COMMENTARY: Protecting healthcare data in the cloud has become more vital than ever. As the attack surface area expands, adversaries have more opportunities to access sensitive health data.
The main challenges are implementing adequate initial safeguards, which are steps taken to protect data from unauthorized access or corruption, and ensuring data protection and availability for quick recovery when facing cyberattacks.
[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]
A July cybersecurity audit by the Department of Health and Human Services (HHS) underscores the importance of this issue. The findings discovered during the HHS audit originally done in June and July 2022 should serve as a wake-up call for immediate action to bolster cloud security measures and build cyber resilience across federal healthcare agencies and other organizations, such as hospitals.
According to the HHS audit report earlier this year, the HHS Office of the Secretary (HHS OS) did not accurately identify and inventory all of its cloud systems in accordance with HHS security requirements. Also, although HHS OS implemented some security controls to protect its cloud systems, several important security controls were not effectively implemented in accordance with federal requirements and guidelines.
Without essential security measures in its cloud-based systems, unauthorized users could access sensitive health data, jeopardizing patient privacy and data integrity. Moreover, weak security controls heighten the risk of cyberattacks, potentially disrupting critical healthcare services and research. HHS and federal healthcare agencies must address these security vulnerabilities to ensure the continuity of public health and patient well-being.
With all these factors brought into question, healthcare agencies will have to do the following to improve cloud security:
In today’s digital age, compliance alone often falls short of ensuring resilience in the face of crises. Our healthcare system’s robustness gets tested and then proven during a cyberattack. Healthcare agencies must stay proactive, preparing for the worst by building agile response capabilities grounded in zero-trust principles
When disaster strikes, coordination across the entire agency will become crucial. Agencies must improve collaboration and information sharing during cyber exercises, ensuring that their plans emphasize recovery, not just defense. Adopting an “assumed breached” zero-trust mentality can cultivate relentless innovation as agencies operate under the presumption that threats are always present.
By prioritizing data protection to safeguard sensitive information, we can ensure a resilient recovery strategy. Healthcare agencies can significantly enhance their resilience by thoroughly understanding their environment, automating recovery processes, and regularly practicing thorough drills. This preparedness not only secures their operations, but also the critical services they deliver to millions. It’s time to elevate our defensive posture and ensure our healthcare systems can bounce back rapidly and securely from any digital threat.
Evan Anderson, regional director, federal civilian, Rubrik
SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.