Welcome!

Government Cloud Authors: Liz McMillan, Yeshim Deniz, Elizabeth White, Pat Romanski, Dana Gardner

Related Topics: @CloudExpo, Microservices Expo, Cloud Security

@CloudExpo: Article

Cloud Computing and Health Care Security

We need to centralize this information in a public private cloud to provide ease of access while still meeting strict regulation

"Cloud computing is one of the most heavily hyped, yet generally least understood trends in modern computing. Simply put, virtualization or cloud computing is the process of moving office information technology resources and data storage offsite and accessing them through a high-speed internet connection" (Varatharajan, Sathishkumar). Cloud computing and health care security is very important because naturally this will be the most logical next step for business to store information and use a public private cloud.

I will review the standard of best practice for public cloud security written by the Cloud Security Alliance. I will discuss what the National Institute of Standards and Technology states in a document titled Guidelines on Security and Privacy in Public Cloud Computing. Cloud computing is the future of storing medical health records and with all the strict regulations guaranteeing security on this information will be one of the most important jobs. We need to centralize this information in a public private cloud to provide ease of access while still meeting strict regulations. To assure not only the people that your information is safe but the fact that you're personal health data will not be stolen or sold for a profit.

"Cloud computing promises enormous benefits for the healthcare world," Steve Aylward, Microsoft's U.S. general manager for health and life science states. "These could include improved patient care, better health for the overall population's providers serve and new delivery models that will make healthcare more efficient and effective. Cloud computing can help do all of this in a cost-effective way" (Versel, Neil). The benefits, I think, outweigh the risk and concerns about security. With time and testing and following best practice standard a Health organization should feel safe and secure about their information in the cloud.

The Cloud Security Alliance published a list of best practices advice for securing Software as a Service and Platform as a Service environment. By following this list it will help strengthen the security of your public private cloud network. "First, at minimum, authenticate users with a username and password, along with stronger authentication options depending on the risk level of the services being offered. Second, Enterprise administration capabilities are required, especially the administration of privileged users for all supported authentication methods. Third, self-service password reset functions should be used first to validate identities. Fourth, agencies must define and enforce strong password policies. Fifth, consider federated authentication, which is a means of delegating authentication to the organization that uses the SaaS application. Sixth, user-centric authentication can allow users to sign in using existing credentials that need not be stored by the consuming site" (DePompa, Barbara). Most often you will purchase your cloud space from a large provider like Google and Amazon in the future. The list provided by the Cloud Security Alliance is just a brief overview of standards for these cloud providers to follow and for your Healthcare business to make sure they follow. Since these will most likely be the target of attacks instead of the customers local site.

There are many risks and concerns about the security of the information stored in these private and public clouds. This is a great target for hackers because of the amount of personal information stored in health records. There has always been a confidently clause between you and your doctor so it would be worst if a criminal used this information for a profit. "There are more risk and concerns that malicious users will target these large Infrastructure as a Service farms and use the for password and key cracking, DDOS, launching dynamic attack points, hosting malicious data, botnet command and control, building rainbow tables, and CAPTCHA solving farms. Some security issues are Insecure Interfaces and APIs. This kind of situation clearly creates an attractive opportunity for an adversary ranging from the hobbyist hacker, to organized crime, to corporate espionage, or even nation-state sponsored intrusion. The level of access granted could enable such an adversary to harvest confidential data or gain complete control over the cloud services with little or no risk of detection.

The Shared Technology Issues is one example of this using a shared cloud provider and the guest is using a high amount of CPU and GPU and therefore impact the level of performance for anyone else using the same service. A malicious user could run a program that demands a high load and at the same time deny performance to the other applications. There is also data loss or leakage which could be from the deletion or alteration of records without a backup of the original content is an obvious example. But there are many more different ways data could be compromised. Account or Service Hijacking and other attack methods such as phishing, fraud, and exploitation of software vulnerabilities still achieve results. Credentials and passwords are often reused, which amplifies the impact of such attacks" (*Cloud Security Alliance).

