1. Doesn't moving data to the cloud reduce security?
Allowing applications to leave your data center can be scary. It can seem that giving up detailed control and ownership will lead to security problems. The opposite is often true: cloud providers can devote vast resources to securing applications and data, and they are at the forefront of security best practices. Healthcare IT teams don't have this level of resources to devote to security.
2. Aren't cloud providers responsible for the security of my data?
Moving to the cloud, whatever type of service you choose, means shared responsibility for security. Physical security, network security and infrastructure security are now the cloud provider's problem. For SaaS, this extends to operating system and application security patches. But the overall configuration and the choice of the right options remain your responsibility. If you don't require multi-factor authentication, or you leave your data storage pools publicly available, the security issues you create are your own problem. Healthcare IT leaders need to take the time to understand what they are configuring and choose appropriate and secure options.
3. Wouldn't moving to the cloud reduce my compliance burden?
Cloud providers undergo their own audit and certification processes, and having these reports delivered to you is part of your compliance reporting plan. But ultimate control of data access is always your responsibility, no matter where the data resides. The cloud is not a shortcut for getting past HIPAA and HITECH requirements.
4. Doesn't the cloud change identity and access management?
IAM has never been more important than in the cloud because traditional physical barriers (such as having to be in a hospital) disappear. Solid IAM is the foundation for everything. Healthcare IT teams that rely on on-premises Active Directory or cloud-based Entra ID (Microsoft's new name for Azure AD) with MFA are off to a good start. But the cloud introduces some additional IAM requirements. Risk management through geolocation, intrusion evasion, and other posture checks must be integrated into IAM to maintain access control in the cloud application environment.
5. Isn't encrypting online data enough protection?
Encryption is necessary, but by no means sufficient. Tools like SSL/TLS encryption protect cloud data in transit between data centers and users, but data at rest also needs security that goes far beyond simple encryption. In addition to robust IAM and access controls, healthcare IT teams should add tools to help audit their configurations and monitor security events. The process of preventing a data breach starts with identifying and fixing the human errors that are always present. This is just the beginning: unauthorized data access must be detected and remedied in real-time, at Internet speeds, to prevent large-scale data breaches.
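The configuration audit described above, narrowed to one check: finding storage that has been left publicly available. This is an added example, not part of the original article; it assumes storage policies in the AWS S3 bucket-policy JSON layout (the article names no provider), and the bucket names, account ID and organization ID are constructed sample data.

```python
# Added example: flag storage policies that grant access to everyone.
# Assumption: AWS S3 bucket-policy JSON layout; all values below are constructed.
SAMPLE_POLICIES = {
    "phi-exports": {"Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::phi-exports/*"}]},
    "imaging-archive": {"Statement": [
        {"Sid": "OrgOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::imaging-archive/*",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-example"}}}]},
    "billing-reports": {"Statement": {
        "Sid": "AppRole", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/billing-app"},
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::billing-reports/*"}},
}

def _as_list(value):
    """Policy fields may be a single item or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def is_wildcard_principal(principal):
    """True for "*" or for {"AWS": "*"} / {"AWS": [..., "*"]} style principals."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False

def classify(statement):
    """Return "public", "review" (wildcard limited by a Condition) or None."""
    if statement.get("Effect") != "Allow":
        return None
    if not is_wildcard_principal(statement.get("Principal")):
        return None
    # A Condition may or may not narrow access enough, so a person must check it.
    return "review" if statement.get("Condition") else "public"

def audit(policies):
    """Map bucket name -> list of (Sid, verdict) for statements needing action."""
    report = {}
    for bucket, policy in policies.items():
        hits = []
        for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
            verdict = classify(stmt)
            if verdict:
                hits.append((stmt.get("Sid", f"statement[{i}]"), verdict))
        if hits:
            report[bucket] = hits
    return report
```

The check covers wildcard `Principal` grants only; statements using `NotPrincipal` or access granted through other mechanisms need their own review.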