
The Healthcare Cloud Security Paradox

Information Technology | 2019-05-03 | Accenture | 从***

Public cloud can be significantly more secure than private or on-premise data center strategies. So why aren’t healthcare CIOs taking full advantage of moving to the cloud?

Moving data to the public cloud does not involve a security trade off. To the contrary, experts say that the 60% of enterprises that implement appropriate public cloud security controls will experience one-third fewer security failures.[1] This is good news for US healthcare organizations, which experienced double-digit growth in the number of data breaches from 2016-2017.[2]

Accenture research shows that healthcare CIOs clearly recognize the security benefits of cloud: 60% cite data protection and management as the principal strategic priority advanced by moving to the public cloud. And 66% are in the process of shifting to a cloud services model—enabled through migrating existing applications and/or building natively on new cloud platforms. Yet the research also reveals that more than two thirds of organizations have retained 80% or more of their estate on-premise. So, what’s holding CIOs back from moving to the public cloud?

[1] Gartner, “Is the Cloud Secure?”, March 27, 2018, https://www.gartner.com/smarterwithgartner/is-the-cloud-secure/
[2] Accenture analysis of publicly available data from the U.S. Department of Health & Human Services

Accenture research shows that “security concerns” trump both complexity and cost as the key reason for caution among slow cloud adopters (see Figure 1). However, the same survey also revealed that many healthcare CIOs (40%) acknowledge that the public cloud is more secure than either private cloud (35%) or on-premise data centers (25%). This strongly suggests that the issue is more about mindset than technology. Security concerns revolve around how to leverage public cloud as a platform to improve security rather than whether cloud is inherently more secure if leveraged correctly.

The skills and knowledge gap in developing mature public cloud security strategies and the tools and processes that enable them is creating roadblocks to rapid public cloud adoption. The uncertainty about how to translate existing on-premise security practices to public cloud and where to adapt or change to benefit from new approaches or capabilities that public cloud provides translates into long delays in design and implementation.

Figure 1: Security concerns and perceived complexity and cost are the top reasons for slow public cloud adoption in the healthcare industry.
Survey question: For those [business functions] that have been slower to adopt cloud, what were the reasons? (Respondents could choose multiple options.)
[Bar chart. Response options: Security concerns; Perceived complexity; Perceived cost; No budget; Don’t buy in to cloud business case. Series: Total (N = 200), Payers (N = 100), Providers (N = 100).]
Source: Accenture research

COMPLACENCY IS CONTAGIOUS

Another significant challenge to public cloud adoption is that nearly all healthcare organizations (96%) still have traditional policies and controls in place that prevent material public cloud adoption (see Figure 2). This is often because policies and controls name specific technologies or products rather than focusing on the desired security outcome. It is commonplace to see vendor names or capabilities in policies that limit the application to public cloud or lack the flexibility to accommodate newer capabilities born in the cloud. Often compounding this problem in healthcare are the customer-specific and regulatory requirements that have been translated into on-premise security practices over the years, which need to be refreshed for the public cloud.

Figure 2: Nearly all healthcare organizations have security policies or controls that prevent public cloud adoption.
Survey question: Are there existing security policies or controls within your organization today that prevent material cloud adoption (private or public)?
[Bar chart. Response options: No - Defined security controls allow for full evaluation of public cloud; Yes; Yes - Security controls allow for moving to private cloud only; Yes - Security controls are driving us to remain in data center; Yes - Security controls allow for some move to public cloud depending on the application. Series: Total (N = 200), Payers (N = 100), Providers (N = 100).]
Source: Accenture research

Accenture experience suggests that few existing security policies are in direct conflict with public cloud-based platforms as the primary landing zone for healthcare applications and data—it’s more about understanding new shared responsibility models inherent with large platform providers and vendors and building out a new set of security controls that are easily consumable by application teams building new capabilities in the cloud. And if CIOs had a better understanding of why the public cloud is so secure the necessary shift in mindset might be accelerated. (See below.)

Modern, well architected applications leveraging the public cloud are innately more secure than their on