Blue Goat Cyber

Healthcare Cloud Adoption: A Breakdown of the Risk and Reward


Moving to the cloud has been a trend every industry has embraced. Doing so helps companies be more operationally efficient, reduce costs, and improve cyber defenses. However, healthcare has been a bit slower to migrate, with all the complexities of regulations around the collection, storage, and usage of ePHI (electronic protected health information). Healthcare cloud adoption is accelerating as organizations realize it’s the future.

While many rewards come from moving to the cloud, risks remain. In reviewing the data on the adoption of the cloud by healthcare, there are some insights worth discussing. Below, we’ll look at the data, what it means, and how to be smart about cloud usage.

The Majority of Healthcare Organizations Are Using the Cloud

A recent survey of healthcare IT professionals revealed that 70% have moved to cloud computing solutions. Another 20% expressed a desire to migrate. Other findings included:

  • 94% of those who completed a cloud migration said they would recommend it to their peers.
  • 84% said it was easier to maintain compliance in the cloud.
  • 60% of those who haven’t migrated listed that maintaining compliance was the most challenging part of transitioning.
  • The least likely areas of healthcare to use the cloud were physician offices and dental practices.

This data illustrates the dichotomy of cloud computing. IT professionals who migrated rated the move as positive and as a support to compliance. Yet those who haven't migrated name compliance as the barrier to adopting the cloud. The acceleration of adopters needs some context.

Healthcare has had the opportunity to move to the cloud just like any other sector. There was general encouragement to do so. It has become untenable to maintain on-premises servers due to costs, absence of expertise, and a lack of cybersecurity employees. The final push for many was the pandemic, which required a more flexible and agile network.

Other trends have driven the need for the cloud, including hybrid work models, adding medical IoT (Internet of Things) devices to the network, expanding telehealth services, decommissioning legacy systems, and data interoperability.

Yet, with all its benefits, using the cloud has risks. Healthcare continues to be the most attacked industry, with regular breaches and incidents of ransomware increasing. There is no way to eliminate all the risks, but the cloud has strong pillars of resiliency and security.

Let’s look further at the risk landscape.

Risk and Opportunities in Healthcare Cloud Adoption

A report on cloud adoption and risk provides some more insights for this discussion. Any healthcare organization has had and continues to have conversations about the cloud. You have unique needs and challenges centered around protecting data used across many cloud applications and services. Data visibility is murky, and implementations are slow.

Key findings from this report include the following:

Worries About Shadow IT

Healthcare IT professionals have big concerns about shadow IT, especially in large enterprises or systems. Many users could be accessing applications without IT’s knowledge. Nearly three-quarters (74%) of survey respondents said it was something they worry about.

Cloud Adoption Is Growing with Caution

The risk report showed lower adoption rates than the previous survey, but again the data needs context. Most healthcare entities have applications in the cloud, but they may not be using it for the bulk of operations. There was only slight growth in the number of public cloud services used, which was 24 in 2023.

The cautionary approach to adoption involves concerns about having control of the data and integrating legacy systems. There are signs that healthcare does want to use more public cloud services and applications. The sector actually has greater usage of Google, AWS (Amazon Web Services), and Microsoft SharePoint compared to other industries.

This would indicate a lot of data sharing, which is essential in the delivery of care, likely between SaaS (software-as-a-service) applications. Of course, more sharing leads to greater risks. In fact, 98% of healthcare IT professionals said they have issues with SaaS.

The Problems with SaaS

The SaaS issues they face include shadow IT, lack of visibility into what data is in which cloud application, inability to assess the security of the cloud application provider’s operations, and not having staff with the right skills to manage it.

There is a SaaS application for any tools needed in healthcare, from claims management to remote patient monitoring software to EHRs (electronic health records). Healthcare IT has good reason to recognize the threats of adding these to the network. Unfortunately, they aren’t always included in the conversation about deploying new SaaS platforms.

Legacy System Complications

Legacy systems are a thorn in the side of healthcare IT. Replacing them requires substantial work and adds to infrastructure complexity. Much of the challenge lies in insufficient funding. Yet healthcare IT teams are keenly aware of the need to migrate, as legacy systems pose bigger security risks, especially if the provider no longer updates them.

