Cloud Computing and Health Care Security

We need to centralize this information in a public private cloud to provide ease of access while still meeting strict regulations

"Cloud computing is one of the most heavily hyped, yet generally least understood trends in modern computing. Simply put, virtualization or cloud computing is the process of moving office information technology resources and data storage offsite and accessing them through a high-speed internet connection" (Varatharajan, Sathishkumar). Security for cloud computing in health care is very important because storing information in a public private cloud is the most logical next step for businesses.

I will review the standard of best practice for public cloud security written by the Cloud Security Alliance. I will also discuss what the National Institute of Standards and Technology states in a document titled Guidelines on Security and Privacy in Public Cloud Computing. Cloud computing is the future of storing medical health records, and with all the strict regulations, guaranteeing the security of this information will be one of the most important jobs. We need to centralize this information in a public private cloud to provide ease of access while still meeting strict regulations. The aim is to assure people not only that their information is safe, but also that their personal health data will not be stolen or sold for a profit.

"Cloud computing promises enormous benefits for the healthcare world," Steve Aylward, Microsoft's U.S. general manager for health and life science, states. "These could include improved patient care, better health for the overall populations providers serve and new delivery models that will make healthcare more efficient and effective. Cloud computing can help do all of this in a cost-effective way" (Versel, Neil). The benefits, I think, outweigh the risks and concerns about security. With time, testing, and adherence to best-practice standards, a health organization should feel safe and secure about its information in the cloud.

The Cloud Security Alliance published a list of best-practice advice for securing Software as a Service and Platform as a Service environments. Following this list will help strengthen the security of your public private cloud network. "First, at minimum, authenticate users with a username and password, along with stronger authentication options depending on the risk level of the services being offered. Second, Enterprise administration capabilities are required, especially the administration of privileged users for all supported authentication methods. Third, self-service password reset functions should be used first to validate identities. Fourth, agencies must define and enforce strong password policies. Fifth, consider federated authentication, which is a means of delegating authentication to the organization that uses the SaaS application. Sixth, user-centric authentication can allow users to sign in using existing credentials that need not be stored by the consuming site" (DePompa, Barbara). In the future, you will most often purchase your cloud space from a large provider like Google or Amazon. The list provided by the Cloud Security Alliance is just a brief overview of standards for these cloud providers to follow, and for your healthcare business to make sure they follow, since the providers will most likely be the target of attacks instead of the customer's local site.

There are many risks and concerns about the security of the information stored in these private and public clouds. These clouds are a great target for hackers because of the amount of personal information stored in health records. There has always been a confidentiality clause between you and your doctor, so it would be worse if a criminal used this information for a profit. "There are more risks and concerns that malicious users will target these large Infrastructure as a Service farms and use them for password and key cracking, DDOS, launching dynamic attack points, hosting malicious data, botnet command and control, building rainbow tables, and CAPTCHA solving farms. Some security issues are Insecure Interfaces and APIs. This kind of situation clearly creates an attractive opportunity for an adversary ranging from the hobbyist hacker, to organized crime, to corporate espionage, or even nation-state sponsored intrusion. The level of access granted could enable such an adversary to harvest confidential data or gain complete control over the cloud services with little or no risk of detection.

The Shared Technology Issues is one example of this: using a shared cloud provider, a guest is using a high amount of CPU and GPU and therefore impacts the level of performance for anyone else using the same service. A malicious user could run a program that demands a high load and at the same time deny performance to the other applications. There is also data loss or leakage; the deletion or alteration of records without a backup of the original content is an obvious example. But there are many more different ways data could be compromised. Account or Service Hijacking and other attack methods such as phishing, fraud, and exploitation of software vulnerabilities still achieve results. Credentials and passwords are often reused, which amplifies the impact of such attacks" (*Cloud Security Alliance).

The National Institute of Standards and Technology points out potential areas of improvement where organizations may derive security benefits from transitioning to a public cloud computing environment. These are some reasons why choosing a public cloud can also provide security benefits. "Staff Specialization is added to have an opportunity for staff to specialize in security, privacy, and other areas of high interest and concern to the organization. Increases in the scale of computing induce specialization, which in turn allows security staff to shed other duties and concentrate exclusively on security issues. Through increased specialization, there is an opportunity for staff members to gain in-depth experience, take remedial actions, and make security improvements more readily than otherwise would be possible with a diverse set of duties. Platform Strength is an area where the structure of cloud computing platforms is typically more uniform than that of most traditional computing centers.

