Cloud Computing and Health Care Security

We need to centralize this information in a public private cloud to provide ease of access while still meeting strict regulation

"Cloud computing is one of the most heavily hyped, yet generally least understood trends in modern computing. Simply put, virtualization or cloud computing is the process of moving office information technology resources and data storage offsite and accessing them through a high-speed internet connection" (Varatharajan, Sathishkumar). Cloud computing security in health care is very important because storing information in a public private cloud is the most logical next step for businesses.

I will review the best-practice standards for public cloud security written by the Cloud Security Alliance, and I will discuss what the National Institute of Standards and Technology states in a document titled Guidelines on Security and Privacy in Public Cloud Computing. Cloud computing is the future of storing medical health records, and with all the strict regulations, guaranteeing the security of this information will be one of the most important jobs. We need to centralize this information in a public private cloud to provide ease of access while still meeting strict regulations, and to assure people not only that their information is safe but also that their personal health data will not be stolen or sold for a profit.

"Cloud computing promises enormous benefits for the healthcare world," Steve Aylward, Microsoft's U.S. general manager for health and life science states. "These could include improved patient care, better health for the overall populations providers serve and new delivery models that will make healthcare more efficient and effective. Cloud computing can help do all of this in a cost-effective way" (Versel, Neil). The benefits, I think, outweigh the risks and concerns about security. With time, testing, and adherence to best-practice standards, a health organization should feel safe and secure about its information in the cloud.

The Cloud Security Alliance published a list of best-practice advice for securing Software as a Service and Platform as a Service environments. Following this list will help strengthen the security of your public private cloud network. "First, at minimum, authenticate users with a username and password, along with stronger authentication options depending on the risk level of the services being offered. Second, Enterprise administration capabilities are required, especially the administration of privileged users for all supported authentication methods. Third, self-service password reset functions should be used first to validate identities. Fourth, agencies must define and enforce strong password policies. Fifth, consider federated authentication, which is a means of delegating authentication to the organization that uses the SaaS application. Sixth, user-centric authentication can allow users to sign in using existing credentials that need not be stored by the consuming site" (DePompa, Barbara). Most often, in the future, you will purchase your cloud space from a large provider such as Google or Amazon. The list provided by the Cloud Security Alliance is just a brief overview of standards for these cloud providers to follow, and for your health care business to verify that they follow, since these providers, rather than the customer's local site, will most likely be the target of attacks.

There are many risks and concerns about the security of the information stored in these private and public clouds. These clouds are a great target for hackers because of the amount of personal information stored in health records. There has always been a confidentiality clause between you and your doctor, so it would be worse if a criminal used this information for a profit. "There are more risks and concerns that malicious users will target these large Infrastructure as a Service farms and use them for password and key cracking, DDoS, launching dynamic attack points, hosting malicious data, botnet command and control, building rainbow tables, and CAPTCHA solving farms. Some security issues are Insecure Interfaces and APIs. This kind of situation clearly creates an attractive opportunity for an adversary ranging from the hobbyist hacker, to organized crime, to corporate espionage, or even nation-state sponsored intrusion. The level of access granted could enable such an adversary to harvest confidential data or gain complete control over the cloud services with little or no risk of detection.

Shared Technology Issues are one example of this: when using a shared cloud provider, a guest using a high amount of CPU and GPU can impact the level of performance for anyone else using the same service. A malicious user could run a program that demands a high load and at the same time deny performance to the other applications. There is also data loss or leakage; the deletion or alteration of records without a backup of the original content is an obvious example. But there are many more different ways data could be compromised. Account or Service Hijacking and other attack methods such as phishing, fraud, and exploitation of software vulnerabilities still achieve results. Credentials and passwords are often reused, which amplifies the impact of such attacks" (*Cloud Security Alliance).

The National Institute of Standards and Technology points out potential areas of improvement where organizations may derive security benefits from transitioning to a public cloud computing environment. These are some of the reasons why choosing a public cloud can also provide security benefits. "Staff Specialization is added to have an opportunity for staff to specialize in security, privacy, and other areas of high interest and concern to the organization. Increases in the scale of computing induce specialization, which in turn allows security staff to shed other duties and concentrate exclusively on security issues. Through increased specialization, there is an opportunity for staff members to gain in-depth experience, take remedial actions, and make security improvements more readily than otherwise would be possible with a diverse set of duties. Platform Strength is an area where the structure of cloud computing platforms is typically more uniform than that of most traditional computing centers.

