5 Cloud Security Best Practices for Healthcare Leaders

Jake Madders, co-founder and director of Hyve Managed Hosting

Based on last year’s research by PWC, the majority of health services organizations have already transitioned to the cloud or are in the process of doing so. The study claims that 81% of health services executives confirmed that they have adopted the cloud in most or all parts of their business to enhance patient care, clinical workflows, safety and more. However, with 79% of all reported data breaches during the first 10 months of 2020 targeting the healthcare sector and recent spotlights on infrastructure security following the Change Healthcare attack, IT leaders in healthcare need to stay ahead of the unique security challenges their industry faces. 

With increased scrutiny on healthcare and the cloud, it’s a good opportunity for those IT leaders to take another look at the five basic best practices for their infrastructure.

1. Understand your organization’s needs.

Healthcare IT is almost a technological sector in itself. That means cloud deployments need to be built with specific considerations in mind, including the number of employees, the amount of data stored, and, most importantly, what regulations they must comply with. Operating in one of the most highly regulated environments, healthcare IT must prioritize patient data protection and adhere to industry regulations, such as HIPAA, HITRUST, or ISO 27001. 

2. Proactive planning.

Effective planning is the key to any secure and robust cloud infrastructure. In the healthcare sector organizations have the added responsibility of protecting sensitive data while complying with regulatory requirements. This means that organizations need to consider factors such as regulations, track records and available backup plans when selecting a cloud provider.

As a last safeguard, healthcare providers need to set up a robust data backup and recovery plan in place. Backup and recovery are planning for the worst-case scenario while protecting highly sensitive data. This plan also requires regular onsite and offsite data backups and frequent testing of recovery procedures to be prepared in the event of an outage or data loss.

3. Cloud diversification. 

Diversifying cloud infrastructure can further strengthen an organization’s resilience to cyber threats. Cloud diversification, or in other words, cloud distribution, can take different forms depending on a company’s needs, but a common method is a hybrid or multi-cloud solution.

A hybrid cloud incorporates different forms of infrastructure, commonly including an on-premise or private cloud environment in tandem with a public cloud. Multi-cloud is an approach that consists of more than one cloud service, which can be made up of public or private clouds.

A hybrid or multi-cloud solution allows organizations to split workloads and run backups across different environments, reducing the impact that one disaster or incident with a provider has on the infrastructure. Finding a provider who has data centers in multiple locations is also important. This way, a natural disaster or accident in one location doesn’t cause a widespread outage – a scenario that could be disastrous for patients and clinicians alike. 

4. Evaluating risk.

Evaluating risk is key to disaster prevention planning and disaster recovery. 

Assessing risk includes:

  • Creating an inventory of assets—Regular inventory of patient records and other sensitive information that has been stored. 
  • Assessing entry points for potential data breaches within the organization – When going through the inventory of an organization’s assets, it’s crucial to estimate potential damages that could arise from compromised assets. IoMT devices on the network could provide entry points for hackers to compromise the network.
  • Analyzing what situations pose a threat—Threats come in many forms, such as natural disasters, insider threats like data tampering and power failures, or malicious attacks such as DDoS attacks. HIPAA’s contingency planning guidelines can help to prepare for potential risks.
  • Looking for possible vulnerabilities – Identifying potential vulnerabilities gives a good idea of how exposed the organization is. For example, old medical equipment and network systems that may contain vulnerabilities, or even untrained staff who could inadvertently compromise your systems.

5. Updates and maintenance.

A run-down house is easier to break into, and the same goes for poorly maintained and secured IT infrastructure. Just as it is important to continually prepare for disaster, it is equally important to conduct regular maintenance on infrastructure and applications. This includes software and tool updates and timely patching.

Mistakes and disasters happen, but making sure your healthcare organization is as prepared as possible is important in today’s ever-moving technological landscape. Incorporating sustainable, robust, and secure IT infrastructure allows healthcare organizations to ensure the safety of their patients AND their records. 


About Jake Madders

Jake Madders, co-founder and director of Hyve Managed Hosting, plays a pivotal role in the growth of the managed cloud service provider, overseeing all aspects of the businesses, from strategic planning to recruitment. Jake boasts 27 years of experience in IT, previously working for Microsoft, before founding Hyve.