Over the past decade, workloads and data have moved increasingly into the cloud. For the healthcare industry, that means personal health information is stored in multiple environments – and so security should be able to respond to threats across those environments too.

"As the IT estate continued to evolve, the traditional 'gate in castle' approach to security became less and less relevant," said Ryan Smith, VP of product at Armor Cloud Security, in a HIMSS20 Digital presentation. 

"It was no longer sufficient enough to have a firewall on the outside perimeter," he said. "Instead, you had to begin focusing on the workload. When you think about security, you have to be thinking about how you're protecting that workload."

During his talk, Maintaining Visibility and Security Across Hybrid Infrastructure Deployments in the Healthcare Industry, Smith explained that cloud-based security failures are nearly always the fault of the customer, rather than the security provider – and that in healthcare companies, orchestrating security teams is often "a very fragmented picture."

This means, Smith said, that security in the cloud is not a technology problem, but an operations problem – and a cultural problem – for businesses.

The defense of healthcare information, in particular, presents a number of unique challenges, including a murky understanding of cloud architecture and data landscapes, poor authentication, weak role-based controls, stubborn end-user adoption, and a lack of orchestration between point solutions. 

Another hurdle, Smith said, involves furthering the understanding that regulatory constraints under HIPAA aren't always prescriptive. 

"Compliance is built on a checklist of how we should maintain best practices," Smith said. "Compliance is more of a point-in-time snapshot. … Security never sleeps, while compliance is often a once-a-year activity."

"Threat actors don't care if you're compliant," he pointed out.

Plus, as Smith noted, compliance often results from security. 

Security platforms should protect the data environment from both accidental and intentional threats, Smith said. He explained that tools focused on Cloud Security Posture Management, Cloud Workload Protection and Cloud Access Security Brokers can work together to address the all-around security needs of an organization.

This is important, Smith said, because "healthcare data is gold to bad actors." 

The financial impact of data breaches is often significant due to government fines, loss of customers or theft of intellectual property.

"If you are subject to breach," Smith said, "there is tremendous impact to the business."

Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Healthcare IT News is a HIMSS Media publication.