National Institute of Standards and Technology points out potential areas of improvement where organizations may derive security benefits from transitioning to a public cloud computing environment include the following. These are some reason why choosing a Public cloud can at the same time provide security benefits. "Staff Specialization is added to have an opportunity for staff to specialize in security, privacy, and other areas of high interest and concern to the organization. Increases in the scale of computing induce specialization, which in turn allows security staff to shed other duties and concentrate exclusively on security issues. Through increased specialization, there is an opportunity for staff members gain in-depth experience, take remedial actions, and make security improvements more readily than otherwise would be possible with a diverse set of duties. Platform Strength is an area where the structure of cloud computing platforms is typically more uniform than that of most traditional computing centers.

Greater uniformity and homogeneity facilitate platform hardening and enable better automation of security management activities like configuration control, vulnerability testing, security audits, and security patching of platform components. Information assurance and security response activities also profit from a uniform, homogeneous cloud infrastructure, as do system management activities, such as fault management, load balancing, and system maintenance. Many cloud providers meet standards for operational compliance and certification in areas of healthcare like HIPPA ( Health Insurance Portability and Accountability Act). Resource Availability will help the scalability of cloud computing facilities to allow for greater availability. Redundancy and disaster recovery capabilities are built into cloud computing environments and on-demand resource capacity can be used for better resilience when facing increased service demands or distributed denial of service attacks, and for quicker recovery from serious incidents. When an incident occurs, an opportunity also exists to capture information more readily, with greater detail and less impact on production. In some cases, however, such resiliency can have a downside. For example, an unsuccessful distributed denial of service attack can quickly consume large amounts of resources to defend against and cause charges to soar, inflicting serious financial damage to an organization.

The backup and recovery policies and procedures of a cloud service may be superior to those of the organization and, if copies are maintained in diverse geographic locations, may be more robust. Data maintained within a cloud can be more available, faster to restore, and more reliable in many circumstances than that maintained in a traditional data center. Under such conditions, cloud services could also serve as a means for offsite backup storage for an organization¡¦s data center, in lieu of more traditional tape-based offsite storage. However, network performance over the Internet and the amount of data involved are limiting factors that can affect restoration.

The architecture of a cloud solution extends to the client at the service endpoint, used to access hosted applications. Cloud clients can be browser-based or applications-based. Since the main computational resources needed are held by the cloud provider, clients are generally lightweight computationally and easily supported on laptops, notebooks, and netbooks, as well as embedded devices such as smart phones, tablets, and personal digital assistants. Data maintained and processed in the cloud can present less of a risk to an organization with a mobile workforce than having that data dispersed on portable computers or removable media out in the field, where theft and loss of devices routinely occur.

Many organizations have already made the transition to support access to organizational data from mobile devices to improve workflow management and gain other operational efficiencies. For example, electronic mail can be redirected to a cloud provider via mail exchange (MX) records, examined and analyzed collectively with similar transactions from other data centers to discover widespread spam, phishing, and malware campaigns, and to carry out remedial action more comprehensively than a single organization would be able to do. Researchers have also successfully demonstrated a system architecture for provisioning cloud-based antivirus services, as an alternative to host-based antivirus solutions" (*Jansen, Wayne and Grance, Timothy).

In conclusion it is very important that we continue to expand on the best practices standard for securing cloud information. There are many risks now just like with any new technology and we need to continue to research and test. Remember to ask your cloud provider questions and talk about the security standards they use to define their service. For now we can use documents from Cloud Security Alliance to follow closely and set standards to build upon. The National Institute of Standards and Technology paper points out potential areas of improvement where organizations may derive security benefits from transitioning to a public cloud computing environment. Overall I see the Healthcare community embracing this new technology and find it secure and beneficial to all.

References

  1. *Cloud Security Alliance. "Top Threats to Cloud Computing V1.0" March 2010. 8 April 2011.
  2. DePompa, Barbara. "Cloud Security Concerns, Best Practices" Defense System 5 April. 2011
  3. *Jansen,Wayne and Grance, Timothy "National Institute of Standards and Technology Guidelines on Security and Privacy in Public Cloud Computing" Jan. 2011. 8 April 2011
  4. Varatharajan , Sathishkumar . Cloud Computing: Best Practices 23 March 2011. 12 April 2011.
  5. Versel, Neil. "Microsoft touts cloud computing in healthcare as providers wait for better security" 12 July 2010. 8 April 2011.