Greater uniformity and homogeneity facilitate platform hardening and enable better automation of security management activities like configuration control, vulnerability testing, security audits, and security patching of platform components. Information assurance and security response activities also profit from a uniform, homogeneous cloud infrastructure, as do system management activities, such as fault management, load balancing, and system maintenance. Many cloud providers meet standards for operational compliance and certification in areas of healthcare like HIPAA (Health Insurance Portability and Accountability Act). Resource Availability will help the scalability of cloud computing facilities to allow for greater availability. Redundancy and disaster recovery capabilities are built into cloud computing environments and on-demand resource capacity can be used for better resilience when facing increased service demands or distributed denial of service attacks, and for quicker recovery from serious incidents. When an incident occurs, an opportunity also exists to capture information more readily, with greater detail and less impact on production. In some cases, however, such resiliency can have a downside. For example, an unsuccessful distributed denial of service attack can quickly consume large amounts of resources to defend against and cause charges to soar, inflicting serious financial damage to an organization.

The backup and recovery policies and procedures of a cloud service may be superior to those of the organization and, if copies are maintained in diverse geographic locations, may be more robust. Data maintained within a cloud can be more available, faster to restore, and more reliable in many circumstances than that maintained in a traditional data center. Under such conditions, cloud services could also serve as a means for offsite backup storage for an organization's data center, in lieu of more traditional tape-based offsite storage. However, network performance over the Internet and the amount of data involved are limiting factors that can affect restoration.

The architecture of a cloud solution extends to the client at the service endpoint, used to access hosted applications. Cloud clients can be browser-based or applications-based. Since the main computational resources needed are held by the cloud provider, clients are generally lightweight computationally and easily supported on laptops, notebooks, and netbooks, as well as embedded devices such as smart phones, tablets, and personal digital assistants. Data maintained and processed in the cloud can present less of a risk to an organization with a mobile workforce than having that data dispersed on portable computers or removable media out in the field, where theft and loss of devices routinely occur.

Many organizations have already made the transition to support access to organizational data from mobile devices to improve workflow management and gain other operational efficiencies. For example, electronic mail can be redirected to a cloud provider via mail exchange (MX) records, examined and analyzed collectively with similar transactions from other data centers to discover widespread spam, phishing, and malware campaigns, and to carry out remedial action more comprehensively than a single organization would be able to do. Researchers have also successfully demonstrated a system architecture for provisioning cloud-based antivirus services, as an alternative to host-based antivirus solutions" (*Jansen, Wayne and Grance, Timothy).

In conclusion, it is very important that we continue to expand on the best-practice standards for securing cloud information. There are many risks now, just as with any new technology, and we need to continue to research and test. Remember to ask your cloud provider questions and talk about the security standards they use to define their service. For now, we can follow documents from the Cloud Security Alliance closely and use them to set standards to build upon. The National Institute of Standards and Technology paper points out potential areas of improvement where organizations may derive security benefits from transitioning to a public cloud computing environment. Overall, I see the healthcare community embracing this new technology and finding it secure and beneficial to all.


  1. *Cloud Security Alliance. "Top Threats to Cloud Computing V1.0" March 2010. 8 April 2011.
  2. DePompa, Barbara. "Cloud Security Concerns, Best Practices" Defense System 5 April 2011.
  3. *Jansen, Wayne and Grance, Timothy. "National Institute of Standards and Technology Guidelines on Security and Privacy in Public Cloud Computing" Jan. 2011. 8 April 2011.
  4. Varatharajan, Sathishkumar. "Cloud Computing: Best Practices" 23 March 2011. 12 April 2011.
  5. Versel, Neil. "Microsoft touts cloud computing in healthcare as providers wait for better security" 12 July 2010. 8 April 2011.

More Stories By Stephen Allen

Stephen Allen is a student at East Carolina University. East Carolina University is accredited by the Commission on Colleges of the Southern Association of Colleges and Schools to award baccalaureate, masters, and doctoral degrees.
