Moving Your Healthcare Organization to the Cloud? Here’s What You Need to Know First
While the last two years accelerated digital transformation across a wide range of industries, this has been a long time coming for healthcare. Healthcare has been undergoing a massive shift to improve security, streamline operations, and enhance the patient experience—and much of that shift centers around the movement to the cloud. Cloud-native ostensibly offers a better, more accessible user experience marked by enhanced uptime, reliability, and efficiency. Here are just a few of the elements impacted by the movement to the cloud:
Telemedicine. Once a niche offering, telemedicine exploded in popularity during the pandemic and has all the signs of becoming a mainstay. The security concern: every app and every connection needs to be secure and HIPAA-compliant.
Fast Healthcare Interoperability Resources (FHIR). The healthcare industry has been gradually shifting to electronic healthcare records, along with the digital storage and sharing of those records. The upside of electronic healthcare records is that healthcare professionals can access critical information about patients almost instantly. The security concern: how do you guarantee that only the right people get access to sensitive records when needed? The industry is trying to standardize APIs to mitigate risks while facilitating necessary access.
Regulations. Compliance and regulations vary widely by state. For example, in California, parents no longer have access to their child’s healthcare records once that child turns 12. How do you standardize processes across non-standard regulatory environments?
The common theme in all of these: ensuring security without compromising standards of care or the patient experience. That’s a tall order, to say the least. And it’s one that the movement to the cloud is designed to accommodate.
And yet, moving to the cloud comes with inherent security risks. In the cloud, not only do apps need to be secure, but all platforms those apps run on top of need to be secure as well. A perfectly secure application doesn’t help if an attacker can change the source code that makes up the application. Securing a cloud application means moving beyond firewalls and the assumption that the application is running on a local network; it means embedding security controls into each and every piece of software.
If your healthcare organization is accustomed to having everything stored and processed locally, the cloud can feel overwhelming. Modern cloud-native applications may now be composed of dozens or hundreds of microservices, housed in containers and hosted on immutable, dynamically scaling platforms like Kubernetes. If all of that sounded like another language to you, that’s because it is another language—and the language of cloud-native has a steep learning curve. The key takeaway: modern applications and the platforms they run on are built out of possibly hundreds of individual components, each of which must be secured.
Does that mean you should avoid the cloud? Not at all. When navigated appropriately, the benefits of moving to the cloud (flexibility, scaling, iterative capability, user interface, functionality with the decentralized workforce, operations that don’t break down if you have a local issue, etc.) far outweigh the risks. But it does mean you should plan ahead. Here’s how.
Embed security
The best way to optimize security and functionality when moving to the cloud is to build security into your people, processes, and software. Specifically, that entails addressing the authorization side of security: the rules that decide who can access or update information when using your software, e.g. which healthcare records a doctor can read.
When it comes to policy, a key to success is to fully embrace a policy-as-code approach.
Adopting policy-as-code means decoupling policy from your application code and using a dedicated, declarative language to define the conditions and rules that make up that policy.
Can application X access information Y at Z time from location Q? The policy code decides. No human intervention required. No need to implement it repeatedly throughout your application.
Can Bob in patient services access Maria’s file and send it to Acme Insurance Company via an encrypted email? The policy code decides. No human intervention required.
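A small Rego policy (the language used by Open Policy Agent) that encodes the kinds of decisions above, written here as an added example rather than code from the original article. The package name, input fields, and sample assignment and insurer data are assumptions; only the California rule on parental access comes from the article.

```rego
package healthcare.records

import rego.v1

# Deny by default: any request not matched by a rule below is refused.
default allow := false

# Constructed sample data (an assumption); in a deployment OPA would load this
# from an external source rather than from the policy file.
assignments := {"dr-lee": {"p-100", "p-101"}}
approved_insurers := {"acme-insurance.example"}

# A clinician may read the record of a patient currently assigned to them.
allow if {
	input.action == "read"
	input.subject.role == "clinician"
	input.resource.patient_id in assignments[input.subject.id]
}

# A parent may read their child's record, subject to the jurisdiction's rule.
allow if {
	input.action == "read"
	input.subject.role == "parent"
	input.resource.patient_id in input.subject.children
	parent_access_permitted
}

# Patient services may share a record with an approved insurer, but only over
# an encrypted channel.
allow if {
	input.action == "share"
	input.subject.role == "patient_services"
	input.recipient.domain in approved_insurers
	input.channel.encrypted == true
}

# California: parental access ends when the child turns 12 (as described in the article).
parent_access_permitted if {
	input.resource.jurisdiction == "CA"
	input.resource.patient_age < 12
}

# Placeholder for other jurisdictions (an assumption; the real rules vary by state).
parent_access_permitted if {
	input.resource.jurisdiction != "CA"
}

# Query example: opa eval -d policy.rego -i input.json "data.healthcare.records.allow"
```

Because the policy lives in its own file, the application only asks OPA for `allow` and never re-implements these rules itself, which is the decoupling the article describes.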
Adopting policy-as-code means developer teams can focus on creating features that help customers; security and compliance teams can audit policies without digging through reams of application code written in different languages; operations teams can enforce the rules that make the cloud platforms themselves safe. In short, policy-as-code helps each team focus on their strengths, working together to deliver secure software to customers as quickly as possible.
If healthcare organizations adopt a policy-as-code approach from the beginning of their move to the cloud, productivity increases and risks are reduced. This sounds great in theory, but how do you actually do it? Here are some best practices:
Best practices for adopting policy-as-code in healthcare
Get on board with zero trust. A zero trust framework means baking security right into your software, so a move to the cloud means that no matter where your applications are deployed, security goes with them. Zero trust ensures that every action a person (or machine) takes is vetted, without relying on other safeguards that were supposed to be checked earlier.
Put a security framework in place, not a security bandaid. When you establish a security framework, bringing in new people, software, or iteration doesn’t involve starting from scratch. Instead, those new elements can snap right into the existing framework. Nothing gets deployed that isn’t already secure, because it’s all part of the framework. Not only does this streamline security and make it more reliable, it also bridges the gap between DevOps and security/compliance teams: everyone’s on board with the framework, everyone knows what to expect, and changes don’t automatically require new conversations and new approvals.
Shift left. It’s essential to ensure that the framework makes things easier for developers, not harder. You can’t have a framework that inhibits developer productivity. The framework should be set up in a way that makes security controls fully accessible and understandable to developers early in the dev process. They need to know right away if something they’ve developed doesn’t fit in the framework, and they shouldn’t have to wait for delayed feedback. Shifting left means failing quickly and iterating just as fast.
Get a policy-as-code engine on board. Adopting a policy-as-code approach is only as easy as the engine you have doing the heavy lifting for you. A policy-as-code engine like Open Policy Agent (OPA) can smooth out the shift to cloud-native. Why? Because it’s decoupled from your tools, so your team can take the wheel without steering you into the ditch. OPA is also designed with enough architecture flexibility to deliver zero trust authorization wherever you want policies enforced.
A policy-as-code approach enhances security and productivity
A healthy move to the cloud is one that is done securely and without inhibiting productivity. In fact, doing it right means drastically enhancing security and productivity. Again, the best results come from starting early and adopting a policy-as-code solution from the get-go, but if you’re already wandering around the cloud, it’s not too late. With solutions like OPA, the future of cloud-native is flexible, fast, and far less burdensome on IT resources.
This article originally appeared in the HelpNetSecurity “Healthcare CyberSecurity Report” on February 23, 2022.
Interested in learning more about OPA? Sign up for the Styra Academy! It’s a free online portal that provides exclusive Open Policy Agent, Rego and Styra DAS training from the founders of Styra and OPA!