5 questions with Secure-24 Chief Security and Privacy Officer Brian Herr on cloud security

Executives across industries are increasingly turning to the cloud to cut costs and enhance scalability. In fact, the shift away from on-premises data centers and into the cloud is expected to affect $1 trillion in IT spending across the globe by 2020, according to a 2016 report from the advisory firm Gartner.

Even HHS officials expect almost half — 41 percent — of the agency's systems to be in the cloud by the end of 2017, HHS CIO Beth Killoran told Federal News Radio earlier this year. However, some hospital leaders have been hesitant to join this growing trend, questioning the cybersecurity implications of storing and sharing protected health information online.

"Security has always been a component of my career," says Brian Herr, chief security and privacy officer at managed cloud services provider Secure-24, which oversees a portfolio of managed application and database services including Epic, Microsoft and Oracle. "The tremendous risk for healthcare organizations and our other clients mandates that I stay ahead of the game at all times."

Mr. Herr, who boasts roughly 20 years of experience in the IT space, spoke with Becker's Hospital Review about the challenges hospitals face when transitioning to the cloud and the top IT security trends he suggests hospital leaders watch in 2018.

Editor's note: This interview has been edited for length and clarity.

Question: What security challenges do hospitals face when moving information into the cloud?

Brian Herr: The cloud is an amazing platform that brings huge advantages, but it also brings giant challenges. The first challenge that usually surfaces relates to how a cloud service being considered would impact data privacy and compliance. This is not to be underestimated. Today, many managed services solutions have more security and compliance controls built in than on-premise solutions, but it's the organization's responsibility to ensure cloud services are heavily vetted to meet the requirements dictated by privacy, security, availability and compliance standards. For example, requirements for data security and privacy are imperative as data traverses the entire data ecosystem.

Q: What advice would you give hospital CIOs considering a shift to the cloud?

BH: Most healthcare professionals have already moved to the cloud in their private and professional lives. However, I would advise everyone to take time to learn about the differences in cloud services. While some healthcare organizations can effectively use independent cloud services, many find they benefit much more from fully managed services that understand today's hybrid IT. A cloud strategy must meet the requirements set by the organization, regulators and end users, which is a difficult and complex task. Cost is always a factor, but in any successful cloud strategy, the CIO must also consider security, privacy, compliance and legal considerations before committing to a service.

Q: What key motivators would you say drove hospital leaders' interests toward the cloud in 2017?

BH: Our Secure-24 clients cite cost control, ease of use, staffing difficulty, availability, security and compliance issues as their main motivators. Hospital leaders have sought opportunities to move to a more secure, affordable solution by selecting tools or services that assist in immediate migration and have strong security and compliance features. More and more, they recognize they can't keep up with the costs to maintain their own IT and information security departments for all of the services required. This motivation to move to the cloud often opens the door to new innovations, while freeing existing staff to focus on other priorities.

Q: How do you see hospitals' information security management programs changing in 2018?

BH: Security management is not an IT issue in healthcare — it's a patient safety issue as we continue to put more of the patient's life into a digital format. The upside is greater interoperability and medical care, but the downside is greater risk. With changes to technology and the increasing need for data privacy and compliance, I see the need and demand for information security skyrocketing in 2018.

Q: What security and privacy trends should hospital leaders keep an eye on in 2018?

BH: Identity and access management, if not already, will be a major initiative as the need to integrate with existing, legacy and now cloud platforms in an auditable format is critical. Healthcare has a unique blend of requirements that must be considered when choosing and implementing a platform.

Security of medical devices will continue to evolve, and vulnerability programs must address the evolving needs of testing, patching and acquiring or replacing medical devices in all steps of the device's life cycle.

Clinical engineering systems will come under greater scrutiny by organizations' security programs. Today's stop-gap measure of segmenting those systems, in an effort to contain risk, is not a sustainable, long-term solution.

Certain difficult-to-staff and difficult-to-manage security roles will continue to be outsourced. Planning around how this service is incorporated into 2018 security programs is a major key to success.

Outdated legacy systems in use by healthcare organizations must be protected by technologies that are compensating technical controls to "secure around" the legacy system, until they can be replaced.

Hospitals will recognize a breach or successful ransomware attack is not a matter of "if," but "when." A detailed incident response plan will be critical, so hospitals should re-review and enhance their own plans. Cybersecurity insurance purchases will likely increase across the healthcare industry, as well.
