7 STEPS TO SECURING HEALTHCARE INFRASTRUCTURES USING A CLOUD SECURITY PLAN (from HIMSS Media) 5/6/2015

Step 1: Review business goals

Although hospital settings and physician practices can vary greatly, every cloud security plan should begin with a routine assessment of specific business objectives. Security should enable:
The easiest way to create security policies, procedures and standards is to embrace best practices. Read everything available and apply industry best practices in order to create policies that align with your specific business goals and allow for the development of realistic procedures that are acceptable to your organization. For healthcare providers, a good example may be found in the provisioning of HIPAA- and HITECH-compliant services to new and existing patients. In order to do so, the healthcare organization must build security policies that define the restrictions when handling Protected Health Information (PHI), procedures that define the process of acquiring PHI and guidelines that promote the general adoption of best practices. Healthcare organizations can dramatically reduce the learning curve for developing security policies, procedures and standards by leveraging high-performance cloud computing.

Step 3: Maintain a risk management program

An effective cloud-computing risk management program will reduce overall risk, prioritize the utilization of resources and provide your healthcare organization with a long-term strategy. But only a well-defined and carefully maintained risk-management program will deliver an aggregated view of the risk that an organization is willing to accept. Most organizations assess the value of the asset and the loss expectancy probability before determining whether a risk is acceptable, or if steps should be taken to reduce the chances of that loss. Careful analysis should be conducted regularly to develop responsible programs and to build in the controls and auditing capabilities needed to lower threats and maintain a reasonable security program that protects assets within budgetary guidelines. Your cloud-computing risk-management program should be audited, and policies should be defined explicitly stating who may accept risk on behalf of the organization.
Having a robust risk management program in place means you have identified your critical assets and established appropriate levels of protection. Rather than devoting the bulk of your time to writing policies, plan on spending the majority of your time learning how the organization truly functions, so security can better contribute to its success and not be viewed as a daily battle.

Step 4: Support business goals

A well-developed cloud-computing security plan should include goals with measurable results that provide support for the growth and stability of your healthcare organization. It should include compliance programs, technologies and processes with specific results. In many ways, your security plan will become a natural extension of the first two steps.

Step 5: Go for organization-wide support and alignment

To garner support and acceptance of your cloud-computing security plan, prioritize security policies and ensure that they are not in conflict with other policies from different departments. Involvement and support of the plan throughout the organization is critical to its success. Although establishing levels of security that meet business goals and comply with regulatory requirements and risk-management policies is critical, it is equally important that they can be centrally managed and conveniently implemented with minimal negative impact to productivity. Balancing ease of deployment and organizational acceptance is a necessary trade-off. Studies have found that the key is to budget enough time into the process to foster an understanding of how a healthcare organization develops its services and delivers them to patients and/or affiliated partners.
Step 6: Plan for regular audits and reviews

Regularly reviewing your security plan, reporting on goal progress and auditing the organization’s compliance with security policies and procedures are important components of the plan’s success. If it is part of your overall business plan, a third-party audit can deliver an impartial review of the controls and report on compliance to established programs. Fully grasping the auditing requirements for your healthcare organization – as well as the frequency of audits – ensures both compliance with relevant requirements and maintenance of best practices for securing enterprise resources.

Step 7: Improve your improvements

The continuous improvement of security and compliance goes hand-in-hand with a well-developed security plan. Healthcare is a rapidly evolving industry. Your organization’s security needs will change over time, just as the technology available to support these needs will continue to evolve. Senior executives and your cloud services provider should review your cloud computing security plan at least once a year. Plan on revising goals and objectives as needed, reviewing and editing security policies and procedures, and reporting the security and compliance teams’ achievements back to your organization.

Half of cloud adopters are hosting clinical applications in the cloud, primarily using Software as a Service (SaaS). Other common cloud services include Health Information Exchange (HIE), hosting human resources (HR) applications and data, as well as backup and disaster recovery. Although approximately 3 percent of survey respondents expressed a resistance to adopting cloud services due to security concerns, properly managed cloud infrastructure provides better security than most enterprise data centers, applications and IT infrastructure.
Selecting a stable cloud service provider with world-class data centers, enterprise cloud computing infrastructure, application expertise and a proven security methodology will help your healthcare organization reap the financial rewards of cloud computing while implementing a security framework optimized for the requirements of cloud architectures. By partnering with cloud providers, healthcare organizations can more readily alter their security plans to support evolving corporate strategies or regulatory requirements.