Be a Detective
When it comes to breaches, it’s an ugly truth that many stay undetected for months, giving hackers ample opportunity to penetrate systems and collect data. It doesn’t help that cybercriminals are unpredictable, striking through a variety of methods like malware, stolen credentials, or misused privileges. For this reason, a strong detection system is critical to cut attacks off at the knees before they accelerate from bad to catastrophic.
The best way to do this: set up alerts for anomalies like brute force attempts, abnormal web application requests or suspicious increases in traffic. Proactive monitoring, scanning and remediation can build a stronger security wall, along with automatic security countermeasures that stop further attacks while engineers check into the alert. Third party security data on malicious domains, advanced persistent threats or similar concerns can also be helpful in shaping your security model. Another smart technique: collecting and trending data at a macro level so that your data patterns can highlight any breaches.
Protect Business Continuity
Maintaining uptime is the heart of any healthcare disaster prevention plan. Whether your organization suffers an external incident or an internal crisis, your cloud infrastructure must be configured to ensure continuity and keep healthcare data accessible while keeping other personal information like insurance or identification data private.
Assess your organizations tolerance for downtime (recovery time objective or RTO) and data loss (recovery point objective or RPO) and ensure that your BCDR plan is built to meet these requirements.
There are many ways to ensure against disaster ranging from bare bones data replication to a warm failover site to fully redundant, load balanced sites. You need to balance your RTO and RPO against the costs associated with the various options to find the optimal solution for your organization. For systems handling the most critical health care information, maximum failure resiliency is a must to keep the system and data available. This requires two or more geographically disbursed production environments, with as near to real-time data replication as can be achieved. DNS Traffic Management or Advanced Traffic management platforms can provide the necessary load balancing capabilities while preventing a failed environment from serving traffic.
A final word on disaster prevention: don’t forget to include any vendors who are working with protected health information in your plan. Just as you would check on their compliance efforts and cloud performance, make sure your vendor has created a BCDR plan that will keep your systems available and reliable. Preparation and foresight are at the core of all valuable disaster prevention strategies – and laying careful groundwork now will safeguard your cloud as well as your patients’ lives.