Greater uniformity and homogeneity facilitate platform hardening and enable better automation of security management activities like configuration control, vulnerability testing, security audits, and security patching of platform components. Information assurance and security response activities also profit from a uniform, homogeneous cloud infrastructure, as do system management activities, such as fault management, load balancing, and system maintenance. Many cloud providers meet standards for operational compliance and certification in areas of healthcare like HIPAA (Health Insurance Portability and Accountability Act). Resource Availability will help the scalability of cloud computing facilities to allow for greater availability. Redundancy and disaster recovery capabilities are built into cloud computing environments and on-demand resource capacity can be used for better resilience when facing increased service demands or distributed denial of service attacks, and for quicker recovery from serious incidents. When an incident occurs, an opportunity also exists to capture information more readily, with greater detail and less impact on production. In some cases, however, such resiliency can have a downside. For example, an unsuccessful distributed denial of service attack can quickly consume large amounts of resources to defend against and cause charges to soar, inflicting serious financial damage to an organization.

The backup and recovery policies and procedures of a cloud service may be superior to those of the organization and, if copies are maintained in diverse geographic locations, may be more robust. Data maintained within a cloud can be more available, faster to restore, and more reliable in many circumstances than that maintained in a traditional data center. Under such conditions, cloud services could also serve as a means for offsite backup storage for an organization's data center, in lieu of more traditional tape-based offsite storage. However, network performance over the Internet and the amount of data involved are limiting factors that can affect restoration.

The architecture of a cloud solution extends to the client at the service endpoint, used to access hosted applications. Cloud clients can be browser-based or applications-based. Since the main computational resources needed are held by the cloud provider, clients are generally lightweight computationally and easily supported on laptops, notebooks, and netbooks, as well as embedded devices such as smart phones, tablets, and personal digital assistants. Data maintained and processed in the cloud can present less of a risk to an organization with a mobile workforce than having that data dispersed on portable computers or removable media out in the field, where theft and loss of devices routinely occur.

Many organizations have already made the transition to support access to organizational data from mobile devices to improve workflow management and gain other operational efficiencies. For example, electronic mail can be redirected to a cloud provider via mail exchange (MX) records, examined and analyzed collectively with similar transactions from other data centers to discover widespread spam, phishing, and malware campaigns, and to carry out remedial action more comprehensively than a single organization would be able to do. Researchers have also successfully demonstrated a system architecture for provisioning cloud-based antivirus services, as an alternative to host-based antivirus solutions" (*Jansen, Wayne and Grance, Timothy).

In conclusion, it is very important that we continue to expand on the best-practice standards for securing cloud information. There are many risks now, just as with any new technology, and we need to continue to research and test. Remember to ask your cloud provider questions and talk about the security standards they use to define their service. For now, we can follow the documents from the Cloud Security Alliance closely and use them to set standards to build upon. The National Institute of Standards and Technology paper points out potential areas of improvement where organizations may derive security benefits from transitioning to a public cloud computing environment. Overall, I see the health care community embracing this new technology and finding it secure and beneficial to all.


  1. *Cloud Security Alliance. "Top Threats to Cloud Computing V1.0" March 2010. 8 April 2011.
  2. DePompa, Barbara. "Cloud Security Concerns, Best Practices" Defense System 5 April 2011.
  3. *Jansen, Wayne and Grance, Timothy. "National Institute of Standards and Technology Guidelines on Security and Privacy in Public Cloud Computing" Jan. 2011. 8 April 2011.
  4. Varatharajan, Sathishkumar. "Cloud Computing: Best Practices" 23 March 2011. 12 April 2011.
  5. Versel, Neil. "Microsoft touts cloud computing in healthcare as providers wait for better security" 12 July 2010. 8 April 2011.

More Stories By Stephen Allen

Stephen Allen is a student at East Carolina University. East Carolina University is accredited by the Commission on Colleges of the Southern Association of Colleges and Schools to award baccalaureate, masters, and doctoral degrees.