More Stories By Stephen Allen

Stephen Allen is a student at East Carolina University. East Carolina University is accredited by the Commission on Colleges of the Southern Association of Colleges and Schools to award baccalaureate, masters, and doctoral degrees.

IoT & Smart Cities Stories
Early Bird Registration Discount Expires on August 31, 2018 Conference Registration Link ▸ HERE. Pick from all 200 sessions in all 10 tracks, plus 22 Keynotes & General Sessions! Lunch is served two days. EXPIRES AUGUST 31, 2018. Ticket prices: ($1,295-Aug 31) ($1,495-Oct 31) ($1,995-Nov 12) ($2,500-Walk-in)
Andrew Keys is Co-Founder of ConsenSys Enterprise. He comes to ConsenSys Enterprise with capital markets, technology and entrepreneurial experience. Previously, he worked for UBS investment bank in equities analysis. Later, he was responsible for the creation and distribution of life settlement products to hedge funds and investment banks. After, he co-founded a revenue cycle management company where he learned about Bitcoin and eventually Ethereal. Andrew's role at ConsenSys Enterprise is a mul...
Nicolas Fierro is CEO of MIMIR Blockchain Solutions. He is a programmer, technologist, and operations dev who has worked with Ethereum and blockchain since 2014. His knowledge in blockchain dates to when he performed dev ops services to the Ethereum Foundation as one the privileged few developers to work with the original core team in Switzerland.
René Bostic is the Technical VP of the IBM Cloud Unit in North America. Enjoying her career with IBM during the modern millennial technological era, she is an expert in cloud computing, DevOps and emerging cloud technologies such as Blockchain. Her strengths and core competencies include a proven record of accomplishments in consensus building at all levels to assess, plan, and implement enterprise and cloud computing solutions. René is a member of the Society of Women Engineers (SWE) and a m...
Digital Transformation and Disruption, Amazon Style - What You Can Learn. Chris Kocher is a co-founder of Grey Heron, a management and strategic marketing consulting firm. He has 25+ years in both strategic and hands-on operating experience helping executives and investors build revenues and shareholder value. He has consulted with over 130 companies on innovating with new business models, product strategies and monetization. Chris has held management positions at HP and Symantec in addition to ...
The challenges of aggregating data from consumer-oriented devices, such as wearable technologies and smart thermostats, are fairly well-understood. However, there are a new set of challenges for IoT devices that generate megabytes or gigabytes of data per second. Certainly, the infrastructure will have to change, as those volumes of data will likely overwhelm the available bandwidth for aggregating the data into a central repository. Ochandarena discusses a whole new way to think about your next...
CloudEXPO | DevOpsSUMMIT | DXWorldEXPO are the world's most influential, independent events where Cloud Computing was coined and where technology buyers and vendors meet to experience and discuss the big picture of Digital Transformation and all of the strategies, tactics, and tools they need to realize their goals. Sponsors of DXWorldEXPO | CloudEXPO benefit from unmatched branding, profile building and lead generation opportunities.
Dynatrace is an application performance management software company with products for the information technology departments and digital business owners of medium and large businesses. Building the Future of Monitoring with Artificial Intelligence. Today we can collect lots and lots of performance data. We build beautiful dashboards and even have fancy query languages to access and transform the data. Still performance data is a secret language only a couple of people understand. The more busine...
All in Mobile is a place where we continually maximize their impact by fostering understanding, empathy, insights, creativity and joy. They believe that a truly useful and desirable mobile app doesn't need the brightest idea or the most advanced technology. A great product begins with understanding people. It's easy to think that customers will love your app, but can you justify it? They make sure your final app is something that users truly want and need. The only way to do this is by ...
DXWorldEXPO LLC announced today that Big Data Federation to Exhibit at the 22nd International CloudEXPO, colocated with DevOpsSUMMIT and DXWorldEXPO, November 12-13, 2018 in New York City. Big Data Federation, Inc. develops and applies artificial intelligence to predict financial and economic events that matter. The company uncovers patterns and precise drivers of performance and outcomes with the aid of machine-learning algorithms, big data, and fundamental analysis. Their products are deployed...