Migrating the Health Care Industry's Data Into the Cloud Walaa Hawasawi Michael Turner Eyad Fairak Eric McGee Bradlee Lathon Eric Gibson Jr

Security Issues of Cloud Computing in Healthcare

There are tremendous advantages of implementing the cloud computing technology in healthcare field. However, as we all know there is no such a thing called “perfection”. Therefore, health care organizations are facing some huge risks mostly represented in: turning over data, security, availability and control to a third party, which means that the organizations have absolutely no control over where their data actually located. Define The Problem

Many EMR( Electronic Medical Records) vendors do not own their own servers. They are rented from companies like Amazon, Microsoft, Apple, and other data bank companies. Chances are good that your EMR flows on the same server, and hard drives as Twitter or Facebook. Unfortunately, Unauthorized disclosure of information results in severe consequences to the organization and significant costs in recovering and restoring data as well as notifying affected individuals.

Based on the security issue some important questions have been raised; How responsible can physicians or hospitals be for breaches by a vendor, or cloud system provider? What about hackers? What are the results of hacking the patients EMR? HIPAA will become rather meaningless!

A survey has been conducted by Healthcare IT News asked its readers if their organizations plan on implementing cloud computing:

The Survey's Results: Forty-eight percent said they plan on making cloud computing part of their organization’s health IT infrastructure. While 33 percent are already using cloud. Cloud computing has quickly made inroads in their health IT space. Only 19 percent of respondents indicated they are not going for the cloud because of Security issues surrounding cloud computing

Another survey has been conducted by KLAS ( Which is a research firm on a global mission to improve healthcare delivery by enabling providers to be heard and to be counted) titled Cloud Computing Perception 2013: The Hybrid Cloud in Healthcare.

The Survey's Result: 66% of non- cloud users surveyed said security was definitely the main issue stopping them from moving forward with adoption.

 The Accenture report statistics were compiled from a study released in February by unified management services provider Mimecast which last fall surveyed 565 IT decision makers across several industries in the United States and Canada about their cloud plans.  The 32% of respondents in the healthcare sector using cloud applications were most similar to those in industries such as manufacturing, in which 32% of respondents in that sector also said they were using cloud applications; followed by respondents in education (29%) and retail (35%).  The 73% of healthcare industry respondents planning to move applications to the cloud were most similar to the 75% of respondents in the technology and government sectors who also intended to expand their use of the cloud. Measure

Analyze

Improvements

Fear of the lack of valid security and compliance has caused the healthcare industry to slow down cloud implementation. Cloud providers must ensure that their infrastructure is secure and that their clients’ data and applications are protected while the customer must ensure that the provider has taken the proper security measures to protect their information. Cloud Security Concerns

 Identity and Access Management: Identity management helps to maintain security, visibility and control, and centralizing IT control of identities and access is useful.  Data Protection: Encryption of traffic and isolation mechanisms that serve to separate memory, storage, and routing between tenants must be put in place in multi- tenant cloud environments.  Compliance: Different countries and regions have different privacy laws, some more strict than others. To be sure that cloud vendors are compliant with policy, it is important that the cloud infrastructure is auditable. Most Common Concerns

 Trust: When migrating to the cloud, most of the control is now in the hands of the cloud vendor which requires trust. To build trust vendors need to deliver incident response, such as; attack analysis, containment, data preservation, remediation and service continuity. Data management tools are required so that the client can see over their data on the cloud and make sure agreed upon policies are being enforced.  Secured Architecture: Large cloud infrastructures obviously present a bigger and more vulnerable target for cybercriminals. To protect a healthcare cloud from trojans, rootkits and malware requires management of identities and APIs at the network edge to ensure that only authorized users can gain access. Also Hardware and software components that are inherently trusted (Roots of Trust) must be established to secure server and client machines by measuring or verifying software, protecting cryptographic keys and performing device authentication. Most Common Concerns (cont.)

Cloud Security Solutions

To help address the issue of securing sensitive patient data and medical records it is necessary that both client and vendor are using AES encryption. AES (Advanced Encryption Standard) – This type of encryption uses complex algorithms to secure data.

Due to the complexity of AES algorithms, in an environment where there is endless data being passed to and from the cloud, there will be too much overhead. Solution: Intel’s Advanced Encryption Standard New Instructions (AES NI)  This solution speeds up the execution of encryption algorithms by anywhere up to 10 times other solutions.  Intel has built this technology right into many of their Xeon, Core vPro and Core processors. Video on Intel AES NI -

Using the machine specs in the chart below, Intel measured the performance benefit offered by Intel AES- NI on a Linux/Java software stack to prove that use of their advanced encryption technology would be beneficial for the healthcare sector and allow more organizations to address the increasing security concerns within the industry and by consumers.

Test Results - The test was run 100 times for each encryption method and the results were averaged.

Key Findings  Application file encryption improved 39% (average) and file decryption 37% (average) with Intel® AES-NI enabled over AES128 key.  Application file encryption improved 37% (average) and file decryption 38% (average) with Intel® AES-NI enabled over AES256 key.

Control

Customers have built healthcare applications compliant with HIPAA’s Security and Privacy Rules

HIPAA does the following:  Provides the ability to transfer and continue health insurance coverage for millions of American workers and their families when they change or lose their jobs;  Reduces health care fraud and abuse;  Mandates industry-wide standards for health care information on electronic billing and other processes.  Requires the protection and confidential handling of protected health information

HIPAA Compliance Administrative Safeguard Physical Safeguard Technical Safeguard

Case Study : Nimbus Health  Helps doctors and hospitals save money by enabling healthcare providers to share medical records with patients in an easy, online, and secure.  Nimbus Health a fully HIPAA compliant Software-as-a- Service (SaaS) solution.

THE END