Cloud Computing and Health Care Security

We need to centralize this information in a public private cloud to provide ease of access while still meeting strict regulations

"Cloud computing is one of the most heavily hyped, yet generally least understood trends in modern computing. Simply put, virtualization or cloud computing is the process of moving office information technology resources and data storage offsite and accessing them through a high-speed internet connection" (Varatharajan, Sathishkumar). Security for cloud computing in health care is very important because storing information in a public private cloud is the most logical next step for businesses.

I will review the best-practice standards for public cloud security written by the Cloud Security Alliance. I will also discuss what the National Institute of Standards and Technology states in a document titled Guidelines on Security and Privacy in Public Cloud Computing. Cloud computing is the future of storing medical health records, and with all the strict regulations, guaranteeing the security of this information will be one of the most important jobs. We need to centralize this information in a public private cloud to provide ease of access while still meeting strict regulations. The aim is to assure people not only that their information is safe but also that their personal health data will not be stolen or sold for a profit.

"Cloud computing promises enormous benefits for the healthcare world," Steve Aylward, Microsoft's U.S. general manager for health and life science states. "These could include improved patient care, better health for the overall populations providers serve and new delivery models that will make healthcare more efficient and effective. Cloud computing can help do all of this in a cost-effective way" (Versel, Neil). The benefits, I think, outweigh the risks and concerns about security. With time, testing, and adherence to best-practice standards, a health organization should feel safe and secure about its information in the cloud.

The Cloud Security Alliance published a list of best-practice advice for securing Software as a Service and Platform as a Service environments. Following this list will help strengthen the security of your public private cloud network. "First, at minimum, authenticate users with a username and password, along with stronger authentication options depending on the risk level of the services being offered. Second, Enterprise administration capabilities are required, especially the administration of privileged users for all supported authentication methods. Third, self-service password reset functions should be used first to validate identities. Fourth, agencies must define and enforce strong password policies. Fifth, consider federated authentication, which is a means of delegating authentication to the organization that uses the SaaS application. Sixth, user-centric authentication can allow users to sign in using existing credentials that need not be stored by the consuming site" (DePompa, Barbara). In the future, you will most often purchase your cloud space from a large provider like Google or Amazon. The list provided by the Cloud Security Alliance is just a brief overview of standards for these cloud providers to follow, and for your healthcare business to make sure they follow, since the providers will most likely be the target of attacks instead of the customer's local site.

There are many risks and concerns about the security of the information stored in these private and public clouds. This is a great target for hackers because of the amount of personal information stored in health records. There has always been a confidentiality clause between you and your doctor, so it would be worse if a criminal used this information for a profit. "There are more risks and concerns that malicious users will target these large Infrastructure as a Service farms and use them for password and key cracking, DDoS, launching dynamic attack points, hosting malicious data, botnet command and control, building rainbow tables, and CAPTCHA solving farms. Some security issues are Insecure Interfaces and APIs. This kind of situation clearly creates an attractive opportunity for an adversary ranging from the hobbyist hacker, to organized crime, to corporate espionage, or even nation-state sponsored intrusion. The level of access granted could enable such an adversary to harvest confidential data or gain complete control over the cloud services with little or no risk of detection.

Shared Technology Issues are one example of this: when a guest on a shared cloud provider uses a high amount of CPU and GPU, it impacts the level of performance for anyone else using the same service. A malicious user could run a program that demands a high load and at the same time deny performance to the other applications. There is also data loss or leakage; the deletion or alteration of records without a backup of the original content is an obvious example. But there are many more ways data could be compromised. Account or Service Hijacking and other attack methods such as phishing, fraud, and exploitation of software vulnerabilities still achieve results. Credentials and passwords are often reused, which amplifies the impact of such attacks" (*Cloud Security Alliance).

The National Institute of Standards and Technology points out the following potential areas of improvement where organizations may derive security benefits from transitioning to a public cloud computing environment. These are some reasons why choosing a public cloud can at the same time provide security benefits. "Staff Specialization is added to have an opportunity for staff to specialize in security, privacy, and other areas of high interest and concern to the organization. Increases in the scale of computing induce specialization, which in turn allows security staff to shed other duties and concentrate exclusively on security issues. Through increased specialization, there is an opportunity for staff members to gain in-depth experience, take remedial actions, and make security improvements more readily than otherwise would be possible with a diverse set of duties. Platform Strength is an area where the structure of cloud computing platforms is typically more uniform than that of most traditional computing centers.

