According to the Information Commissioner’s Office in the UK, healthcare data breaches accounted for 40% of late 2016 security incidents. This type of information is a special nightmare to deal with. On the one hand, the data is obviously highly sensitive; on the other hand, accessing up-to-date medical data without delay can be a matter of life and death for patients. Black hat hackers are very conscious of these facts; they know medical organizations are very likely to pay any ransom if their patients’ lives are at risk.
Digitization raises security issues
With medical processes generating a huge amount of paperwork, it is no wonder the healthcare sector is pushing towards digitization. The benefits are manifest: medical information can be transmitted easily from one organization to another, and patients can have better access to their medical records. But it raises questions: where and how should the information be stored properly and securely? Each organization that needs access to the data has different governance, management and rules, and with all these different requirements it is hard to implement consistent data security policies and to train staff to keep data safe. Cédric Cartau, Chief Information Security Officer at Nantes University Hospital, notes:
In the next 5 to 10 years, we can expect far more security issues, which will require bigger budgets, more staff and teaching best practices.
And what do you do if you are confident in your security policy but you know that this or that hospital you have to share with is not as sophisticated with regard to digital hygiene? Consistent governance is hard: the mix of private and public organizations in most countries, like the UK, France, Germany and the US, makes unified protocols and policies difficult.
Expensive chaos
Today, the situation is chaotic at best with PBS asking if health care hacking has become an epidemic. Healthcare data can leak from everywhere: according to this report from the U.S. Department of Health and Human Services, the health care industry has averaged close to four data breaches per week in 2016. Patients also carry these vulnerabilities with them, in the form of minimally secured smartphone health apps. And this data is worth a lot of money!
Electronic health records are 100 times more valuable than stolen credit cards
said James Scott, co-founder and senior fellow at the Institute for Critical Infrastructure Technology (ICIT) in Washington D.C.
Public clouds: no solution
IT teams do not have a substantial budget dedicated to security concerns. And when you are attacked every seven seconds on average, like the Beth Israel Deaconess Hospital, you have a real problem. Some health care organizations made a surprising move: putting their data into the Public Cloud. In terms of security, it is indeed a better alternative than building your own system on a shoestring budget. Microsoft, Google and Dropbox spend millions on security. Their teams patch security issues in no time and their core business is making data accessible whenever and wherever it’s needed.
But Public Clouds are not set up very well for handling healthcare data. First of all, using Public Clouds raises privacy concerns, which is particularly worrying when it comes to dealing with such sensitive data. Second, Public Clouds don’t really solve the security issues! Due to the typical consumer-focused nature of Public Clouds, IT teams have to rely on third-party tools to ensure that only the right people have access to medical data and to enforce the secure use of those clouds. These tools provide, for example, Identity as a Service (IDaaS) and help manage staff-owned devices and sharing. But this only moves the problem. Layering several tools on top of each other multiplies complexity and increases both the opportunities for costly mistakes and the attack surface. Now, a breach at any of several levels, in any of a variety of tools, can leak data!
Delegating security policy also hampers your ability to adapt to changing situations and requirements:
Can you track (or limit!) the sharing or downloading of specific files if you need to for compliance requirements?
Can you change or adapt the whole process if new laws come into force?
Can you at least migrate part or all of your data out of the Cloud to another place if you need to, or is it too costly?
Vendor lock-in and lack of control, the simple fact that your patients’ medical data is intermingled with the data from countless other users in an unknown location, the chance of being part of massive data leaks like this one from Dropbox last year – the risks of the Public Cloud are countless while promised cost benefits usually fail to materialize.
Private cloud: stay in control
The most powerful and elegant solution to the security-vs-accessibility problem faced by the medical sector is implementing a Private Cloud solution. The existing data storage and access technologies and, more importantly, the existing governance processes and tools can be leveraged by software like Nextcloud, making the data that caretakers need available easily and quickly while IT stays in control. The flexible nature of Nextcloud enables deep integration into existing infrastructure.
The ability to restrict and monitor access to data to a specific group of users, and to set an expiration date when sharing files, is a real need for medical organizations.
Encryption of data on storage allows medical organizations to optimize costs by taking advantage of Public Cloud storage while securing the data with encryption, keeping encryption keys on-premise.