Dan Costantino, chief information security officer at Philadelphia-based Penn Medicine-University of Pennsylvania Health System, shares his thoughts on cloud-based storage versus in-house systems as well as critical points of cybersecurity health systems should tackle after a cyberattack.
Responses have been lightly edited for clarity and length.
Question: What are your thoughts on cloud-based storage systems?
Dan Costantino: In general, from a security perspective, moving to cloud-based storage really does depend on two different things. The first is how early in the adoption or migration process a security team becomes involved. This significantly drives the decision between whether it's a good idea, from a security perspective, or a potential risky move for an organization to make. If you know the security team is involved very early on, there's some merit to the migration and probably a reasonable level of security that will come with it. Too often security teams get involved or pulled in after a migration has already taken place or the decision has been made. We're fortunate here compared to most of our peers in medicine because we have made zero cloud migrations without full security involvement up front. I think that's rare to happen these days, so we're one of the fortunate organizations.
The second factor is not just getting involved early on but it's how much security consideration is taken when these ongoing cloud-based storage decisions are being made. Security obviously needs some weigh-in in the beginning, but there also needs to be a heavy amount of risk analysis conducted by the security and privacy office in an ongoing capacity. The office of the general council needs to be involved early on when it comes to cloud-based storage for things like business-associated agreements and contract language. It's important for those groups to present the business with the risks that are being inherited through cloud-based storage. There are great business drivers and operational drivers, and, in some cases, I'd say even financial incentives to go with cloud-based storage, but it's important for the business to understand what inherent risks come with that.
Q: What, if any, threats do cloud-based storage systems pose to hospital cybersecurity?
DC: Anytime you move your data from onsite storage to cloud storage, you're doing a couple of things. First, you're transferring some of the responsibility of the security controls, not the data, to a third party, which always carries some risks with it. I think at that point, again, you go back to the risk analysis factor, and you really need to be doing your due diligence to understand what measures, precautions and steps these organizations are taking to safeguard your data. You're not transferring the risk of that data. I mean that's the tricky part, right? Transferring the responsibility of implementing security controls, but you still as an organization carry most of the risk of the data, should it be compromised.
In a health system setting, a third party may have some involvement in the breach but at the end of the day it’s the hospital's patient data that's been exposed. Therefore, that hospital's reputation is on the line. There's significant threat there and, I don’t want to say very little control, but very little daily operational visibility into what levels of security are being introduced to your data that's being stored in the cloud.
The second threat is you are losing some institutional knowledge and business context when you move anything to the cloud, especially when it comes to storage. What I mean by that is there are a lot of generic and general security controls that go into storage, and most of them are pretty well-known and standardized across the industry. But there are certainly some specialized controls, whether they be business process or special security controls, that take place based on the way an organization or an institution functions. By moving something into a third party's cloud solution, you're losing that institutional context. You're getting their sweep of security, or of secure cloud storage, regardless of the institution. And in a lot of cases, you're getting the same level of security regardless of the industry vertical. Most third-party organizations are simply providing secure controls around the data but not actually specializing or customizing it to what your business needs specifically. So, you lose that, which is something you do have the capability of doing if you keep it in house.
My position remains that there are, in many cases, just too many business opportunities and good business decisions to be made around cloud storage and migration to the cloud in general. At times some of the risks need to be managed by a security team rather than blocking the entire migration in general.
Q: Are there any benefits to cybersecurity from using a cloud-based storage system?
DC: That depends on your program's maturity. If you are a small institution or are in a large institution with a very limited set of resources, whether that be budget or people, then there are certainly some security benefits to be had when migrating to a large service provider in the cloud. They simply have more resources and time dedicated to securing that data. If you're a large institution with a very mature security program, you still may inherit a few security benefits, but again, you're going to lose some of that organizational context that your team could probably deliver.
Q: What role do you think technology plays in protecting, as well as exposing, hospital data?
DC: Technology plays a massive role in protecting information for health systems. While information security reaches far beyond IT, there is still a very high level of partnership and collaboration necessary between security and technical teams. There are several reasons for this, one of which includes the delivery of many security-based technologies. It's not uncommon for information security teams to rely heavily on IT to deliver the controls necessary to reduce risk. Those tools may help to reduce the risk of internal and external cyber threats, but they also have the potential of carrying a different kind of threat to the availability and functionality of technology that IT teams are responsible for delivering to the health system. This brings security and IT to the ever-so-often talked about battle of balance everyone is so desperately aiming to achieve.
Q: After a cyberattack, it’s important for hospital CISOs and CIOs to not only undergo a recovery process but to also turn the situation into a learning experience for the rest of the business. What advice do you have for IT leaders in this type of situation? What are some critical points of cybersecurity they should try to convey to the rest of the hospital personnel?
DC: It is critical for CISOs and CIOs to leverage the short window they have after a cyberattack in a positive way for the business and program. It's a rare time where security has the attention of the business and its key leaders, and it won't be long before a new issue arises, and their attention is elsewhere.
The mistake many leaders make is by using this time to do one of two things. The first mistake made by some security leaders is using the lessons learned phase to ask for more money. Perhaps an increased budget is necessary, but that kind of information should present itself through thoughtful recommendations for better security controls and business process. Another common mistake a CISO can make following a breach is by trying to separate themselves from responsibility due to potential business decisions that were made to accept a risk or address it at a later point in time. Executive leadership teams are wise enough to reflect on these decisions, and post-breach is not the time to revisit them to absolve yourself from blame. Instead, use the opportunity to show leadership how these events can be avoided moving forward and what level of support from the business will be necessary to execute.
To learn more about clinical and IT leadership, register for the Becker's Hospital Review 2nd Annual Health IT + Clinical Leadership Conference May 2-4, 2019 in Chicago. Click here to learn more and register.
To participate in future Becker's Q&As, contact Jackie Drees at jdrees@beckershealthcare.com.
More articles on cybersecurity:
California eye center plans to switch EMR vendors after it suffered a ransomware attack
Google's cloud security command center now available in beta: 3 notes
41K+ patients warned of possible data breach after Cancer Centers of America phishing attack