Greater uniformity and homogeneity facilitate platform hardening and enable better automation of security management activities like configuration control, vulnerability testing, security audits, and security patching of platform components. Information assurance and security response activities also profit from a uniform, homogeneous cloud infrastructure, as do system management activities, such as fault management, load balancing, and system maintenance. Many cloud providers meet standards for operational compliance and certification in areas of healthcare like HIPAA (Health Insurance Portability and Accountability Act). Resource Availability will help the scalability of cloud computing facilities to allow for greater availability. Redundancy and disaster recovery capabilities are built into cloud computing environments and on-demand resource capacity can be used for better resilience when facing increased service demands or distributed denial of service attacks, and for quicker recovery from serious incidents. When an incident occurs, an opportunity also exists to capture information more readily, with greater detail and less impact on production. In some cases, however, such resiliency can have a downside. For example, an unsuccessful distributed denial of service attack can quickly consume large amounts of resources to defend against and cause charges to soar, inflicting serious financial damage to an organization.

The backup and recovery policies and procedures of a cloud service may be superior to those of the organization and, if copies are maintained in diverse geographic locations, may be more robust. Data maintained within a cloud can be more available, faster to restore, and more reliable in many circumstances than that maintained in a traditional data center. Under such conditions, cloud services could also serve as a means for offsite backup storage for an organization's data center, in lieu of more traditional tape-based offsite storage. However, network performance over the Internet and the amount of data involved are limiting factors that can affect restoration.

The architecture of a cloud solution extends to the client at the service endpoint, used to access hosted applications. Cloud clients can be browser-based or applications-based. Since the main computational resources needed are held by the cloud provider, clients are generally lightweight computationally and easily supported on laptops, notebooks, and netbooks, as well as embedded devices such as smart phones, tablets, and personal digital assistants. Data maintained and processed in the cloud can present less of a risk to an organization with a mobile workforce than having that data dispersed on portable computers or removable media out in the field, where theft and loss of devices routinely occur.

Many organizations have already made the transition to support access to organizational data from mobile devices to improve workflow management and gain other operational efficiencies. For example, electronic mail can be redirected to a cloud provider via mail exchange (MX) records, examined and analyzed collectively with similar transactions from other data centers to discover widespread spam, phishing, and malware campaigns, and to carry out remedial action more comprehensively than a single organization would be able to do. Researchers have also successfully demonstrated a system architecture for provisioning cloud-based antivirus services, as an alternative to host-based antivirus solutions" (*Jansen, Wayne and Grance, Timothy).

In conclusion, it is very important that we continue to expand on the best-practice standards for securing cloud information. There are many risks now, just like with any new technology, and we need to continue to research and test. Remember to ask your cloud provider questions and talk about the security standards they use to define their service. For now we can use documents from the Cloud Security Alliance to follow closely and set standards to build upon. The National Institute of Standards and Technology paper points out potential areas of improvement where organizations may derive security benefits from transitioning to a public cloud computing environment. Overall, I see the healthcare community embracing this new technology and finding it secure and beneficial to all.


  1. *Cloud Security Alliance. "Top Threats to Cloud Computing V1.0." March 2010. 8 April 2011.
  2. DePompa, Barbara. "Cloud Security Concerns, Best Practices." Defense System. 5 April 2011.
  3. *Jansen, Wayne and Grance, Timothy. "National Institute of Standards and Technology Guidelines on Security and Privacy in Public Cloud Computing." Jan. 2011. 8 April 2011.
  4. Varatharajan, Sathishkumar. "Cloud Computing: Best Practices." 23 March 2011. 12 April 2011.
  5. Versel, Neil. "Microsoft touts cloud computing in healthcare as providers wait for better security." 12 July 2010. 8 April 2011.

More Stories By Stephen Allen

Stephen Allen is a student at East Carolina University. East Carolina University is accredited by the Commission on Colleges of the Southern Association of Colleges and Schools to award baccalaureate, masters, and doctoral degrees.
