Commentary: Protecting healthcare data in the cloud is more important than ever. As the attack surface expands, adversaries have more opportunities to access sensitive health data.
The main challenges are implementing adequate primary safeguards, which are steps taken to protect data from unauthorized access or corruption, and ensuring that data is protected and available for rapid recovery when faced with cyber attacks.
A cybersecurity review conducted by the Department of Health and Human Services (HHS) in July underscores the importance of this issue. The findings uncovered during an HHS audit originally conducted in June and July 2022 should serve as a wake-up call for immediate action to strengthen cloud security measures and build cyber resilience across federal health care agencies and other organizations, such as hospitals.
According to an HHS audit report earlier this year, the Office of the Secretary of HHS (HHS OS) did not accurately identify and inventory all of its cloud systems in accordance with HHS security requirements. Additionally, although HHS OS has implemented certain security controls to protect its cloud systems, many important security controls have not been effectively implemented in accordance with federal requirements and guidelines.
Without basic security measures in their cloud-based systems, unauthorized users can access sensitive health data, putting patient privacy and data integrity at risk. Furthermore, weak security controls increase the risk of cyberattacks, which can disrupt vital healthcare services and research. The Department of Health and Human Services and federal health care agencies must address these security vulnerabilities to ensure the continuity of public health and patient well-being.
With all of these factors in question, healthcare agencies will need to do the following to improve cloud security:
In today's digital age, compliance alone is often insufficient to ensure resilience in the face of crises. The strength of our healthcare system is tested and then proven during a cyberattack. Healthcare agencies must remain proactive and prepare for the worst by building rapid response capabilities based on zero trust principles.
When disaster strikes, coordination across the entire agency becomes critical. Agencies must work to improve cooperation and information sharing during cyber exercises, and ensure that their plans focus on recovery, not just defense. Adopting a “zero trust” mindset can foster relentless innovation, as agencies operate on the assumption that threats are always present.
By prioritizing the protection of sensitive information, we can ensure a resilient recovery strategy. Healthcare agencies can significantly enhance their resilience by comprehensively understanding their environment, automating recovery processes, and regularly practicing comprehensive exercises. This readiness protects not only their operations, but also the vital services they provide to millions. It is time to raise our defensive posture and ensure that our healthcare systems can quickly and safely recover from any digital threat.
Ivan Anderson, Regional Director, Federal Civil, Rubric
SC Media Perspectives columns are written by SC Media's trusted community of cybersecurity subject matter experts. Each contribution aims to provide a unique voice to important cybersecurity topics. The content strives to be of the highest quality, objective and non-commercial.