Cyber and IT Staff Labor Shortages Hurting Healthcare

It’s no secret that there is a cyber workforce shortage. Across all industries, millions of jobs remain unfilled. It’s a serious situation that increases risk. Survey respondents relayed that it has had an impact on the adoption of the cloud.

Hesitancies Over Storing Data in the Cloud

Another problem that keeps healthcare from cloud adoption is the concern over data. Sensitive data is currently in the cloud. It’s not just ePHI. Competitive information, internal documentation, proprietary and intellectual property, and more have a home in the cloud.

Additionally, data sharing between internal applications and external ones happens regularly. Ensuring secure interoperability is challenging due to the absence of standardization and many applications built on old architecture.

All these risks are present with on-premises systems, too. In the case of most clouds, layered security is stronger, and data backup and redundancy are in place. In securing the cloud, healthcare applies many strategies.

How Healthcare Is Securing the Cloud

The survey asked respondents what they were doing to secure cloud services. The top answers were:

  • Data loss prevention (DLP) and encryption
  • Migrating shadow IT to an approved service
  • Controlling the functionality of certain applications
  • Fixing identified security deficiencies

However, very few regularly audit applications. Organizations face the challenge of simplifying cloud computing while also improving security. Those that have had a cybersecurity breach, threat, or theft of data have responded by:

  • Increasing investments in cybersecurity
  • Refining or creating disaster recovery
  • Moving toward zero trust

Making these changes, along with constantly monitoring and retooling cybersecurity policies and protocols, is an enormous burden. Most organizations cannot manage this on their own. Achieving clarity around applications, data storage and usage, and access is critical yet hard to do. Healthcare IT has more on its plate than just cybersecurity. It’s why so many find partners to support their efforts on their journey to cyber resilience and reduction of risk.

Getting to a Place of Confidence About Cloud Adoption

The risk of the cloud is a reality, but not adopting it doesn’t eliminate threats. Cyberattacks happen to on-premises systems. Those often cripple operations and could lead to adverse outcomes for patients. Additionally, the cost to keep things in-house will only increase, impacting your organization’s ability to pivot and adapt.

To get to a place where you feel confident about fully embracing the cloud, you can do several things to strengthen your healthcare cybersecurity ecosystem.

Initiate Regular Pen Tests

Pen tests are simulated cyberattacks within your network, carried out by ethical hackers. You can work with a firm to perform these tests across several areas. Pen tests can cover the following:

  • SaaS and web applications
  • Cloud security
  • HIPAA compliance measures
  • Network security
  • mIoT

They’ll provide clear results on what vulnerabilities are present and exploitable by hackers.

Make Vulnerability Assessments Part of Your Cyber Framework

Along with pen tests, vulnerability assessments offer insight into the gaps in your security protocols. They also help satisfy the requirements of the HIPAA Security Rule. With these evaluations, experts provide reports to improve your risk posture and management. The findings from vulnerability assessments help you:

  • Prioritize fixes with classifications of vulnerabilities found as critical, high, medium, or low.
  • Create an inventory of all devices on your network and system information.
  • Establish a risk profile.
  • Plan upgrades.
  • Manage resources more effectively.
  • Improve the overall security of your organization.

Pen tests and vulnerability assessments are critical in monitoring cloud security and being able to thwart attacks. Working with a team that specializes in performing these for healthcare gives you an advantage. They complement each other and should both be part of your cybersecurity strategy.

When considering a partner, focus on:

  • How they carry out assessments, which should involve manual and automated scanning
  • What credentials they have that demonstrate their expertise, such as CISSP, CSSLP, OSCP, ECSA, LPT (Master), and CEH
  • What methodology they use, and if it’s proven
  • How they support you after fixes, such as with a remediation validation test (RVT)
  • What their reporting looks like, and if it’s generally practical and useful

At Blue Goat Cyber, we are healthcare cybersecurity experts. If you want to adopt the cloud completely or partially, we can help you plan for a migration with a security and compliance approach.

Get started by requesting a consultation.
