UPMC: Reducing security risks for patient data in the cloud

UPMC has found a way to reduce the risk of data breaches while continuing to provide the latest technologies to improve its healthcare delivery.

John Houston would love if every malicious hacker disappeared from cyberspace. That isn’t likely, though, given the threat landscape keeps expanding due to copious amounts of patient data being generated and more frequently stored in the cloud.

“As we move to an environment where much of our information is stored by third parties—cloud service providers, SaaS [software as a service] providers, and so on—the likelihood of our data being stolen is greater,” Houston, Vice President of Security and Privacy at the University of Pittsburgh Medical Center (UPMC), said. “If our data is moved from an on-premise data center, where we can directly secure the information within, to cloud or SaaS providers, we must rely on someone else to secure that information. This makes security much more complex.”

UPMC, however, has found a way to reduce the risk of data breaches while continuing to provide the latest technologies to improve its healthcare delivery.

Houston is a founding member of the Third Party Risk Management Council, a group of health systems’ chief information security officers focused on improving healthcare’s IT security posture through better vendor management. The group is pushing for all business partners to adopt and continually adapt to the HITRUST Common Security Framework (CSP), thereby providing more assurance these third parties provide adequate security to protect their customers’ data.

“Because we’re amassing so much information, the propensity for breaches become bigger. We need smart outsourcing that improves our security posture,” Houston explained.

Look inward to better evaluate outsourcers

UPMC doesn’t just demand certain security and privacy standards of its tech partners; it demands the same of itself. The health system adopted HITRUST years ago and currently is undergoing an independent assessment to maintain certification.

“I know exactly the rigor required to obtain that HITRUST certification. So, if a vendor wants to sell me a SaaS service, I ask for their HITRUST report,” Houston explained. “If they give me that report or certification, I can quickly assess their maturity level with respect to information security. I also can trust that report or score because an independent third party has evaluated it based on a well establish and mature process.”

Houston believes widespread adoption of the CSP Framework is a good step to better securing patient data. The healthcare-specific framework draws from NIST and COBIT security standards as well as HIPAA security and privacy rules.

“As technology gets more complex, our business will change. That’s why a framework is so important. It recognizes that at any point in time you’re going to change, and the right framework helps you stay on top of security,” he said.

‘Sizing up’ threat response with smart outsourcing

Before any new technology is deployed at UPMC, it is evaluated by a multidisciplinary architectural review team. This group of full-time employees, representing business and clinical perspectives, are tasked with ensuring a chosen solution fits within UPMC’s secure and high performing environment—including its IT infrastructure.

Houston has 75 staff members devoted exclusively to cybersecurity, a workforce he admits is larger than some other healthcare systems but smaller than industries like finance and retail. Some of these UPMC information security professionals currently are searching for automation opportunities. In doing so, they can improve operational efficiencies that free up more time to monitor cybersecurity threats and respond to incidents.

For smaller hospitals with 200 or less beds, Houston recommends finding “a really good SaaS provider” to help deliver critical services. Part of the selection process should include close review of their security controls.

“You’re putting a lot of trust in them because they will probably do a better job of securing the environment than you can,” he explained. “You won’t have the resources to secure everything, so you’re better off partnering with a company that can secure large chunks of your environment. That makes it easier for you then to secure your desktop and network infrastructures, which is a much more manageable task.”

Gaining or maintaining a strong security posture can be challenging for mid-sized, competitive hospitals too. These organizations want to improve patient care using new technologies but often lack enough internal security resources to ensure these new solutions aren’t compromised by bad actors. “Sooner or later something’s going to fall through the cracks,” Houston said.

That’s why, he said, everyone needs to demand higher security standards—for all health systems and the third parties that serve them. “If enough of us push vendors to do that, we move the needle and get the whole vendor community to do the right thing.”

About VMware:

VMware Healthcare Solutions transform the cost, quality, and delivery of patient care from the data center to the point of care. Our software-defined healthcare IT platform modernizes and protects critical IT infrastructure at the heart of value-based patient care while mobilizing providers with always-on access to patient information from the right device, for the right task, at the right time.

www.vmware.com/solutions/industry/healthcare-it-solutions