A security success story: Using cloud migration to improve data protection
Although security horror stories have become relatively common – especially after highly publicized data breaches – it's more challenging to find examples of healthcare organizations doing the right thing.
"It's hard to find the security success stories," said John Pescatore, director of emerging security trends at SANS, in a recent HIMSS20 Digital presentation.
As part of disrupting that negative narrative, Pescatore focused on a case study from the California-based Hill Physicians Medical Group, interviewing senior manager of enterprise security and architecture Juan Canales about the process of migrating to the cloud and the lessons the organization had learned from the experience.
"The range of security and privacy requirements at Hill Physicians is very complex," Canales said during the session, Migrating to the Cloud while Maintaining Security and Network Performance. "Our providers are independent and they have their own system. However, I have the responsibility of protecting all patient data."
Canales explained that HPMG also has a management service organization, which he is responsible for protecting along with the EHR systems.
"I have the responsibility of managing and protecting over 8,000 systems and about four petabytes of data," Canales said.
Pescatore pointed out that big transitions, including moving into cloud-based operations, can present an opportunity to enact security changes such as implementing anti-spam programs or email multi-factor authentication.
One common myth, he said, is that "there's not enough money for security." Other reported barriers to cybersecurity progress include a lack of skilled staff, a lack of automation, and non-integrated tools.
When it came to Hill Physicians, Canales said, migrating to the cloud was clearly necessary to help address the company's technological struggles. But "from a performance perspective, it was a hard sell to go from a physical traditional environment to a cloud, or a virtual environment," he said.
"My main challenge was to assure that we could both monitor the infrastructure and secure it without impacting the operations," he continued. "I started looking for solutions that could provide visibility into the environment with little to no overhead."
HPMG ended up using the cyber analytics vendor ExtraHop, which sponsored the session, for both its operational and security needs.
One major advantage, Canales said, has been the ability to monitor the security of off-site employees. Although remote work had always been an option, the COVID-19 pandemic made it clear how necessary it is to ensure seamless security implementations at all locations – especially considering the rise of cybercriminals taking advantage of the pandemic.
"We have seen, by means of ExtraHop, the rise of COVID emails like phishing campaigns," Canales said. "We're able to detect some of these campaigns by extracting the message header," looking for external emails and filtering based on keywords.
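The header-based detection Canales describes, sketched as an added example (not HPMG's or ExtraHop's code): it parses only message headers, treats any sender outside an assumed internal domain as external, matches assumed pandemic keywords in the decoded Subject, and reports sender domains that recur. The domain list, keyword pattern, threshold and sample messages are all constructed for illustration.

```python
import re
from collections import defaultdict
from email import policy
from email.parser import HeaderParser
from email.utils import parseaddr

INTERNAL_DOMAINS = {"clinic.example"}  # assumption: the organization's own mail domain
KEYWORDS = re.compile(r"\b(covid(-19)?|coronavirus|pandemic|quarantine)\b", re.I)  # assumed list

def sender_domain(msg):
    """Lower-cased domain of the From address; '' when it cannot be parsed."""
    addr = parseaddr(str(msg.get("From", "")))[1]
    return addr.rpartition("@")[2].lower()

def is_suspect(raw_headers):
    """Return (domain, subject) for an external, keyword-themed message, else None."""
    msg = HeaderParser(policy=policy.default).parsestr(raw_headers)
    domain = sender_domain(msg)
    # policy.default decodes RFC 2047 encoded words, so an encoded Subject
    # cannot slip past the keyword match.
    subject = str(msg.get("Subject", ""))
    if domain in INTERNAL_DOMAINS:  # a missing or unparseable From counts as external
        return None
    if not KEYWORDS.search(subject):
        return None
    return domain, subject

def find_campaigns(messages, min_hits=2):
    """Group suspect messages by sender domain; min_hits or more is a campaign."""
    hits = defaultdict(list)
    for raw in messages:
        result = is_suspect(raw)
        if result:
            hits[result[0]].append(result[1])
    return {d: subjects for d, subjects in hits.items() if len(subjects) >= min_hits}

# Constructed sample headers (not real traffic).
SAMPLE = [
    'From: "Benefits" <noreply@relief-updates.example>\n'
    'Subject: =?utf-8?q?COVID-19_relief_payment?=\n\n',
    'From: alerts@relief-updates.example\n'
    'Subject: Coronavirus policy update, action required\n\n',
    'From: HR <hr@clinic.example>\nSubject: COVID-19 office schedule\n\n',
    'From: news@vendor.example\nSubject: Quarterly newsletter\n\n',
    'From: info@other.example\nSubject: Pandemic supply notice\n\n',
]

if __name__ == "__main__":
    for domain, subjects in find_campaigns(SAMPLE).items():
        print(domain, subjects)
```

A From header is trivially forged, so output like this is a triage signal for an analyst rather than a verdict on the sender.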
"The other thing we've seen as a primary issue is there's a sense of privacy that people seem to have when they're at home," he continued. "So they take on additional risk in the websites they browse or the content they download."
Though ExtraHop is a great way to address some of these concerns, Canales pointed out the importance of reducing human error.
"Our primary tool against those types of incidents is security awareness training: educating the user to be safer in the work that they're doing while at home," he said.
Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Healthcare IT News is a HIMSS Media publication.