As more healthcare organizations become comfortable with using cloud services, there's a risk this familiarity could lead to complacency -- and that endangers patient data, networks, and the organization's very reputation.
Cloud services continue to gain traction across verticals, including other highly regulated industries such as finance, and healthcare organizations can tap existing tools, governance policies, and procedures to preserve integrity and security. To do so, IT must be vigilant and proactive, experts say, and CIOs must work closely with their business counterparts to ensure the cloud is the best solution to the problem, both technologically and organizationally.
The cloud increasingly is the answer to many healthcare organizations' needs: Almost 83% of 150 industry respondents currently use at least some cloud services, according to the 2014 HIMSS Analytics Cloud Survey, published in June. Another 9% plan to use the cloud, and just 6% don't plan to try cloud services, the report found.
By 2017, healthcare organizations will spend $5.4 billion worldwide on cloud services, according to MarketsandMarkets. Slow to adopt public cloud products formally, healthcare IT primarily invests in private or hybrid models for security reasons, experts noted.
However, employees do not always abide by IT's carefully scripted guidelines. The plethora of software-as-a-service products -- often free or so cheap they can be charged to an expense account -- attracts employees unwilling to wait for an IT-approved approach. Healthcare enterprises used an average of 1,180 cloud services, according to Skyhigh Networks' Cloud Adoption and Risk Report 2Q, which is based on anonymized data for more than 10.5 million users. Enterprises in general use 738 cloud services, the report found.
"There is a massive opportunity for IT to be more proactive and to understand the risk of cloud services," says Kamal Shah, vice president of products at Skyhigh Networks, in an interview.
Shadow IT, which may or may not resolve an employee's immediate business need, can have far-reaching implications, Shah says. During an audit of its cloud services, one Skyhigh client found employees used 19 different file sharing and collaboration applications, he says. In addition to increasing security risks, this situation was hurting productivity, because the lack of standardization meant employees had to download multiple collaboration and sharing programs in order to work together, he notes. "It's hard to collaborate when different groups within an organization are using different applications," he says.
Also, when a healthcare organization's network is overwhelmed, cloud access can be limited, an issue for many hospitals at a time when a growing number of devices wirelessly connect for analysis, monitoring, and data collection. Performance is critical, uptime is a requirement, and poor connections are intolerable in healthcare.
When using cloud services, healthcare organizations must be certain that providers meet HIPAA regulations, said Jennifer Christianson, a partner in the law firm Carlton Fields Jorden Burt, in an interview. Healthcare organizations also must consider how local or state laws might affect them, she noted. Scrutinizing business associate agreements to make sure they meet all specifications is crucial, too, Christianson said.
Read on for the five steps all healthcare organizations should take to make sure their cloud security is up to snuff.